This Privacy Policy explains how Lucibook Ltd (“Lucibook”, “we”, “us”, “our”) collects and uses personal data when you use Snap (the “Service”). It is written for compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are (data controller)
Lucibook Ltd is the controller of personal data processed through Snap accounts that we offer directly. Where Snap is used by a Practice firm to manage Client workspaces, the firm acts as a controller in respect of the documents and personal data it uploads about its own clients, and Lucibook acts as a processor in respect of that content. For account-level personal data (firm-user names, emails, login activity) Lucibook is the controller.
You can contact us at any time about this Policy at [email protected].
2. Personal data we collect
We collect the following categories of personal data:
- Account data: name, email address, hashed password, role, firm or business name, mode (Practice or Business) and locale.
- Authentication data: verification codes, password reset tokens, login timestamps and device/browser fingerprints.
- Billing data: Stripe customer ID, subscription state, plan, seat count, coupon usage, last four digits and expiry of the card on file (we never store full card numbers ourselves), invoice history.
- User Content: documents you upload (cost invoices, sales invoices, expense claims, receipts) and the metadata extracted from them (supplier or customer name, dates, totals, VAT, line items, categories, attachments).
- Usage data: log records of actions in the Service (uploads, edits, approvals, messages, exports), device and browser information, and IP address.
- Support data: messages you send to us via email or in-product channels.
- Local storage: we store small items in your browser’s local storage (authentication tokens, preferred help-centre audience, chat history, recently viewed clients) to keep you signed in and to remember your preferences.
3. How and why we use your data (UK GDPR Article 6 lawful bases)
| Purpose | Lawful basis |
|---|---|
| Creating and operating your Account; providing the Service; processing payments via Stripe. | Performance of a contract with you (Article 6(1)(b)). |
| Running OCR and AI extraction over uploaded documents to populate fields, suggest categories and improve auto-rules. | Performance of a contract with you (Article 6(1)(b)). |
| Sending transactional emails (verification, invitations, billing, security and important service notices). | Performance of a contract; legitimate interests (Article 6(1)(b) and (f)). |
| Securing the Service, preventing abuse and fraud, detecting and responding to incidents. | Legitimate interests (Article 6(1)(f)). |
| Improving the Service, analysing aggregated usage, building auto-rule heuristics from anonymised patterns. | Legitimate interests (Article 6(1)(f)). |
| Complying with our legal, accounting, tax and audit obligations. | Legal obligation (Article 6(1)(c)). |
| Sending optional marketing or product news. | Consent (Article 6(1)(a)). You can withdraw at any time. |
4. Document content and AI processing
When you upload a document, we send it to one or more AI/LLM providers to extract financial fields (supplier or customer name, dates, totals, VAT, line items, categories). We pass the minimum content required (typically the document image or text plus a short instruction prompt) and we do not authorise providers to use your content for training their general models.
We do not sell your data, do not use User Content to train our own models without permission, and we do not enrich your User Content with profiling derived from third-party sources.
5. Sharing and sub-processors
We share personal data with the following categories of recipients, on our behalf:
- Stripe — subscription management and payment processing (Stripe Payments Europe, Ltd. and Stripe Payments UK, Ltd.).
- Xero — optional accounting integration for sending Snap data to your ledger. Used only if you connect a Xero organisation.
- AI / LLM providers — document processing (OCR and field extraction). We use providers operating under written data processing agreements that prohibit using your content to train general models.
- Cloud hosting and object storage — the infrastructure that runs Snap, including S3-compatible object storage that holds uploaded documents in private buckets.
- Transactional email provider — for verification, invitations, security alerts and billing notifications.
- Professional advisers — lawyers, accountants and auditors, where required.
- Authorities — law enforcement, regulators or courts, where we have a legal obligation or a clear legal basis to disclose.
We do not sell your personal data, and we do not share it for third-party advertising.
6. International transfers
Some of our sub-processors are located outside the United Kingdom (for example in the European Economic Area or the United States). When personal data is transferred outside the UK we rely on safeguards approved under UK GDPR, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with technical measures (encryption in transit and at rest, access controls). We can provide more detail on request.
7. Data retention
We retain personal data for as long as your Account is active and for a limited period after closure to comply with legal, tax and accounting obligations and to handle disputes.
- User Content (documents and extracted fields): retained while your Account is active. On Account deletion the data is removed from production systems within 30 days. Encrypted backups are rotated and overwritten on a regular schedule (typically within 90 days).
- Billing and tax records: retained for at least 6 years from the end of the financial year, as required by UK tax law.
- Security logs: retained for up to 12 months unless required for an active incident.
8. Security
We protect personal data with technical and organisational measures, including encryption in transit (TLS) and at rest, role-based access controls, multi-factor authentication for privileged staff access, segmented network zones, audit logging and a least-privilege approach to engineering access. We monitor for suspicious activity and have an incident response process in place. No system is perfectly secure; you must also keep your password confidential and notify us immediately if you suspect unauthorised access.
9. Your rights
Under UK GDPR you have the following rights in respect of your personal data:
- Right of access — obtain a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your data, subject to legal retention obligations.
- Right to restriction of processing — ask us to limit how we use your data while a concern is investigated.
- Right to object — object to processing carried out on the basis of legitimate interests.
- Right to data portability — receive a structured, commonly used, machine-readable copy of data you provided to us.
- Right to withdraw consent — for any processing based on consent (such as marketing).
- Right to lodge a complaint — with the Information Commissioner’s Office (ico.org.uk) if you believe we have not handled your data lawfully. We would, however, appreciate the chance to address your concern first — please email [email protected].
To exercise any of these rights, email [email protected] from the address associated with your Account. We will respond within one month and may need to verify your identity before acting on the request.
10. Cookies and similar technologies
Snap uses a small number of strictly necessary cookies and browser local storage entries to keep you signed in, remember your preferred Help Center audience, store the minimal Help Assistant chat history on your own device, and prevent abuse. We do not use third-party advertising cookies. Where local analytics is used it is privacy-first and does not track individuals across other sites.
11. Children
Snap is intended for business users and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us so we can remove it.
12. Changes to this Policy
We may update this Policy from time to time. The “Last updated” date at the top of the page indicates when the most recent revision took effect. If a change is material we will notify you in the application or by email at least thirty (30) days before it takes effect.
13. Contact and Data Protection queries
Lucibook Ltd
Email: [email protected]
Subject line for data-protection queries: “Data Protection — UK GDPR”.