Privacy Policy
Last updated: 25 April 2026
This Privacy Policy explains how ARYANETIX LTD (Company No. 11425860), trading as Chase Up, collects, uses, stores, shares, and protects personal data when you use our website at chaseup.io, the Chase Up application, and related services (together, the "Service"). We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
ARYANETIX LTD trading as Chase Up
Company Number: 11425860
Registered office: 52a High Street, Beighton, Sheffield, S20 1ED, United Kingdom
ICO registration: ZC150682
General contact: hello@chaseup.io
Privacy and data rights contact: privacy@chaseup.io
Controller and processor roles
ARYANETIX LTD is the data controller for personal data we collect about account holders (accountants, firm staff, administrators), website visitors, and people who contact us directly.
Where you use Chase Up to manage reminders, communications, or records relating to your own clients or contacts, you are the data controller for that data and we act as your data processor. Our processing of that data is governed by our Data Processing Agreement, available on request from privacy@chaseup.io.
2. Personal data we collect
2.1 Account data
- Full name
- Email address
- Phone number
- Firm or organisation name
- Role within the firm (and group / practice memberships where you operate across multiple practices)
- Authentication credentials, multi-factor authentication state, and session data
- Subscription and billing status
2.2 Client and contact data you provide
Where you use the Service to manage your firm's clients and contacts, we process data you upload or enter, including:
- Client and contact names
- Phone numbers and email addresses
- Companies House identifiers (company numbers, officer details) where imported
- HMRC identifiers (UTR, VRN) where you provide them
- Filing obligations, deadlines, and status records
- Message content sent and received via the Service (WhatsApp, SMS, email)
- Replies and documents received from your clients (including attachments)
- Delivery, classification, and audit records
Optional: import from your phonebook (iOS only). Where the Service offers an "Add from phonebook" action, we read only the specific contact you tap — not your address book in bulk. iOS will prompt for Contacts permission the first time you use it (NSContactsUsageDescription). The contact's name, phone number, and email (if present) are then stored as a Chase Up record under your firm's tenant on the same basis as any other client and contact data you enter manually. You can remove the record at any time, including via the Article 17 deletion path described in Section 11. The Android app does not currently request contacts access; if that changes we will update this section before shipping.
2.3 Usage data
- Feature interactions and Service usage patterns
- Device type, operating system, and application version
- IP address (at the point of connection)
- Error logs and diagnostic data
2.4 AI-processed data
Parts of the Service use third-party AI models (named in the DPA we provide to firm customers) to:
- Classify inbound message intent
- Classify and route inbound documents (5-dimension: client, obligation, period, document type, source)
- Draft outbound replies for human review or for sending after a separate AI quality-control check (the "QC agent")
What we send to the AI: the minimum needed for the task — the message body and structured context (client name, obligation type, period, open document requests). We do not send card details, full client portfolios, or unrelated client data to AI providers.
Two-layer AI safety model: every AI-generated reply is reviewed by a second AI model (the QC agent) before any human reads it. Every AI-generated document classification that would change state (auto-file, close a request, flip a checklist) is reviewed by the QC agent before that change is made. Anything outside the strict scope of what the user asked is routed to the firm as an internal "insight" — it is never surfaced to a client without a human accountant approving it first.
No surprise to clients: clients never receive AI-generated content the firm has not directly or indirectly authorised. The firm can disable the AI assistant at any time from Settings.
Training: our AI providers are contractually bound not to train their general models on your data. We do not sell or license your data for AI training.
3. How we use your data
We process personal data only where we have a lawful basis under UK GDPR.
| Purpose | Lawful basis |
|---|---|
| Provide, maintain, and operate the Service | Contract performance |
| Create and manage user accounts | Contract performance |
| Send messages on your behalf to your contacts | Your instructions as controller / contract performance |
| AI-assisted classification, extraction, and drafting (with QC review) | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Detect abuse, prevent fraud, and maintain security | Legitimate interests |
| Improve the Service, fix bugs, and monitor performance | Legitimate interests |
| Send operational and service announcements | Legitimate interests |
| Comply with legal and regulatory obligations | Legal obligation |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You can object to processing based on legitimate interests at any time (see Section 9).
3.1 Sector knowledge graph (Section 11 of the Compliance Agent Voice Doctrine)
When a firm onboards a client, we read the client's UK Standard Industrial Classification (SIC) code from Companies House — public data — to determine which UK regulatory sector the client operates in. If our shared compliance knowledge graph does not yet cover that sector, we automatically research the sector using public regulator sources (gov.uk, ICAEW guidance, HMRC manuals) and add it to the platform-wide graph so the compliance agent can answer sector-specific questions accurately.
What we use: only the SIC code and public regulator sources.
What we never use: client conversation content, contact details, obligation history, document content, firm settings, or any other confidential tenant data. The knowledge graph is generic to a sector, never specific to a client or firm.
