Breadcrumbs Image

GDPR Compliance

Last Updated: April 2025

1. Our Commitment to GDPR

DexAI is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We believe that transparency, security, and user control over personal data are fundamental rights, not optional features.

This statement outlines how we meet our GDPR obligations and the measures we've implemented to protect your data.

2. Data Protection by Design

We've built data protection into the core of our platform from the ground up:

  • Privacy-First Architecture: Our OCR engine processes receipts without storing unnecessary personal identifiers
  • Data Minimisation: We only collect data that is strictly necessary for providing our financial automation services
  • Purpose Limitation: Your data is used only for the purposes explicitly stated in our Privacy Policy
  • Storage Limitation: Automated deletion processes ensure data is not retained longer than necessary

3. Your GDPR Rights

We make it easy for you to exercise your data protection rights:

Right of Access (Article 15)

Request a complete copy of all personal data we hold about you, including receipts scanned, expense categories assigned, and account metadata. We provide this data in a clear, readable format within 30 days.

Right to Rectification (Article 16)

Update or correct inaccurate information directly through your account settings or by contacting our support team. We will action corrections within 14 days.

Right to Erasure (Article 17)

Request deletion of your account and associated data. Note that certain financial records must be retained for 6 years to comply with HMRC requirements, but all other data will be permanently deleted within 30 days.

Right to Restrict Processing (Article 18)

Request that we limit how we process your data. During restriction periods, your account may have limited functionality, but we will continue to store your data securely.

Right to Data Portability (Article 20)

Export all your data in standard formats (CSV, JSON, or PDF) for transfer to another service provider. This includes receipt images, extracted data, expense reports, and transaction history.

Right to Object (Article 21)

Object to processing of your data for marketing purposes or based on legitimate interests. You can manage marketing preferences in your account settings at any time.

Rights Related to Automated Decision-Making (Article 22)

While our AI categorises expenses automatically, you retain full control to review, edit, and override any categorisation. No significant decisions affecting you are made solely by automated processes without human oversight.

4. Data Processing Activities

Under GDPR, we maintain detailed records of our data processing activities:

  • Receipt Processing: OCR extraction of vendor name, amount, date, VAT number, and payment method
  • Expense Categorisation: AI-based classification into HMRC-compliant expense categories
  • Bank Feed Synchronisation: Read-only retrieval of transaction data via Open Banking APIs
  • Report Generation: Compilation of financial reports and VAT returns
  • HMRC Submission: Secure transmission of VAT data via Making Tax Digital APIs

Each processing activity has a documented lawful basis and is regularly reviewed for compliance.

5. Security Measures

We implement technical and organisational measures that meet GDPR Article 32 requirements:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based permissions, multi-factor authentication, and principle of least privilege
  • Resilience: Automated backups, disaster recovery planning, and 99.9% uptime SLA
  • Testing: Annual penetration testing by independent security firms, regular vulnerability scanning
  • Training: All employees complete mandatory GDPR and data security training annually

6. Data Breach Procedures

In the unlikely event of a personal data breach:

  • We will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
  • If the breach poses a high risk to your rights and freedoms, we will notify affected users directly without undue delay
  • We maintain an internal breach register and conduct thorough investigations of all incidents

7. International Data Transfers

Your data is primarily stored within the UK. Where processing occurs outside the UK/EEA:

  • We use UK-approved Standard Contractual Clauses (SCCs)
  • We verify that the recipient country has an adequacy decision from the ICO
  • We conduct Transfer Impact Assessments for all cross-border data flows

8. Third-Party Processors

All third-party service providers that process data on our behalf are bound by GDPR-compliant Data Processing Agreements (DPAs) that meet Article 28 requirements. These agreements ensure that processors:

  • Process data only on documented instructions from DexAI
  • Implement appropriate security measures
  • Assist with data subject requests and breach notifications
  • Return or delete data at the end of the contract
  • Submit to audits and inspections

9. Data Protection Officer

DexAI has appointed a Data Protection Officer (DPO) who oversees our GDPR compliance strategy. You can contact our DPO directly at:

  • Email: dpo@dexai.app
  • Address: Data Protection Officer, DexAI, 3rd Floor, 45 Albemarle Street, Mayfair, London, W1S 4JL, United Kingdom

10. Regulatory Supervision

DexAI is registered with the UK Information Commissioner's Office (ICO) as a data controller. Our registration number is available upon request. If you have unresolved concerns about our data practices, you have the right to lodge a complaint with the ICO at ico.org.uk.

11. Regular Reviews

We conduct quarterly reviews of our GDPR compliance posture, including:

  • Data mapping and processing activity updates
  • Lawful basis verification for all processing activities
  • Third-party processor compliance audits
  • Security assessment and penetration testing
  • Staff training refreshers and policy updates

12. Contact Us

For any GDPR-related questions or to exercise your data protection rights: