Privacy Policy

Who we are

Ezeet ("we", "us", "our") is a digital receipt platform operated from Liverpool, United Kingdom. Our website is ezeet.co.uk and our registered trademark is UK00004354636.

Ezeet captures digital receipts automatically when you pay at participating merchants, and via open banking with your explicit consent. We provide consumers with a single place to view, manage, and export their receipts, and we provide merchants with anonymised analytics about their sales performance.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Ezeet is the data controller for the personal data we collect through our platform.

What data we collect

Account information

When you create an Ezeet account, we collect:

• Your email address
• Your name (if provided)
• A securely hashed version of your password (we never store your password in plain text)
• Your account type (consumer, business user, or sole trader)
• Your business name (if applicable)

Card registration data

To match receipts to your account, we collect:

• Your card brand (Visa, Mastercard, Amex, or Maestro)
• The last 4 digits of your card number
• An optional label you assign to the card

We do not collect, store, or have access to your full card number, CVV, expiry date, PIN, or any information that could be used to make payments with your card. The last 4 digits alone cannot be used to identify or access your financial accounts.

Transaction and receipt data

When you shop at a merchant connected to Ezeet, or when you connect your bank account, we collect transaction data including:

• Merchant name and location
• Transaction amount, currency, and date/time
• Itemised product details (where available from POS systems)
• VAT amount (calculated or provided by the merchant)
• Payment method (contactless, chip, online)
• Card brand and last 4 digits used for the transaction

Open banking data

If you choose to connect your bank account via our open banking provider, we access:

• Your bank account identifiers (account number, sort code — used for connection purposes only)
• Account holder name
• Transaction history (merchant name, amount, date, category)
• Account balances

Open banking data is accessed only with your explicit consent and can be revoked at any time. See Section 5 for full details.

Technical data

When you visit ezeet.co.uk, we may automatically collect:

• Your IP address
• Browser type and version
• Device type and operating system
• Pages visited and time spent on site
• Referring website

How we collect your data

We collect data through the following methods:

• Directly from you — when you sign up, register a card, or update your profile.
• From POS systems — when you pay at a merchant who has connected their point-of-sale system (Zettle, Square, SumUp, or Clover) to Ezeet. The merchant's POS system sends transaction data to our servers via secure API webhooks.
• From open banking providers — when you explicitly authorise Ezeet to access your bank transaction history through a regulated Account Information Service Provider (AISP). We access this data through providers such as Yapily and Salt Edge, who are authorised and regulated by the Financial Conduct Authority (FCA).
• Automatically — through cookies and similar technologies when you use our website.

Why we process your data (legal basis)

Under the UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:

Contract performance (Article 6(1)(b))

We process your account information, card registration data, and receipt data to provide you with the Ezeet service — namely, capturing, storing, and displaying your digital receipts. This processing is necessary to perform our contract with you.

Consent (Article 6(1)(a))

We process your open banking data only with your explicit consent. You provide this consent when you authorise Ezeet to access your bank account through the open banking flow. You can withdraw this consent at any time (see Section 11).

Legitimate interests (Article 6(1)(f))

We may process certain data where it is in our legitimate interests to do so, provided these interests are not overridden by your rights. This includes:

• Improving and developing our platform
• Providing anonymised and aggregated analytics to merchants (no individual consumer data is shared)
• Detecting and preventing fraud or abuse of our platform
• Communicating with you about important service updates

Legal obligation (Article 6(1)(c))

We may process data where required to comply with a legal obligation, such as responding to lawful requests from law enforcement or regulatory authorities.

Open banking data

Open banking is a secure, regulated framework that allows you to share your bank transaction data with authorised third parties. Ezeet accesses open banking data through Account Information Service Providers (AISPs) who are authorised by the Financial Conduct Authority (FCA).

How it works

• You click "Connect Bank" in your Ezeet dashboard.
• You are redirected to your bank's secure login page.
• You log in with your normal banking credentials and approve the data sharing request.
• Your bank sends a consent token to Ezeet (via the AISP) that allows us to read your transaction data.
• At no point does Ezeet see, store, or have access to your banking login credentials.

