Apron

Apron Payments Limited – Website & Stakeholder Privacy Notice

Last updated: 11 May 2026

  1. INTRODUCTION & SCOPE

    Apron Payments Limited ("Apron", "we", "us", or "our") is committed to protecting your personal data. This Privacy Notice explains how we collect, use, disclose, process, safeguard and otherwise handle your personal data in compliance with the UK General Data Protection Regulation, the Data Protection Act 2018, and other applicable data protection laws (together, the "Data Protection Laws").

    This Privacy Notice applies to individuals who: (i) are employees, directors, or authorised representatives of our business customers and prospective customers (including where you operate as a sole trader) ("Business Contacts"); (ii) are suppliers, vendors, payees, or employees paid through our payment services ("Payment Recipients"); (iii) are customers of our clients who are invoiced for payment through our services ("Invoiced Parties"); (iv) are issued an Apron expense card by a business customer ("Expense Cardholders"); and (v) browse and interact with our website ("Website Users").

    This Privacy Notice describes:

    1. What personal data we collect;
    2. How we use and share it;
    3. The legal bases for processing;
    4. With whom your personal data may be shared;
    5. How long we keep your data;
    6. Your rights under Data Protection Laws with respect to your personal data; and
    7. How to contact us with questions or concerns.

    OUR ROLE

    APRON AS A CONTROLLER

    As a controller, Apron is responsible for deciding how we hold and use your personal data. If you have any concerns about our use of your personal data or questions about this Privacy Notice, you can contact our Data Protection Officer ("DPO") at dpo@getapron.com.

    APRON AS A PROCESSOR

    For certain services, Apron acts as a data processor on behalf of its business customers, who are the data controllers. This means that where Apron processes your personal data in connection with the following services, it does so on the instructions of the business customer and not for its own purposes:

    1. BillPay — processing payments to suppliers, vendors, and payees on behalf of business customers, including payroll payment services;
    2. GetPaid — processing invoice collection and payment receipt services on behalf of business customers; and
    3. Capture Bookkeeping — processing financial documents and bookkeeping data on behalf of business customers.

    If you are an employee, contractor, director, supplier, or customer of one of Apron's business customers, your personal data may be processed by Apron in its capacity as a processor in connection with one or more of the above services. In these circumstances, the business customer is responsible for the lawful basis on which your personal data is collected and shared with Apron, and for ensuring that you have been provided with appropriate information about how your personal data is used.

    For information about how your personal data is processed and to exercise your data protection rights in connection with these services, you should refer to the privacy notice of the relevant business customer. Apron is not in a position to respond directly to data subject rights requests in relation to processing carried out in its capacity as a processor, and any such requests should be directed to the relevant business customer in the first instance.

  2. INFORMATION WE COLLECT

    BUSINESS CONTACTS

    Category | Examples | Source
    --- | --- | ---
    Identifiers | Name, job title, role | Directly from you or your employer
    Contact Information | Work email, phone number, postal address, company name | Directly from you or your employer
    Identity Verification Data | Government-issued identification documents, biometric data | Directly from you, where required for onboarding and KYC purposes
    Communications Data | Communications you send to us, including related logs and metadata | Directly from you when you contact us by email, phone or through our platform
    Account Data | Login credentials, account preferences, usage and activity on the Apron platform | Directly from you or generated through your use of our services

    Where you operate as a sole trader, in addition to the above, we will also collect:

    Category | Examples | Source
    --- | --- | ---
    Financial Information | Payment card details, bank account details, transaction and spending data | Directly from you or your employer, or generated through your use of our services

    PAYMENT RECIPIENTS

    Category | Examples | Source
    --- | --- | ---
    Identifiers | Name | From invoices or payment instructions provided to Apron by our business customer
    Contact Information | Business email address, business postal address | From invoices or payment instructions provided to Apron by our business customer
    Financial Information | Bank account details | From invoices or payment instructions provided to Apron by our business customer, where the payment recipient is a sole trader
    Transaction Data | Payment records, transaction history | Generated through the processing of payments, where the payment recipient is a sole trader
    Sanctions Screening Data | Sanctions screening results | Generated by Apron in the course of processing payments as required by any financial services regulations that we deem relevant
    Transaction Monitoring Data | AML monitoring records, transaction monitoring flags | Generated by Apron in the course of fulfilling its regulatory obligations as a regulated payment services provider

    INVOICED PARTIES

    Category | Examples | Source
    --- | --- | ---
    Identifiers | Name | From invoices or payment instructions provided to Apron by our business customer
    Contact Information | Business email address, business postal address | From invoices or payment instructions provided to Apron by our business customer
    Financial Information | Bank account details | From invoices or payment instructions provided to Apron by our business customer, where the invoiced party is a sole trader or individual
    Transaction Data | Payment records, transaction history | Generated through the processing of payments, where the payment recipient is a sole trader or individual
    Transaction Monitoring Data | AML monitoring records, transaction monitoring flags | Generated by Apron in the course of fulfilling its regulatory obligations as a regulated payment services provider

    EXPENSE CARDHOLDERS

    Where an Apron expense card is issued to a named individual rather than a department or team, Apron may process the following personal data in connection with that individual's use of the card.