How long it stays: the platform-wide knowledge graph is retained indefinitely as a product feature, refreshed when regulations change. The audit log of which onboarding event triggered each generation is retained per Section 7.
4. Sharing your data — sub-processors
We share personal data only with trusted providers where necessary to deliver the Service, operate our business, or comply with the law. We do not sell, rent, or trade personal data.
The categories of sub-processors we engage are listed below. A current named list of sub-processors forms part of the Data Processing Agreement we provide to every firm customer — request a copy at privacy@chaseup.io. We will notify business customers of material changes via email or in-app notice at least 30 days before a new sub-processor begins processing your data, where practicable.
| Category | Purpose | Data shared | Location & transfer mechanism |
|---|---|---|---|
| Hosting and infrastructure | Application compute and operational database | Service data (encrypted in transit) | UK (London) |
| Document storage | Encrypted storage of client-uploaded documents (object storage with KMS-managed keys) | Uploaded documents and attachments | UK (London) |
| WhatsApp and SMS delivery | WhatsApp Business and SMS message delivery (BSP and Cloud API paths) | Phone numbers, message content, delivery status | US / EU; UK GDPR DPAs in place. Transfers under the UK Addendum to EU Standard Contractual Clauses and the UK–US Data Bridge where the provider is certified. |
| AI processing | Reply classification, document filename classification, draft messaging — staff always have final oversight | Message text, structured obligation context, document filenames and metadata. No financial document content is sent to third-party AI services. | US; UK GDPR DPA in place. No training on customer data. Transfers under the UK Addendum to EU Standard Contractual Clauses. |
| Transactional email | Account, billing, and notification email delivery | Recipient email address, subject, body | EU |
| Payment processing | Subscription billing and card processing (planned for V1 launch) | Billing contact, card metadata (the payment processor holds the card PAN; we do not), subscription status | UK / EU |
| Error monitoring and uptime | Application error capture and service-health monitoring | Stack traces and request metadata (PII redacted where feasible), log lines (PII minimised), service-health metrics | EU |
| Domain and email hosting | Domain DNS and our own staff mailbox (e.g. hello@chaseup.io) | Email content sent to or from us, DNS records | EU |
| Mobile application distribution | App Store and Play Store distribution channels for the Chase Up mobile app | Account identifiers and crash reports — no client data | US; UK GDPR safeguards via the providers' own DPAs |
| UK public-register and tax integrations | Companies House and HMRC integrations for client onboarding and tax-submission workflows | Company numbers, officer names (public-register data) and — where the firm explicitly authorises an HMRC submission — client tax identifiers and submission data | UK |
Where these providers act as our processors, we have data processing agreements in place. Some providers engage their own sub-processors; we require them to maintain equivalent data protection standards under their DPAs.
We may also share data with our professional advisers (legal, accounting, audit) where strictly necessary, and with law enforcement or regulators where legally required.
5. Data residency and international transfers
Primary residency: United Kingdom. Application hosting and document storage are both located in the United Kingdom (London region). Application data and uploaded documents do not leave the UK in normal operation.
Some of our sub-processors operate from the United States or the European Economic Area — specifically those in the messaging, AI processing, transactional email, error-monitoring, mobile-distribution, and (for some account-level metadata) payment-processing categories listed in Section 4. Where personal data is transferred outside the UK to these providers, we rely on one or more of the following safeguards:
- The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses
- Adequacy decisions where applicable (e.g. the UK–US Data Bridge, where the provider is certified)
- EU adequacy where the provider is in an EEA country recognised under UK adequacy
- Data minimisation and access controls to reduce the scope of transferred data
We minimise international transfers by design — for example, document files are stored in the UK even though some metadata about those files is processed by US-based AI providers.
You can request further details about the specific safeguard applied to any transfer by emailing privacy@chaseup.io.
6. Data storage and security
Service data is stored in the United Kingdom (London region) across our hosting and document-storage providers. The named providers form part of the Data Processing Agreement we provide to firm customers.
We apply technical and organisational security measures including:
- Encryption in transit: TLS 1.2 or higher on all client connections and inter-service traffic; HTTP is rejected, not downgraded.
- Encryption at rest: Uploaded documents are encrypted using KMS-managed keys (server-side encryption) on private object storage with public access fully blocked. The application database resides on encrypted storage.
- Tenant isolation: Every database query and every storage path is scoped to the owning firm. Multi-tenant role-based access control (RBAC) governs user permissions across group / practice / client scopes. No user can read, write, or list data outside the firm and scope they belong to.
- Authentication: Phone-OTP-based login, short-lived session tokens, and multi-factor authentication on administrative access. Where supported by the platform, additional MFA on user accounts is offered.
- Least privilege: Production credentials are scoped to the minimum permission needed; secrets are stored outside source control and rotated on a documented schedule and immediately on any suspected exposure.