What we access

We access your transaction history only. We use this to create digital receipts — enriched transaction records showing merchant name, amount, date, estimated VAT, and expense category. We do not access or store your banking login credentials, and we cannot make payments, transfer money, or modify your account in any way.

Duration of access

Open banking consent is valid for a maximum of 90 days in the UK, after which you will need to re-authorise access. You can revoke access at any time through your banking app, through the AISP's interface, or by contacting us.

Security

All open banking data is transmitted over encrypted connections (TLS 1.2 or higher). Our AISP partners are FCA-authorised and comply with PSD2 Strong Customer Authentication (SCA) requirements. We do not store raw banking credentials at any point in the process.

POS transaction data

When a merchant connects their point-of-sale system to Ezeet, we receive transaction data for sales processed through that system. This includes itemised product details, payment method, and card identifiers (brand and last 4 digits only).

How matching works

We match POS transaction data to consumer accounts using the card brand and last 4 digits that the consumer has registered with Ezeet. This matching is performed automatically and securely on our servers. No full card numbers are involved at any stage.

Merchant data

Merchants who connect their POS to Ezeet receive access to anonymised and aggregated analytics about their own sales. They can see their total transactions, revenue, average transaction value, and top-selling products. Merchants cannot see individual consumer identities, personal details, or data from other merchants.

How we use your data

We use your personal data for the following purposes:

• Providing the service — capturing, storing, matching, and displaying your digital receipts.
• Account management — managing your Ezeet account, authenticating your sessions, and processing card registrations.
• Expense categorisation — automatically categorising your transactions (e.g., Meals & Drinks, Travel, Shopping) to help you manage expenses.
• VAT calculation — estimating or extracting VAT amounts for each transaction to support expense claims and tax compliance.
• Accounting integration — if you choose to connect Xero, QuickBooks, or another accounting platform, we push your receipt data to that platform on your behalf.
• Communications — sending you a welcome email when you sign up, and important service updates. We do not send marketing emails without your explicit consent.
• Analytics for merchants — providing connected merchants with anonymised, aggregated insights about their sales performance. Individual consumer data is never shared with merchants.
• Platform improvement — understanding how our platform is used so we can improve it.

What we do NOT do with your data

• We do not sell your personal data to third parties.
• We do not share your individual transaction data with advertisers.
• We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
• We do not share your personal data with merchants — they only see their own aggregated sales data.

Data sharing and third parties

We share your data only with the following categories of third parties, and only to the extent necessary to provide the Ezeet service:

Open banking providers

Yapily Connect Ltd (FCA authorised) and/or Salt Edge Limited (FCA reference: 822499) act as our Account Information Service Provider. They facilitate the secure connection between your bank and Ezeet. Their processing of your data is governed by their own privacy policies.

POS providers

Zettle by PayPal, Square, SumUp, and Clover provide POS transaction data to Ezeet when a merchant connects their system. These providers process transaction data under their own merchant agreements.

Accounting platforms

If you choose to connect Xero or QuickBooks, we send your receipt data to these platforms on your instruction. This is initiated by you and can be disconnected at any time.

Email service provider

We use Resend to send transactional emails (such as your welcome email). Resend processes your email address solely for the purpose of email delivery.

Hosting and infrastructure

Our platform is hosted on Render (cloud hosting) and our database is hosted on Neon (PostgreSQL database provider). Both are secured with encryption at rest and in transit. Our domain DNS is managed through Cloudflare.

Law enforcement and legal requirements

We may disclose your personal data if required to do so by law, or in response to valid legal process (such as a court order or regulatory request). We will notify you of such requests unless prohibited from doing so by law.

We do not share your data with any other third parties. We do not use third-party advertising or analytics tracking services that would have access to your personal or financial data.

Data storage and security

We take the security of your data seriously and implement appropriate technical and organisational measures to protect it.