    Category | Examples | Source
    --- | --- | ---
    Identifiers | Name | From our business customer upon card issuance
    Financial Information | Payment card details | Generated by Apron upon card issuance
    Transaction and Spending Data | Merchant details, transaction amounts, spending categories, real-time alerts triggered | Generated through use of the Apron expense card

    WEBSITE USERS

    Category | Examples | Source
    --- | --- | ---
    Identifiers | Name, company name | Directly from you when you use our contact form or sign up for communications
    Contact Information | Email address, phone number | Directly from you when you use our contact form or sign up for communications
    Communications Data | Communications you send to us, including related logs and metadata | Directly from you when you contact us through our website
    Technical Data | IP address, browser type and version, operating system, device ID, mobile network information | Collected automatically when you visit our website
    Usage Data | Content viewed or searched, interaction data (scrolling, clicks and hovers), response times, visit duration and navigation paths | Collected automatically when you visit our website
    Session Metadata | Account creation timestamp, session frequency and time of use | Collected automatically when you visit our website

    We automatically collect Technical Data, Usage Data, and Session Metadata through the use of tracking technologies including cookies. We use cookies to understand site usage, maintain functionality, and improve website performance. You can manage your cookie preferences through the cookie management tool on our website. Please see our Cookie Policy for further details.

  3. HOW WE USE YOUR PERSONAL DATA

    We will only use your personal data for the purposes described below, or for purposes which are reasonably compatible with those described. We will not use your personal data for other purposes without your permission, unless we have a legal right or obligation to do so.

    For ease of reference, we use the following terms throughout this section:

    1. "Service Delivery" means providing, operating, and maintaining the Services, including processing transactions and payments, account setup, access and management, and responding to customer support requests and complaints.
    2. "Regulatory Compliance" means complying with legal and regulatory obligations including anti-money laundering, sanctions screening, transaction monitoring, and FCA record-keeping requirements.
    3. "Fraud and Financial Crime Prevention" means detecting, preventing, and prosecuting fraud, financial crime, and misuse of the Services.
    4. "Legitimate Business Operations" means managing our relationship with you, responding to enquiries and complaints, and communicating updates, notifications, and service-related information.
    5. "Security and IT Management" means protecting and improving the security and performance of our systems, networks, and Services, including through technical logs, usage analytics, and error reporting.
    6. "Marketing and Business Development" means communicating with existing and prospective customers about our Services, including targeting and personalising advertising via trusted third-party platforms.
    7. "AI Development and Service Improvement" means using anonymised and pseudonymised data to train AI models and improve the functionality and performance of our Services.

    BUSINESS CONTACTS

    We will use your personal data for Service Delivery, including to:

    1. Set up and manage your Apron account;
    2. Process your instructions and payment requests;
    3. Provide customer support and respond to your enquiries and complaints; and
    4. Communicate with you about your account and the Services, including sending updates and notifications.

    We will use your personal data for Regulatory Compliance and Fraud and Financial Crime Prevention, including to:

    1. Verify your identity and carry out know-your-customer checks at onboarding and on an ongoing basis;
    2. Screen against applicable sanctions lists;
    3. Monitor transactions for anti-money laundering purposes; and
    4. Retain records as required by FCA regulations and other applicable law.

    We will use your personal data for Legitimate Business Operations and Security and IT Management, including to:

    1. Manage our ongoing relationship with you;
    2. Maintain and improve the security and performance of our systems and Services; and
    3. Carry out analytics and reporting to improve our Services.

    We will use your personal data for Marketing and Business Development, including to:

    1. Communicate with you about Apron's products, services, and updates; and
    2. Target and personalise communications via trusted third-party platforms.

    We will use your personal data for AI Development and Service Improvement, including to:

    1. Use data derived from your use of the Services to train AI models and improve the functionality and performance of our Services.

    PAYMENT RECIPIENTS

    We will use your personal data for Service Delivery, Regulatory Compliance, and Fraud and Financial Crime Prevention, including to:

    1. Process payments to you on behalf of our business customers;
    2. Screen your details against applicable sanctions lists where required by financial services regulations; and
    3. Monitor and retain transaction records for anti-money laundering and FCA record-keeping purposes.

