Privacy Policy

1. Who we are

Wenzo is a trading name of ONAF Limited, a company registered in England and Wales. We are the data controller for the personal data you provide when using the Wenzo service.

Detail	Information
Data Controller	ONAF Limited
Trading As	Wenzo
Registered In	England & Wales
Privacy Contact	[email protected]
ICO Registration	[Registration reference number]

If you have any questions about this privacy policy or how we handle your data, please contact us at [email protected].

2. What data we collect

We collect and process the following categories of personal data:

Account information

When you create a Wenzo account, we collect your name, email address, and a securely hashed version of your password. We never store your password in plain text.

Bank transaction data

When you connect your bank account via Open Banking, we receive read-only access to your transaction data. This includes transaction dates, descriptions, amounts, and running balances. We never have access to your bank login credentials.

Uploaded documents

You may upload invoices, receipts, tax documents, and other financial records to the service. We store these securely and use them only to provide the accounting and bookkeeping service.

Usage data

We collect information about how you interact with the service, including pages viewed, features used, and actions taken. This helps us improve Wenzo and fix issues.

Device and browser information

We collect technical information such as your browser type, operating system, screen resolution, and IP address. This is used for security monitoring and to ensure the service works correctly on your device.

Communication records

If you contact us by email, through the app, or via our website, we keep a record of that correspondence so we can respond effectively and improve our support.

3. How we use your data

We use your personal data for the following purposes, each with a specific legal basis under UK GDPR:

Purpose	Legal Basis
Providing the accounting and bookkeeping service, including pulling in bank transactions, categorising them, and generating reports	Performance of contract
Automatically categorising your transactions using our rules engine	Performance of contract
Sharing your financial data with your authorised accountant, when you grant them access	Your consent
Sending you important service updates, security alerts, and changes to our terms	Performance of contract
Improving the service through anonymised usage analysis and feature development	Legitimate interest
Preventing fraud, detecting security issues, and protecting our users	Legitimate interest
Complying with legal obligations, including tax and regulatory requirements	Legal obligation

We will never use your data for any purpose that is incompatible with those listed above without first obtaining your explicit consent.

4. Who we share data with

We never sell your personal data to third parties. Full stop.

We share your data only with the following parties, and only to the extent necessary:

Your authorised accountant

If you choose to grant your accountant access to your Wenzo account, they will be able to view your transactions, documents, and reports. You control this access and can revoke it at any time.

Finexer Limited (Open Banking provider)

Finexer is our Open Banking provider, regulated by the Financial Conduct Authority (FCA). They facilitate the secure connection between your bank and Wenzo. Finexer processes your bank data only to provide this connection and is bound by strict FCA regulations.

Microsoft Azure (cloud hosting)

Our service is hosted on Microsoft Azure infrastructure, using UK-based data centres. Azure provides the servers, storage, and networking that Wenzo runs on. Microsoft processes data only as instructed by us and in accordance with their data processing agreement.

Cloudflare (security and CDN)

We use Cloudflare to protect the service against cyberattacks and to deliver content quickly. Cloudflare may process limited traffic data (such as IP addresses) as part of providing this security layer.

All third-party processors are bound by data processing agreements that require them to handle your data securely and only for the purposes we specify.

5. Data retention

We retain your data only for as long as necessary to provide the service and meet our legal obligations:

Data Type	Retention Period
Account data (name, email)	While your account is active, plus 7 years after closure (HMRC requirement for financial records)
Bank transaction data	Retained while your bank connection is active. If you disconnect your bank, transaction data is retained for the remainder of the current tax year plus 7 years
Uploaded documents	Retained until you delete them, or until account closure (whichever comes first)
Usage and analytics data	Anonymised after 24 months
Communication records	Retained for 3 years after the last interaction

Account deletion

When you request deletion of your account, all your personal data will be permanently and irreversibly deleted within 30 days. This includes your account details, transaction data, uploaded documents, and all associated records. Anonymised, aggregated data that cannot identify you may be retained for service improvement purposes.

6. Your rights

Under the UK General Data Protection Regulation (UK GDPR), you have the following rights regarding your personal data:

Right of access -- You can request a copy of all personal data we hold about you (a Subject Access Request). We will respond within 30 days.
Right to rectification -- If any of your personal data is inaccurate or incomplete, you can ask us to correct it.
Right to erasure -- You can ask us to delete your personal data. We will do so unless we have a legal obligation to retain it (such as HMRC record-keeping requirements).
Right to data portability -- You can request your data in a commonly used, machine-readable format (such as CSV or JSON) so you can transfer it to another service.
Right to restrict processing -- You can ask us to limit how we use your data while a concern is being resolved.
Right to object -- You can object to our processing of your data where we rely on legitimate interest as the legal basis.
Right to withdraw consent -- Where we process your data based on consent (such as sharing with your accountant), you can withdraw that consent at any time.

To exercise any of these rights, please email [email protected]. We will respond to your request within 30 days. There is no fee for exercising your rights in most circumstances.

7. Cookies

We use a minimal number of cookies to make Wenzo work properly:

Essential cookies

These cookies are necessary for the service to function. They handle your login session, remember your authentication state, and protect against cross-site request forgery (CSRF) attacks. You cannot opt out of essential cookies as the service would not work without them.

Analytics cookies (optional)

With your consent, we use analytics cookies to understand how people use Wenzo so we can improve it. These cookies are only set after you have given explicit consent. You can change your preference at any time through your account settings.

What we do not use

We do not use advertising cookies, tracking pixels, or any third-party cookies that follow you across other websites. We do not participate in any advertising networks or data exchanges.

8. Data security

We take the security of your data seriously and have implemented the following measures:

Encryption in transit -- All data transmitted between your device and our servers is protected by 256-bit TLS encryption. We enforce HTTPS on all connections.
Encryption at rest -- Your data is encrypted at rest on our servers, meaning it remains protected even if physical storage media were compromised.
UK data centres -- All your data is stored in UK-based data centres. Your financial data never leaves the United Kingdom.
Access controls -- Access to your data within our team is strictly limited to those who need it to provide the service, and is protected by multi-factor authentication.
Regular security reviews -- We conduct regular security assessments and keep our systems updated against known vulnerabilities.
Open Banking security -- Bank connections are made through FCA-regulated Open Banking, which means we never see or store your bank login credentials.

If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours, as required by UK GDPR.

9. Children

Wenzo is a business accounting and bookkeeping service. It is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data as soon as reasonably possible. If you believe a child has provided us with personal data, please contact us at [email protected].

10. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make changes:

We will update the "Last updated" date at the top of this page.
For minor changes (such as clarifications), the updated policy will simply be posted on this page.
For significant changes that affect how we use your data, we will notify you by email and display a prominent notice within the Wenzo app before the changes take effect.

We encourage you to review this policy periodically to stay informed about how we protect your data.

11. Complaints

If you are unhappy with how we have handled your personal data, we would like the opportunity to put things right. Please contact us first:

Email: [email protected]

We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection:

Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF