Privacy Policy
Last updated: 26 June 2026 · Version: 1.0
1. Who we are
This Privacy Policy explains how Suraj Kishor Patel, a sole trader trading as Sciro ("Sciro", "we", "us", "our"), collects, uses, and protects personal information when you use our website at https://sciro.app and our expense and invoice management platform (together, the "Services").
We are the data controller for the personal information described in this policy, except where we act as a data processor on behalf of a business customer (see Section 12).
This policy should be read alongside our Terms and Conditions and our Cookie Policy.
- Contact for privacy matters: legal@sciro.app
- General support: support@sciro.app
- Postal address: 124 City Road, London EC1V 2NX
- ICO registration number: ZC179892
- Data Protection Officer: As a sole trader carrying out limited processing, we are not legally required to appoint a Data Protection Officer and have not appointed one. Privacy queries are handled by the contact above.
2. The information we collect
Information you give us directly
- Account and profile information: name, email address, password, job role, organisation, and profile image.
- Content you upload: receipt and invoice images and PDFs, expense and mileage claim details (including journey origin and destination addresses you enter), descriptions, categories, and notes.
- Financial information: expense amounts, invoice values, VAT details, and billing information processed through our payment provider.
- Communications: messages you send us by email or through the Services.
Information we collect automatically
- Log and usage data: IP address, browser type and settings, and activity within the Services (used for security, rate limiting, and diagnostics).
- Device data: browser and device information, and push-notification subscription details if you enable notifications.
- Security and audit logs: records of key account and security events, such as sign-ins and sign-in attempts, password changes, invitations, account deletion, and approval actions, together with the date and time, the account or email involved, and the IP address.
Information we receive from other sources
- When an administrator invites you to an organisation, we receive your email address from them before you create an account.
- When a business customer connects a third-party HR system or accounting software, we receive employee or contact records from that system to provide the Services.
- When you sign in using Google or Microsoft single sign-on, we receive your name and email address from that provider to create or access your account. Google and Microsoft act as independent controllers for that sign-in; their own privacy policies apply to it.
- If you connect a Microsoft 365 (Outlook) mailbox to import invoices, we access that mailbox so you can find and import invoice emails and their attachments, which can include email content and attachments that contain personal data. We store an encrypted access token so the connection keeps working, and we delete that token when you disconnect the mailbox (which you can do at any time from the invoice or expense upload pages) or when your account is deleted. Microsoft acts as an independent controller for your mailbox, and its own privacy policy applies.
Special-category data. We do not intentionally collect special-category personal data (such as health, genetic, or biometric data, or data revealing racial or ethnic origin, religious or philosophical beliefs, or trade-union membership). Such data could appear incidentally on a receipt or invoice a user uploads; we do not seek it out or use it, and our Terms ask users not to upload it. We do process financial data, which is sensitive in nature but is not a special category under the UK GDPR; we protect it with the measures in Section 10.
3. How and why we use your information
We rely on the following legal bases under the UK GDPR:
Performance of a contract to:
- deliver and operate the Services for you;
- run the approval workflow and enable communications between users (for example, approval requests and reminders);
- manage your subscription, orders, and billing;
- respond to your enquiries; and
- send you administrative messages (invitations, billing notices, invoice reminders, confirmations, and approval notifications).
Legitimate interests to:
- protect the Services, diagnose problems, and prevent fraud and abuse;
- understand usage trends so we can improve the Services; and
- maintain accurate, tamper-resistant records of expense and invoice approval decisions, so our business customers have an auditable approval trail for their accounting, tax, and compliance obligations.
Legal obligation to keep certain financial and transaction records for the periods required by law.
Consent to send you push notifications, where you choose to enable them. You can turn them off at any time in your browser or device settings, which withdraws that consent without affecting any other processing.
We do not send marketing or promotional communications, and we do not make decisions about you by solely automated means that produce legal or similarly significant effects (a person always reviews and approves each claim).
Providing the information needed to create and operate your account is necessary to use the Services, and we cannot provide them without it. Providing optional information, such as a profile image, is not required.
4. Artificial intelligence features
Sciro uses an AI service provided by OpenAI to read uploaded receipts and invoices and extract details such as the vendor, date, amount, and line items. This helps speed up data entry.
Using AI extraction is optional: you can enter expense details manually instead of uploading a document for automated processing. A person always reviews and approves every claim, so no decision about you is made solely by automated means.
We do not allow OpenAI, or any other AI provider we use, to use your content or other personal data to train their models. The data is processed only to return the extracted details to you and is not retained by the provider for its own purposes.
5. Cookies and similar technologies
We use cookies that are strictly necessary, including for authentication and keeping you signed in (and, if you choose "remember me", for a longer period), and for security. The mileage and address features can use the Google Maps APIs, which set non-essential Google cookies; we load Google Maps only after you consent, and you can change or withdraw that consent at any time, including in Settings under Cookie choices. We store some preferences, such as your light or dark theme, in your browser's local storage rather than in a cookie. We do not use advertising or tracking cookies. See our Cookie Policy for details.
Do Not Track and Global Privacy Control. Because we do not use advertising or cross-site tracking cookies and do not track you across other websites, our Services do not behave differently in response to a browser "Do Not Track" (DNT) signal or a Global Privacy Control (GPC) signal. If we ever introduce tracking that these signals would apply to, we will update this policy and honour those signals where the law requires.