    We will use your personal data for Fraud and Financial Crime Prevention, including to:

    1. Detect and prevent fraudulent payment instructions and financial crime in connection with payments made to you.

    We will use your personal data for AI analysis and AI Development and Service Improvement, including to:

    1. Extract structured data from uploaded documents (e.g., invoices);
    2. Learn from user corrections to improve accuracy; and
    3. Use aggregated anonymised data, derived from use of the Services, to train AI models and improve the functionality and performance of our Services, including in connection with extraction and automation features.

    INVOICED PARTIES

    We will use your personal data for Service Delivery, Regulatory Compliance, and Fraud and Financial Crime Prevention, including to:

    1. Process invoices and payment collection on behalf of our business customers;
    2. Monitor and retain transaction records for anti-money laundering and FCA record-keeping purposes; and
    3. Detect and prevent fraudulent activity in connection with payments processed on your behalf.

    We will use your personal data for AI analysis and AI Development and Service Improvement, including to:

    1. Extract structured data from uploaded documents (e.g., invoices);
    2. Learn from user corrections to improve accuracy; and
    3. Use aggregated anonymised data, derived from use of the Services, to train AI models and improve the functionality and performance of our Services including in connection with extraction and automation features.

    EXPENSE CARDHOLDERS

    We will use your personal data for Service Delivery, including to:

    1. Issue and manage your Apron expense card;
    2. Process your card transactions;
    3. Provide real-time spending alerts and controls to your employer; and
    4. Provide your employer with visibility of spending made using the card.

    We will use your personal data for Regulatory Compliance and Fraud and Financial Crime Prevention, including to:

    1. Monitor transactions for anti-money laundering purposes; and
    2. Retain transaction records as required by FCA regulations and other applicable law.

    We will use your personal data for Security and IT Management and AI Development and Service Improvement, including to:

    1. Maintain and improve the security and performance of our systems; and
    2. Train AI models and improve the functionality and performance of our Services.

    WEBSITE USERS

    We will use your personal data for Service Delivery and Security and IT Management, including to:

    1. Monitor activity on our website to improve accessibility and performance;
    2. Administer and protect our website and systems, including troubleshooting, data analysis, testing, and maintenance; and
    3. Remember your choices and preferences when browsing our website.

    We will use your personal data for Legitimate Business Operations, including to:

    1. Respond to enquiries submitted through our website; and
    2. Manage our relationship with you where you contact us.

    We will use your personal data for Marketing and Business Development, including to:

    1. Communicate with you about Apron's products and services; and
    2. Target and personalise advertising via trusted third-party platforms.

    We will use your personal data for Fraud and Financial Crime Prevention and Security and IT Management, including to:

    1. Detect and prevent fraud, misuse of our website, and security threats; and
    2. Comply with applicable laws and regulations.

    We will use your personal data for AI Development and Service Improvement, including to:

    1. Improve the functionality and performance of our Services.

  4. LAWFUL BASES FOR PROCESSING

    We will only process your personal data for the purposes set out in Section 3 above and to the extent we have a lawful basis under Data Protection Laws. We rely on the following lawful bases:

    1. Contract: To perform a contract to which you are a party, or to take steps at your request prior to entering into a contract. Where our business customer is a sole trader, certain processing of their personal data in connection with Service Delivery is carried out on this basis.
    2. Legal Obligation: To comply with our legal and regulatory obligations, including our obligations as a regulated payment services provider.
    3. Legitimate Interests: For the purposes of our legitimate interests where such interests do not override your fundamental rights and interests.
    4. Consent: Where you have given your specific and informed consent. You may withdraw your consent at any time — see Section 9 for more information about your rights.

    Where we process special categories of personal data (such as biometric data for identity verification purposes), we do so only under strict conditions permitted by Data Protection Laws, primarily where you have provided your explicit consent or where processing is necessary for reasons of substantial public interest, including compliance with our anti-money laundering and financial crime prevention obligations.

