$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →

Who we are

FIT PUP LTD, 3rd Floor, 86-90 Paul Street, London, England, EC2A 4NE (company no. 15766852). Privacy contact: [email protected]. Supervisory authority: the UK Information Commissioner’s Office (ICO), registration ZC064795.

Website and demo requests (we are the controller)

  • What we collect: if you request a demo or contact us, the business-contact details and context you provide, plus the IP address used to complete the anti-bot check (sent to Cloudflare Turnstile to verify the token). The Turnstile anti-bot script loads when the demo page opens — so if you simply visit that page, Cloudflare already receives the request metadata (including your IP) needed to run the check, before and whether or not you submit the form.
  • Why (lawful basis): our legitimate interest (Art. 6(1)(f)) in responding to enquiries and evaluating fit, and consent where you opt in to updates.
  • How it is processed: demo and contact submissions are delivered to us as email through our email provider (Resend, US) and protected by an anti-bot check (Cloudflare Turnstile, US); both are listed on Sub-processors.
  • Retention: our target is to keep demo and enquiry details for no longer than 12 months after our last contact and then delete them; this is a periodic manual review today, not an automated deletion. If you become a customer, the customer agreement governs instead. You can ask us to delete your details sooner at any time.

The product (we are usually the processor)

When a customer uses PayHQ, we process supplier and invoice data on their documented instructions as a processor; the customer is the controller. Those terms are in the Data Processing Agreement.

Some individuals whose data we process — a supplier’s contact, for example — never signed up with us. Under UK GDPR Art. 14, the controller (our customer) is responsible for informing them; we support that and route any request we receive to the relevant controller.

Your rights

For data we hold as a controller, you have the rights of access, rectification, erasure, restriction, and objection under UK GDPR (and portability where it applies). Where we rely on consent — for example, product updates you opt into — you can withdraw it at any time by emailing [email protected]; this does not affect processing carried out before you withdraw. Where we rely on legitimate interests, you may object; we are documenting a legitimate-interests assessment for those cases as part of our compliance work. You may also complain to the ICO at ico.org.uk.

Cookies and similar technologies

Our public website uses only strictly-necessary storage: the anti-bot check (Cloudflare Turnstile) on the demo form, and, in the admin console, your login session. We do not use advertising or third-party analytics cookies. If we ever add anything non-essential, we will ask for your consent first (PECR).

Sub-processors and transfers

We use a small set of sub-processors listed at /trust/subprocessors. Product data is stored in the EU (Hetzner, Finland). Beyond that, the Cloudflare edge (US-established) terminates TLS for all traffic including invoice uploads, and — only where a customer enables them — Resend inbound and the Telegram intake bot can carry invoice content outside the EU (also a connected Microsoft 365 mailbox where an operator enables it; a Google/Gmail connector is planned); and outbound alert emails via Resend (US) plus the optional Telegram alert channel and a customer-configured alert webhook (typically Slack, but the destination is any URL the workspace enters) carry alert metadata only (workspace name, supplier name, amount, reason, the invoice number and its original filename, and a review link — and, for the Resend email alerts, the recipient’s email address). For our own website and demo data, transfers to a US-established provider (Resend, Cloudflare) rely on the UK IDTA / Addendum. Invoice content is not sent to a third-party AI or OCR service — extraction runs on models we host ourselves, and the worker enforces that boundary in code, failing closed unless the endpoint is self-hosted or on our explicit allowlist (which in our own deployment contains only self-hosted hosts).

Breaches and changes

Where we are the controller, we report qualifying personal-data breaches to the ICO within 72 hours. We update this notice as our processing changes and show the review date on every Trust Center page.

Operated by FIT PUP LTD · Company no. 15766852 · ICO ZC064795

Last reviewed 2026-07-13 · Next review by 2026-10-13 · [email protected]