Data Protection & Privacy

Compliance with UK GDPR and the Data Protection Act 2018.

Key Privacy Principles

Controller Status: Nest Finance Ltd is the Data Controller for your account information. Open Banking providers act as independent controllers for the separate banking connection.

Household Privacy: Inviting a partner does not automatically share data. They must accept the invite and provide independent consent before their institutions are connected on Nest.

Zero-Knowledge Vault: Vault entries are encrypted client-side and Nest acts as the Processor for storage. We technically cannot decrypt the content.

No Onward Sale: Nest does not sell your data. Providers accessed through Nest are contractually prohibited from using any data pulled via our application for advertising.

1. Information We Collect

  • Identity data: Name, email, household role.
  • Financial data: Balances, transactions, and holdings pulled via Open Banking (Plaid/TrueLayer).
  • Vault data: Encrypted blobs stored for you; we never inspect the decrypted content.

Lawful Basis for Processing

Under UK GDPR, we process your data under the following legal bases:

  • Performance of Contract: To create your account and provide the dashboard service.
  • Consent: Explicitly obtained before connecting to Open Banking providers (which you can withdraw at any time).
  • Legitimate Interest: To prevent fraud, ensure network security, and improve our services.
  • Legal Obligation: To comply with financial regulations and tax laws where applicable.

Third-Party Processors

Aside from Open Banking providers, we share strictly necessary data with the following categories of service providers:

  • Cloud Hosting & Infrastructure (e.g., AWS/Vercel): to host the application.
  • Transactional Email (e.g., Resend/SendGrid): to send security codes and updates.
  • Analytics (e.g., PostHog): using anonymized data to understand app usage.

2. Your Rights

  • Right to Erasure: Request full account deletion. Vault data deletion is cryptographic and irreversible.
  • Right to Portability: Export your transaction history and net worth logs as CSV anytime.
  • Revocation of Consent: Unlink bank accounts instantly via Settings, and remove household connections individually.
  • Right to Complain: If you believe we have not handled your data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO.

3. Cookies & Communications

Cookies: We use essential cookies to stabilize sessions, remember settings, and keep the UI responsive. No tracking cookies are used for advertising.

Communications: Administrative emails (account, billing, security) are sent from Nest addresses. You control promotional opt-in preferences inside Settings.

4. Data Retention & Security

We retain account data for as long as needed to provide the Service. Vault backups are retained until you delete them. We keep audit logs for troubleshooting and compliance purposes.

We implement industry-standard safeguards (TLS, encryption at rest, SOC 2 controls) and regularly review providers for compliance with GDPR and UK data protection law.

5. International Data Transfers

We store data primarily in the UK/EEA. However, some of our service providers (e.g., cloud infrastructure, email delivery) may process data in the USA. Where this occurs, we ensure protection through UK Government-approved International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs).

6. Contact Us

Data Controller: Nest Finance Ltd

Registered Address: 71-75 Shelton Street, London, WC2H 9JQ

Company Number: [Insert Company Number]

Data Protection Officer: The DPO (contactable via privacy@nestfinance.com)

Email: privacy@nestfinance.com