    The main legitimate interests on which Apron relies are as follows, being processing necessary for us to:

    1. Carry out Service Delivery in connection with business customers who are not sole traders, including managing accounts, processing payment instructions, and providing customer support;
    2. Carry out Legitimate Business Operations, including managing our ongoing relationships with Business Contacts and communicating service updates and notifications;
    3. Carry out Security and IT Management, including maintaining and securing our systems, website, and Services and protecting against unauthorised access and misuse;
    4. Carry out Fraud and Financial Crime Prevention to the extent not already required by Legal Obligation, including detecting and preventing fraudulent activity and misuse of the Services;
    5. Carry out Marketing and Business Development, including promoting our Services to existing and prospective customers and measuring the reach and effectiveness of our marketing campaigns (to the extent consent is not required);
    6. Carry out AI Development and Service Improvement, including using data to train AI models and improve the functionality and performance of our Services;
    7. Analyse, evaluate, and improve our Services for Website Users and better understand the needs of our business customers;
    8. Inform you of updates to our terms, conditions, and policies;
    9. Protect our legal interests and exercise or defend legal claims; and
    10. Manage mergers, acquisitions, sales, reorganisations, or disposals and integration with any purchaser.

  5. DISCLOSURES OF YOUR PERSONAL DATA

    When we share your personal data with third parties who act as our service providers, we only disclose personal data that is necessary for them to provide their services. We require all such third parties to respect the security of your personal data and to treat it in accordance with applicable law. We do not permit our service providers to use your personal data for their own purposes and only allow them to process it for specified purposes and in accordance with our instructions.

    When we share your personal data with third parties who act as independent controllers of that information, they may disclose or transfer it to other organisations in accordance with their own data protection policies. This does not affect your data subject rights as detailed in Section 9 below. Where you ask us to rectify, erase, or restrict the processing of your personal data, we will take reasonable steps to pass this request on to any such third parties with whom we have shared your personal data.

    For all categories of data subject, we may share your personal data with:

    1. IT and cloud service providers: including database, email, document management, and cloud infrastructure providers to support the effective running of our business and the delivery of our Services;
    2. Customer support providers: including customer support platform providers to enable us to manage and respond to customer enquiries and complaints;
    3. Payment processors and financial services partners: including payment processors, banking partners, and financial infrastructure providers (such as Checkout) to facilitate the processing of payments through our Services;
    4. Analytics and performance providers: including analytics and diagnostic tool providers to help us monitor, improve, and troubleshoot the performance of our Services and website;
    5. Professional service providers: including legal advisers, auditors, accountants, and insurers to enable us to comply with our legal obligations, protect our interests, and operate our business effectively;
    6. Regulators and law enforcement authorities: including the FCA and other public authorities where we are required or permitted to do so by law, including: (a) to comply with legal process; (b) to respond to requests from public and government authorities; (c) to enforce our terms and conditions; (d) to protect our or third party operations, rights, privacy, safety, or property; and (e) to pursue available remedies or limit damages we may sustain; and
    7. Potential buyers or acquirers: in the event of a merger, acquisition, reorganisation, or sale of some or all of our business or assets, your personal data may be transferred to the relevant third party or its advisers as part of that transaction.

    For Business Contacts and Website Users, we may also share limited personal data (such as your business email address and company name) with advertising and social media platforms, including LinkedIn, Google, and Meta, for the purpose of targeting and personalising marketing communications and creating matched audiences to show relevant advertisements. You can object to this use of your personal data at any time by contacting dpo@getapron.com.

    Our website may contain links to third-party websites and embedded features. These third-party sites are governed by their own privacy policies and we are not responsible for their data processing practices. Where appropriate, we have linked to relevant third-party privacy policies in our Terms and Conditions.

    If you connect a Google account (e.g. Gmail), we do not use Google Workspace data (including Gmail message content, metadata, or attachments) or data derived from it to train, fine-tune, or improve any generalised AI/ML models. We use it only to provide and maintain the user-facing functionality you request (e.g. importing invoices/receipts into Apron).

    We may also share your personal data with others where you have given us your consent to do so.

  6. INTERNATIONAL DATA TRANSFERS

    Your personal data is primarily stored and processed in the United Kingdom. Some of our service providers and third-party partners are based outside the UK, and in the course of providing the Services we may transfer your personal data to countries whose laws do not provide the same level of data protection as UK law.

    Where we transfer your personal data outside the UK, we ensure that appropriate safeguards are in place to protect your personal data, including one or more of the following:

    1. the transfer is to a country which has been granted adequacy status by the UK Secretary of State under the UK GDPR;
    2. we have entered into the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses with the recipient; or
    3. another lawful transfer mechanism recognised under UK Data Protection Laws applies.

    Where required, we carry out transfer risk assessments prior to transferring personal data outside the UK to ensure that an equivalent level of protection is maintained.

    You may request further information about the safeguards we have in place for international transfers, including copies of any relevant transfer agreements, by contacting our Data Protection Officer at dpo@getapron.com.

  7. SECURITY

    We have put in place appropriate technical and organisational measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We limit access to your personal data to those employees, agents, contractors, and other third parties who have a legitimate business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.