6. Who we share your information with
We share personal information with service providers who process it only on our instructions and under a data processing agreement. These fall into the following categories:
- cloud hosting, database, file storage, and backup providers;
- a payment processor, for subscription billing;
- AI processing providers, to extract data from receipts and invoices and to suggest expense categories;
- a transactional email provider;
- a mapping and distance-calculation provider, for mileage claims; and
- a rate-limiting and security provider.
We do not allow these providers to use your personal data for their own purposes. A current list of the specific sub-processors we use is set out in our Data Processing Agreement, and is also available on request.
We also disclose information to the accounting software and HR system that a business customer chooses to connect, at that customer's direction.
We may disclose information where required by law, to enforce our Terms, or to protect the rights, safety, or property of Sciro, our users, or others. If our business is ever sold or reorganised, information may be transferred as part of that transaction.
We do not sell your personal information, and we do not share it with advertising, affiliate, or business partners. We also do not offer financial incentives (such as discounts or rewards) in exchange for your personal information.
7. International transfers
Some of our providers store or process data outside the UK, including in the United States. Where information is transferred outside the UK or EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an adequacy decision. You can request a copy of the safeguards we use by contacting us at legal@sciro.app.
8. How long we keep your information
We keep your information for as long as your account (or your organisation's account) remains active. When you delete your account, or an organisation owner deletes the organisation's account, we permanently delete that data, including uploaded receipt and invoice files, immediately as part of the deletion process. Deletion is not reversible, so we cannot recover the data afterwards.
We keep limited security and audit logs (described in Section 2) to protect accounts, investigate misuse, and maintain an accountability trail. For those purposes, we retain these logs, which can include your email address and IP address, even after an account is deleted, and we delete them once they are no longer needed for those purposes.
We do not keep a separate copy of your financial or transaction records after deletion. If your organisation needs to retain expense or invoice records to meet its own legal, tax, or accounting obligations, it is responsible for exporting or retaining those records (for example, in its connected accounting software) before deleting its account.
Note that records relating to a person who has left an organisation are retained while that organisation's account remains active, because the organisation needs those records for its own accounting and audit purposes.
Once we no longer need to hold information in an identifiable form, we may anonymise it so that it can no longer be associated with you and keep that anonymised information indefinitely to understand usage trends and improve the Services. Anonymised information does not identify you and is not subject to the rights described in Section 9.
9. Your rights
Subject to the conditions and exemptions in applicable data protection law, you have the right to:
- be informed about how we use your personal information (this policy);
- access a copy of the personal information we hold about you;
- rectify inaccurate or incomplete information;
- erase your information ("right to be forgotten");
- restrict our processing of your information;
- object to processing based on our legitimate interests, and object to direct marketing at any time (note that we do not send marketing);
- data portability — receive the information you provided in a structured, commonly used, machine-readable format; and
- withdraw consent at any time where we rely on consent, without affecting any processing carried out before you withdrew it.
You can edit your profile and delete your account and associated data directly within the Services. To make any other request, contact us at legal@sciro.app. Exercising your rights is free, and we will respond within one month; we may extend this for complex or numerous requests as the law allows, and will tell you if we do. To protect your information, we may ask you to verify your identity before we act on a request. If we process your information on behalf of your employer or another organisation, we may direct your request to them as the controller.
Making a complaint. If you are unhappy with how we have handled your personal information, please contact us first at legal@sciro.app, with enough detail to identify the issue, so we can try to put things right. We will acknowledge your complaint within 30 days, investigate, and tell you the outcome. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk at any time.
10. How we protect your information
We use technical and organisational measures to protect your information, including encryption in transit, access controls, row-level security on our database, private storage for uploaded documents served only through expiring signed links, and audit logging. We take regular encrypted backups so your data can be restored after a technical failure, and we periodically review and test our security measures. A fuller description of our technical and organisational measures is set out in our Security Overview, available on request. No system is completely secure, and we cannot guarantee absolute security.
If a personal data breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in line with our legal obligations.
Please note that profile images you choose to upload are stored in a publicly accessible location, so a person who has the image's direct link may be able to view it. Do not use a sensitive or private image as your profile picture.
11. Children
The Services are intended for business use by adults and are not directed at children. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact us and we will delete it.
12. Our role as a processor
When a business customer uses Sciro to process information about its employees, suppliers, or contacts, that customer is the data controller and Sciro acts as a data processor on its behalf. In that role we process the information only on the customer's documented instructions, and our processing is governed by our Data Processing Agreement with the customer. The customer is responsible for having a lawful basis to provide that information to us and for informing the relevant individuals.
If you are an employee or contact of one of our business customers, your employer's or that organisation's own privacy notice governs how your information is handled, and you should direct data-rights requests to them in the first instance. This Privacy Policy describes the information for which Sciro itself is the controller.
13. Changes to this policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date above and, for material changes, provide more prominent notice. Your continued use of the Services after an update means you accept the revised policy.
If we intend to use your personal information for a new purpose that is not described in this policy, we will inform you beforehand and, where the law requires it, obtain your consent.
14. Contact us
For any questions about this policy or your personal information, contact us at legal@sciro.app or at the postal address in Section 1.