- Audit trail: Sensitive actions (state transitions, classifications, contact changes, messages sent, document access) are logged. Firm administrators can review who did what, when, and to which client.
- Backups: Regular encrypted backups with rolling retention. Backup integrity is verified before forward changes are applied.
- Logging and monitoring: Production access and application errors are logged and monitored.
- File safety: Inbound documents are validated for size and MIME type. Virus scanning of inbound files is on the V1.1 roadmap and will run before files are accessible to firm users.
We hold ourselves to a "secure-by-default" architecture: every new feature is reviewed against a security checklist before shipping, including encryption, tenant isolation, audit logging, data minimisation, and consent flows.
We are working towards external information-security accreditations (Cyber Essentials, then SOC 2). We will update this policy when those accreditations are achieved — we do not claim accreditations we have not yet earned.
No system is completely secure, but we work continuously to protect personal data against unauthorised access, loss, misuse, and disclosure.
Breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay.
7. Data retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy.
| Data type | Retention |
|---|---|
| Active account data | For the duration of the account relationship |
| Client and contact data | For the duration of the account relationship, unless archived or deleted earlier by the firm |
| Archived clients (grace period) | 30 days after archive — restorable and exportable during this window, then permanently deleted |
| Message history | For the duration of the account relationship, unless deleted earlier |
| Inbound documents | For the duration of the account relationship; deletable on request |
| Audit trail (identifiable) | For the duration of the account relationship |
| Audit trail (anonymised, for operational and legal integrity) | 6 years from record creation |
| Session tokens | Invalidated after their session expiry |
| Database backups | 30 days on a rolling basis |
| Data after account deletion | Active-system deletion within 30 days of a verified request; backups overwritten within 30 days |
Archive and immediate-delete model
Firms can archive a client at any time. Archive hides the client from active lists, starts a 30-day countdown, and keeps the client restorable and exportable during that window. After 30 days the data is permanently purged.
Erasure requests (UK GDPR Article 17)
On a verified erasure request, we delete identifiable personal data from active systems immediately and confirm completion. Deletion requires explicit typed confirmation in-app or in writing. Backups containing deleted data are overwritten within the backup retention cycle (up to 30 days). We retain an anonymised audit record of the deletion (with the personal name redacted) to demonstrate compliance and meet our own statutory record-keeping obligations under the Companies Act and HMRC rules.
We may retain specific data beyond these periods where required by law (for example, billing records under HMRC requirements for 6 years) or to establish, exercise, or defend legal claims.
8. Cookies and similar technologies
We take a privacy-first approach to cookies and tracking. We do not use advertising cookies, third-party analytics that profile users, cross-site tracking, fingerprinting, or session-replay tools.
The Chase Up website and app use only the following:
Strictly necessary
- Session cookies / mobile-storage tokens — maintain your authenticated session.
- CSRF and security tokens — protect against cross-site request forgery.
Functional (consent-based where required)
- Landing page preference cookie — remembers that you have accessed the Chase Up website, retained for 7 days. Contains no personal data.
If we introduce any non-essential tracking technology in future, we will request consent in line with PECR before it loads.
9. Your rights
Under UK data protection law, you have the following rights:
- Access — obtain a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests or for direct marketing
- Withdraw consent — where processing is based on consent
You also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.
We aim to respond to rights requests within one month. In complex cases we may extend this by up to two further months and will tell you if we do so.
Note on client data: if you are the end client of a firm that uses Chase Up, please contact your firm (the data controller of your data) to exercise your rights. We will assist our customers in responding.
Future client view (magic link)
We are building a feature that allows the end clients of firms that use Chase Up to view a read-only summary of their compliance file (documents received, documents outstanding, upcoming deadlines, who at the firm is working on it) via a one-time link sent in WhatsApp messages. No account, no password. Access is logged. This feature is not yet live; this Privacy Policy will be updated when it ships.
10. Children's privacy
The Service is intended for professional business use by UK accountancy firms and their clients. We do not knowingly process personal data of children under 13. The Service is not directed at children. If you believe we have collected such data, please contact privacy@chaseup.io and we will take appropriate steps to delete it.
11. How to exercise your rights
Email: privacy@chaseup.io
Post: ARYANETIX LTD, 52a High Street, Beighton, Sheffield, S20 1ED, United Kingdom
We may ask you to verify your identity before responding.
12. Data Processing Agreement (DPA)
A Data Processing Agreement governing our processing of client data on behalf of firms is available on request from privacy@chaseup.io. We expect business customers to execute the DPA before onboarding live client data into the Service.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will update the Last updated date above. For material changes (including the addition of a new sub-processor that materially affects how we process your data), we will notify account holders by email or in-app notice at least 30 days before the change takes effect, where practicable.
14. Contact us
For any question, concern, or complaint about this Privacy Policy or our data practices, contact us at privacy@chaseup.io.