Privacy Policy

Adder Analytics Limited

Effective date: 16 May 2026
Last updated: 16 May 2026
Version: 1.0

This Privacy Policy explains what personal information we collect when you use the service operated by Adder Analytics Limited (“Adder”, “we”, “us”), how we use it, who we share it with, and the rights you have over it. It is written to be readable; the headings below tell you where to find each topic.


1. Who we are

Adder Analytics Limited is a company registered in the United Kingdom. We are the data controller for the personal information described in this policy, except where we act as a data processor on behalf of a client and have indicated that separately in a written agreement.

2. Scope

This Privacy Policy applies to the websites, applications, and services that we operate and link to this policy (“the Service”). Where the Service connects to your financial accounts at your direction using Plaid, this policy also explains how we handle the financial-account information we receive through that connection.

This policy does not cover third-party services that you may use alongside the Service. Those services are governed by their own privacy notices.

3. The information we collect

We collect the categories of information below. We do not collect more than we need to provide the Service.

3.1 Information you give us directly

  • Account information: your name, email address, and authentication identifiers when you create an account.
  • Communications: the content of messages you send to us (for example, support requests).
  • Payment information: if you pay us, the payment is processed by a regulated payment provider; we receive a record of the transaction but not your full card details.

3.2 Financial-account information you authorise us to receive via Plaid

When you use the Service to connect a financial account, you are directed to Plaid, a financial-data network. You authenticate with your financial institution through Plaid; we never see or store your bank-login credentials.

Through Plaid, with your authorisation, we may receive:

  • Account information — for example, account number, account type, and balance.
  • Account holder identity — for example, the name, email address, phone number, and address held by your financial institution.
  • Transaction information — for example, transaction dates, amounts, descriptions, and categorisations.

The specific data fields we request are limited to those needed for the features of the Service that you have chosen to use. Plaid's role and your rights with respect to Plaid are described in Section 6.

3.3 Information we collect automatically

  • Usage information: how you interact with the Service (pages visited, actions taken).
  • Device and connection information: IP address, browser type, operating system, and similar technical metadata.
  • Cookies and similar technologies: we use cookies that are strictly necessary to operate the Service (for example, to keep you signed in) and a limited set of analytics cookies that help us understand how the Service is used. Where required by law, we ask for your consent before setting non-essential cookies.

4. How we use your information

We use the information we collect for the following purposes, each with a corresponding lawful basis under UK and EU GDPR:

Purpose | Lawful basis
To provide, operate, and maintain the Service, including features that rely on data you authorise us to receive via Plaid | Performance of a contract
To authenticate you and secure your account | Performance of a contract; legitimate interests
To respond to your support requests | Performance of a contract; legitimate interests
To send you service-related communications (for example, security or billing notices) | Performance of a contract; legal obligation
To improve, debug, and develop the Service | Legitimate interests
To comply with applicable laws and regulations | Legal obligation
To detect, investigate, and prevent fraud or misuse | Legitimate interests; legal obligation
To use limited, AI-assisted features where you have chosen to use them (see Section 5) | Performance of a contract; legitimate interests

We do not sell your personal information, and we do not “share” your personal information for cross-context behavioural advertising as those terms are used under the CCPA / CPRA.

5. AI / automated processing

Some features of the Service use AI models to process information you provide or that we collect on your authorisation. When this happens:

  • We send only the minimum information needed for the feature to work.
  • We use Google Cloud Vertex AI and Anthropic (including Anthropic's managed-agents capabilities), and our inputs are not used to train the providers' foundation models.
  • We do not send Plaid-derived data to AI providers other than Google Cloud Vertex AI and Anthropic.

AI-assisted features support the operation of the Service and do not make significant decisions about you that produce legal or similarly significant effects without human review.

6. Plaid

When you choose to connect a financial account, you are interacting with Plaid Inc. (“Plaid”). Plaid acts as both an independent controller of certain data and as a processor on our behalf for certain data, as described in Plaid's End User Privacy Policy.

By using the Plaid-powered connection, you understand and agree that:

  • You provide your financial-institution credentials to Plaid (not to us).
  • Plaid will collect, use, and share your information as described in Plaid's End User Privacy Policy, available at https://plaid.com/legal/#end-user-privacy-policy.
  • The information we receive about you from Plaid is used by us in accordance with this Privacy Policy.
  • You can manage and revoke connections at any time through the Service or through Plaid's portal at https://my.plaid.com.

If you revoke a Plaid connection, we will stop receiving new data through that connection and we will delete the associated data from our primary systems within the timeframes set out in our Data Retention and Disposal Policy.