Technical measures

• Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS (HTTPS). All API communications with third parties use TLS.
• Encryption at rest — our database provider (Neon) encrypts all stored data at rest.
• Password security — your password is salted and hashed using SHA-256 before storage. We never store passwords in plain text and cannot retrieve your original password.
• Session security — user sessions are managed using secure, signed cookies with a maximum lifetime of 30 days.
• Access control — administrative access to our platform is password-protected and restricted to authorised personnel only.
• No full card storage — we only store card brand and last 4 digits. We never store full card numbers, CVVs, expiry dates, or PINs.
• No banking credential storage — we never see, store, or process your bank login credentials. Open banking authentication is handled entirely by your bank and our AISP provider.

Organisational measures

• Access to personal data is limited to those who need it to operate the service.
• We conduct regular reviews of our data processing activities and security measures.
• We maintain records of our data processing activities as required by Article 30 of the UK GDPR.

Data location

Your data is stored on servers located in the European Economic Area (EEA). Our primary database is hosted in AWS Europe West 2 (London, UK). See Section 14 for information on international transfers.

Data retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

• Account data — retained for as long as your account is active. If you delete your account, your personal data (name, email, password hash) is deleted within 30 days.
• Receipt and transaction data — retained for as long as your account is active, or for up to 7 years after the transaction date if required for tax compliance purposes (in line with HMRC record-keeping requirements).
• Open banking consent tokens — retained for the duration of the consent period (maximum 90 days). Expired tokens are automatically deleted.
• Card registration data — retained for as long as your account is active. Deleted when you remove a card or delete your account.
• Technical logs — server logs containing IP addresses and request data are retained for a maximum of 90 days for security and debugging purposes.

When data is deleted, it is permanently removed from our active databases. Backup copies may persist for up to 30 additional days before being automatically purged.

Your rights under GDPR

Under the UK GDPR, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at privacy@ezeet.co.uk.

Right of access (Article 15)

You have the right to request a copy of the personal data we hold about you. We will respond within one calendar month.

Right to rectification (Article 16)

You have the right to request that we correct any inaccurate personal data we hold about you.

Right to erasure (Article 17)

You have the right to request that we delete your personal data. We will comply unless we have a legal obligation to retain it (for example, tax record-keeping requirements). You can delete your account at any time, which will trigger deletion of your personal data within 30 days.

Right to restrict processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest its accuracy or object to processing.

Right to data portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as CSV or JSON). You can export your receipt data from the Ezeet dashboard at any time.

Right to object (Article 21)

You have the right to object to processing based on legitimate interests. If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent (Article 7(3))

Where we process your data based on consent (such as open banking access), you have the right to withdraw that consent at any time. You can do this by:

• Revoking access through your banking app
• Contacting us at privacy@ezeet.co.uk
• Disconnecting your bank from the Ezeet dashboard

Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

Right to complain

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

Cookies

Ezeet uses a minimal number of cookies, strictly for functionality:

• Session cookie — used to keep you logged in to your Ezeet account. This is an essential cookie required for the service to function. It expires after 30 days of inactivity.
• Admin session cookie — used for admin panel authentication. Essential for platform management.

We do not use:

• Third-party advertising cookies
• Analytics tracking cookies (such as Google Analytics)
• Social media tracking cookies
• Cross-site tracking cookies

Because we only use strictly necessary cookies required for the service to function, we do not require a cookie consent banner under UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

Children's privacy

Ezeet is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.

If you are a parent or guardian and believe your child has provided personal data to Ezeet, please contact us at privacy@ezeet.co.uk.

International data transfers

We store and process the majority of your data within the United Kingdom and European Economic Area (EEA).

Some of our service providers may process data outside the UK/EEA. Where this occurs, we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner
• The service provider being located in a country with an adequacy decision from the UK government
• The service provider being certified under an approved certification mechanism

You can request details of the specific safeguards applied to international transfers by contacting us.

Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you by email if the changes significantly affect how we process your personal data
• Where required by law, seek your consent before applying changes to the processing of your data

We encourage you to review this policy periodically.

Contact us

If you have any questions about this privacy policy, your personal data, or wish to exercise any of your rights, please contact us:

Ezeet
Email: privacy@ezeet.co.uk
Website: ezeet.co.uk
Liverpool, United Kingdom

We aim to respond to all privacy-related enquiries within 30 days.