    We maintain the following administrative, technical, and physical safeguards to protect your personal data:

    1. Encrypted data transmission and storage;
    2. Regular security audits and access reviews;
    3. Two-factor authentication (internally and on Customer accounts) and session controls;
    4. Data minimisation and pseudonymisation where appropriate; and
    5. Ongoing staff training on data protection and information security obligations.

    As a regulated payment services provider, our security measures are designed to meet the requirements of applicable financial services regulations, including those relating to the security of payment transactions and the protection of payment card data.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach where we are legally required to do so.

    Despite our best efforts, no online system is completely secure. If you suspect that the security of your personal data has been compromised, please contact us immediately at dpo@getapron.com.

  8. RETENTION PERIOD

    We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected and processed, as outlined in this Privacy Notice, including to satisfy our legal and regulatory obligations, resolve disputes, and enforce our terms and conditions.

    FCA-REGULATED ACTIVITIES

    As a regulated payment services provider, Apron is subject to specific record-keeping requirements under applicable financial services regulations. For personal data processed in connection with our regulated activities — including transaction records, AML monitoring records, sanctions screening results, and KYC documentation — we retain personal data for a minimum of five years from the date of the relevant transaction or the end of our relationship with you, whichever is later, or such longer period as may be required by applicable financial services regulations.

    ALL OTHER PERSONAL DATA

    For personal data processed in connection with our other activities, we retain your personal data for as long as is necessary for the relevant purpose, and in any event for no longer than five years following the end of our relationship with you or your last interaction with us, unless a longer retention period is required or permitted by law.

    The exceptions to the above retention periods are where:

    1. The law requires us to hold your personal data for a longer period, or to delete it sooner;
    2. You exercise your right to have your personal data erased and we are not required or permitted to retain it under applicable law — note that for data retained to meet our FCA and regulatory obligations, we may not be able to comply with an erasure request until the applicable retention period has expired;
    3. You exercise your right to require us to retain your personal data for a period longer than our standard retention period; or
    4. We bring or defend legal claims or other proceedings during the retention period, in which case we will retain your personal data until those proceedings have concluded and no further appeals are possible.

    After the applicable retention period has expired, your personal data will be securely deleted or anonymised. Where data is anonymised, it may be retained and used for analytical, research, or service improvement purposes, including AI development, as it will no longer constitute personal data.

  9. YOUR PRIVACY RIGHTS

    Under Data Protection Laws, you have the following rights in relation to your personal data:

    1. Right of Access: you have the right to request a copy of the personal data we hold about you and information about how we process it.
    2. Right to Rectification: you have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
    3. Right to Erasure: you have the right to request that we delete your personal data where there is no longer a lawful basis for us to process it. Please note that this right is not absolute and we may be required to retain certain personal data to comply with our legal and regulatory obligations, including our FCA record-keeping requirements. See Section 8 for further information.
    4. Right to Restriction of Processing: you have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or object to our processing of it.
    5. Right to Data Portability: where we process your personal data on the basis of your consent or in performance of a contract, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to request that we transfer it to another organisation where technically feasible.
    6. Right to Object: you have the right to object to our processing of your personal data where we rely on legitimate interests as our lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds for the processing which override your rights and interests.
    7. Right to Object to Direct Marketing: you have the right to object to the processing of your personal data for direct marketing purposes at any time. To opt out, click "unsubscribe" in any marketing email or contact us at dpo@getapron.com. Where you object, we will immediately cease sending you marketing communications and may retain your contact details on a suppression list to ensure you are not contacted again.
    8. Rights in relation to Automated Decision-Making: you have the right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects concerning you. Where we carry out any such automated decision-making, we will inform you and provide you with the opportunity to request human review of the decision.
    9. Right to Withdraw Consent: where we rely on your consent as the lawful basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.

    HOW TO EXERCISE YOUR RIGHTS

    To exercise any of the above rights, please contact our Data Protection Officer at dpo@getapron.com. We will respond to your request within one month of receipt, though this period may be extended by a further two months where your request is complex or where we receive a high volume of requests, in which case we will notify you accordingly.

    We may need to verify your identity before responding to your request. We will not charge a fee for handling your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to respond.

    RIGHT TO LODGE A COMPLAINT

    If you have concerns about how we handle your personal data and are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters:

    1. Website: www.ico.org.uk
    2. Telephone: 0303 123 1113

  10. UPDATES TO THIS PRIVACY NOTICE

    We may update this Privacy Notice from time to time.

    1. For material changes (affecting your rights or how we use your data), we will use reasonable efforts to notify you clearly and, if required, seek your consent.
    2. The "Last Updated" date shows the latest revision.