7. Who we share your information with

We share information with the following categories of recipients and only as needed to operate the Service:

Recipient | Purpose | Where they operate
Plaid | Financial-data connectivity that you have authorised | United States
Google Cloud (Vertex AI) | AI inference for limited features; our inputs are not used to train the provider's foundation models | United States
Anthropic | AI inference (including managed agents) for selected product features; our inputs are not used to train the provider's foundation models | United States
Hosting and managed database providers | Application hosting (frontend and serverless backend) and managed Postgres database | United States / global edge
Authentication provider | User authentication and account management (receives name, email, and authentication identifiers) | United States
Error monitoring provider | Error monitoring and performance telemetry (may receive user identifiers and technical metadata associated with errors) | United States
In-product feedback tool | Feedback widget that receives user identifiers and the content of feedback you submit | Australia / United States
Privacy-friendly analytics provider | Usage analytics for the Service (does not use cookies or store cross-site identifiers) | United States / global edge
Professional advisers and regulators | When required by law or to establish, exercise, or defend legal claims | UK / as applicable

We will provide a current list of named sub-processors on request.

We may also share information in connection with a merger, acquisition, or sale of business assets, in which case we will notify you and require the successor entity to honour this Privacy Policy or provide notice of any material change.

We do not sell your personal information.

8. International data transfers

We are based in the United Kingdom. Some of our sub-processors are located in the United States and elsewhere. Where we transfer personal information outside the UK or European Economic Area, we rely on lawful transfer mechanisms, including:

  • UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs), where applicable.
  • Adequacy decisions, where one applies.
  • Other lawful transfer mechanisms provided under the UK GDPR and EU GDPR.

You can request a copy of the safeguards we rely on for international transfers by contacting your Adder account manager.

9. How we protect your information

We maintain a documented Information Security Policy and Data Retention and Disposal Policy that govern how we protect personal information. Our controls include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  • Access control based on least privilege, with multi-factor authentication required for any system handling sensitive data.
  • Secrets management through Doppler; credentials are never stored in source code.
  • Continuous dependency scanning and prompt patching of high-severity vulnerabilities.
  • Logging and monitoring through our platform providers, with alerts reviewed by our Security Officer.
  • Incident response procedures that include notification to Plaid within 72 hours of any confirmed incident affecting Plaid-derived data, and to affected users and regulators where required by law.

No security program is perfect; we maintain ours as part of an ongoing program of review and improvement.

10. How long we keep your information

We keep personal information only as long as we need it to provide the Service and to comply with our legal obligations. Specific retention periods, including for Plaid-derived data, are set out in our Data Retention and Disposal Policy. In summary:

  • Plaid-derived data is retained while you maintain an active connection and the underlying product purpose; on revocation or account deletion, the data is removed from our primary systems within 30 days, with residual backups purged on the next standard rotation cycle.
  • Account records are retained for the duration of the relationship and for up to 12 months afterwards.
  • Logs are retained for up to 13 months.
  • Contracts, invoices, and accounting records are retained for 7 years to meet UK statutory requirements.

11. Your rights

Depending on where you live, you may have the following rights over the personal information we hold about you:

  • Access — to ask for a copy of the personal information we hold about you.
  • Rectification — to ask us to correct inaccurate or incomplete information.
  • Erasure — to ask us to delete your personal information (“right to be forgotten”) subject to legal exceptions.
  • Restriction — to ask us to limit how we use your information in certain circumstances.
  • Portability — to receive certain information in a structured, commonly used, and machine-readable format.
  • Objection — to object to processing based on legitimate interests.
  • Withdraw consent — where we rely on your consent, to withdraw it at any time (without affecting the lawfulness of processing already carried out).

California residents (CCPA / CPRA): you have the right to know what personal information we collect, to delete it, to correct it, to limit our use of sensitive personal information, and to be free from discrimination for exercising your rights. You may designate an authorised agent to make a request on your behalf.

To exercise any of these rights, please contact your Adder account manager, who is the dedicated representative assigned to every account. We will respond within the timeframes required by applicable law (generally 30 days under UK / EU GDPR, and 45 days under CCPA, each extendable in limited circumstances with notice). We may need to verify your identity before fulfilling your request.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk or with your local supervisory authority.

12. Cookies and similar technologies

We use cookies and similar technologies for two purposes:

  • Strictly necessary — to operate the Service (for example, to keep you signed in). These cannot be disabled without breaking the Service.
  • Analytics — to understand how the Service is used. Where required by law, we obtain your consent before setting these.

You can control cookies through your browser settings. Disabling strictly-necessary cookies may prevent the Service from working correctly.

13. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please let your Adder account manager know so we can delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective date at the top of this policy and, where required by law, we will notify you (for example, by email or an in-Service notice) before the changes take effect.