1. Who we are
That's My Business (TMB) is a bookkeeping and business management app for UK self-employed people and sole traders. It is operated by Highland Vibe Studio, trading as That's My Business.
Email: privacy@thatsmybusiness.app
Web: thatsmybusiness.app
We are the data controller — meaning we decide how and why your personal data is used. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025, we have a legal duty to handle your information carefully and to be open about what we do with it.
We are in the process of registering with the Information Commissioner's Office (ICO). Our registration number will be published here once confirmed.
2. What information we collect
Information you give us directly
- Your name and business name
- Your email address
- Business address and contact details
- Bank details you enter for invoice payment instructions (stored locally on your device only)
- VAT number, if applicable
- Vehicle registration number, if you use the mileage tracker
- Financial records: invoices, expenses, mileage logs, time entries
- Receipt photos you choose to attach to expenses
- Messages you send to Aria, our AI assistant
- Feedback you send us voluntarily
Information collected automatically
- Device type and operating system (for technical support purposes)
- App usage patterns (anonymised, to improve the app)
- IP address (standard web server logging)
Information we do not collect
- We do not collect payment card details. Any payments are handled by Stripe, which has its own privacy policy.
- We do not collect biometric data.
- We do not track your location unless you voluntarily enter a location in a mileage or expense record.
3. Why we collect it and our legal basis
Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:
- Contract performance — to provide you with the app and the features you have signed up for
- Legitimate interests — to improve the app, prevent fraud, and ensure security, where this does not override your rights
- Legal obligation — where we are required by law to retain certain records
- Consent — for any optional features or communications where you have clearly opted in
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
4. How we use your information
- To operate your account and provide the features of the app
- To allow Aria to answer your questions using context you provide in the conversation
- To generate invoices, reports, and financial summaries on your behalf
- To send you important service notifications (not marketing, unless you opt in)
- To respond to feedback or support requests you send us
- To improve the app based on anonymised usage data
- To comply with our legal obligations
We will never use your data to serve you third-party advertising. We will never sell your data to any third party.
6. Transfers outside the UK
Some of our service providers, including Anthropic (USA) and Vercel (USA), process data outside the UK. Where this happens, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the ICO, to protect your information to UK GDPR standards.
7. How long we keep your information
- Your account and financial records — kept for as long as your account is active, plus 7 years after closure, in line with HMRC record-keeping requirements for self-employed people
- Support and feedback emails — kept for up to 2 years
- Anonymised usage data — kept indefinitely as it cannot identify you
When data is no longer needed, we delete it securely. You can request deletion at any time (see Your Rights below).
8. Your rights
Under UK GDPR you have the following rights. All requests should be sent to privacy@thatsmybusiness.app. We will respond within one month.
- Ask for a copy of all data we hold about you.
- Ask us to correct inaccurate data.
- Ask us to delete your data ("right to be forgotten").
- Ask us to pause processing while a dispute is resolved.
- Ask for your data in a machine-readable format.
- Object to processing based on legitimate interests.
Under the Data (Use and Access) Act 2025, you also have the right to complain to us directly and receive an acknowledgement within 30 days. You also have the right to complain to the ICO at any time:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
9. How we keep your information safe
- All data in transit is encrypted using TLS (the secure padlock you see in your browser)
- Financial records entered in the app are stored locally on your device using your device's own security
- We do not store bank account details or card numbers on our servers
- Access to any server-side data is restricted to authorised personnel only
- We use reputable, security-audited third-party services (Vercel, Stripe, Anthropic)
No system is completely secure. If we ever become aware of a data breach that affects you, we will notify you and the ICO as required by law, within 72 hours of discovery.
11. Children
That's My Business is intended for adults who are self-employed or running a business. We do not knowingly collect data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us at privacy@thatsmybusiness.app and we will delete it promptly.
12. Changes to this policy
We will update this policy when our practices change or when the law requires it. We will notify you of any significant changes by email or through the app. The date at the top of this page always shows when it was last updated.
Continued use of the app after a change means you accept the updated policy.
13. How to contact us
We aim to respond to all privacy requests within one calendar month. For complex requests we may take up to three months, and we will tell you if this is the case.