Privacy Policy
Effective: 24 May 2026 · Version 1.0 · England & Wales
1. Who we are
Torbera Ltd (“Torbera”, “we”, “us”, “our”) is a private company limited by shares, incorporated in England and Wales. Our registered office and company number, together with our contact details for data-protection matters, are set out at the end of this policy.
We are the controller of personal data we collect through our marketing website (torbera.com) and the Torbera workspace (app.torbera.com), together the “Services”. Where you use the Services on behalf of an advisor firm or vendor organisation, that organisation is the controller of the deal, customer, commission, and statement data submitted to the Services, and Torbera acts as a processor on its behalf under a written data processing agreement.
2. The personal data we process
We collect and process the following categories of personal data:
- Account data. Your name, email address, mobile telephone number, profile image (if provided), role within your firm, and a hashed identifier issued by Google Identity Platform for authentication.
- Workspace activity. Records of your sign-ins, actions taken (such as locking a commission track or marking a variance), notification preferences, and audit log entries that attribute each material change to a user account.
- Business contact data. Where you submit deal context describing customers, advisors, or vendor contacts, this data may include names and business contact details. This is processed on behalf of your firm.
- Technical data. IP address, approximate location derived from that IP address (used only to pre-select a country dialling code at sign-in), browser type, device identifiers, language, and pages visited.
- Communications. Emails and other messages you send us, and our replies, for support, billing, and feedback purposes.
We do not knowingly collect special category data (Article 9 UK GDPR) or data relating to criminal convictions or offences. Please do not submit such data through the Services.
3. Lawful bases for processing
We rely on the following lawful bases under Article 6 of the UK General Data Protection Regulation:
- Performance of a contract (Art. 6(1)(b)) — to provide the Services to you and your firm, including operating the commission engine, sending you transactional emails, and verifying your identity.
- Legitimate interests (Art. 6(1)(f)) — to keep the Services secure, prevent and detect fraud, monitor performance, improve our product, and conduct business analytics. We have assessed these interests against your rights and freedoms and have concluded that they do not override yours; you may object at any time using the contact details below.
- Legal obligation (Art. 6(1)(c)) — to comply with our obligations under English law, including tax, accounting, anti-money-laundering, and lawful requests from competent authorities.
- Consent (Art. 6(1)(a)) — for non-essential marketing communications and for the placement of non-strictly-necessary cookies. You may withdraw consent at any time, without affecting the lawfulness of processing carried out beforehand.
4. How we use your personal data
We use personal data to:
- create and administer your user account and your firm’s workspace;
- authenticate you, including by SMS one-time password where you choose mobile sign-in;
- operate the commission engine, including generating expectations, matching payments, and flagging variances;
- send transactional notifications you have opted to receive;
- respond to your enquiries and provide customer support;
- monitor, secure, and improve the Services;
- comply with our legal and regulatory obligations.
5. Recipients of personal data
We share personal data with the following categories of recipient, each of whom acts as our processor under a written contract that imposes UK GDPR-equivalent obligations:
- Cloud infrastructure — Google LLC and Google Cloud EMEA Limited, who provide the hosting platform (Cloud Run), database (Cloud SQL), object storage, Identity Platform, and Vertex AI services that power the Services.
- Email and SMS — Identity Platform and connected SMS gateways send authentication codes to your mobile number when you choose mobile sign-in.
- Error reporting and analytics — Sentry (in the UK or EEA) for client and server error monitoring, configured to suppress personal data wherever possible.
- Professional advisers — our solicitors, accountants, and insurers, on a need-to-know basis.
- Competent authorities — where required by law (for example, in response to a court order or a request from HMRC, the ICO, or another public body).
- Successors in interest — in the event of a sale, merger, reorganisation, insolvency, or similar transaction, personal data may be transferred to the acquiring entity, subject to equivalent protections.
6. International transfers
Personal data is primarily processed within the United Kingdom and the European Economic Area. Where personal data is transferred outside the UK to a country not covered by an adequacy regulation, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism, together with such additional safeguards as may be required following a transfer risk assessment.
7. Retention
We retain personal data only for as long as we need it for the purposes set out in this policy, or as required by law. As a guide:
- Account data — for the lifetime of your account, then for up to 24 months after closure for legal and dispute-resolution purposes.
- Workspace activity and audit logs — for at least seven years from the end of the relevant accounting period, to support reconciliation and respond to disputes.
- Email correspondence — for up to six years.
- Server and security logs — for up to 90 days.
At the end of the relevant period we will delete or irreversibly anonymise the data.
8. Your rights
Under the UK GDPR you have the following rights, exercisable free of charge in most circumstances:
- the right of access to a copy of your personal data (Art. 15);
- the right to rectification of inaccurate or incomplete data (Art. 16);
- the right to erasure in certain circumstances (Art. 17);
- the right to restriction of processing (Art. 18);
- the right to data portability (Art. 20) where processing is based on consent or contract and carried out by automated means;
- the right to object to processing based on legitimate interests (Art. 21);
- the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22);
- the right to withdraw consent at any time, where processing is based on consent.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data-protection matters, at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the chance to address your concern before you approach the ICO.
9. Cookies and similar technologies
We use a small number of cookies and similar technologies. Strictly necessary cookies (including the __session authentication cookie) are set without consent because they are required to deliver the Services you have requested. Non-essential cookies (analytics, performance) are set only where you have consented through the cookie banner.
Our use of cookies is governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). You can withdraw consent at any time by clearing cookies in your browser or by adjusting your preferences via the cookie banner.
10. Children
The Services are intended for use by business users aged 18 or over. We do not knowingly collect personal data from children.
11. Security
We maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These include encryption of data in transit and at rest, multi-factor authentication for privileged accounts, least-privilege IAM controls, continuous logging, automated vulnerability scanning, and a documented incident-response process. No system can be perfectly secure, however, and we cannot guarantee absolute security.
12. Changes to this policy
We may update this policy from time to time. We will post the updated version on this page and revise the effective date above. If the changes are material, we will notify you by email or through the Services before the changes take effect.
13. Contact us
For any privacy-related question, request, or complaint, please contact us at:
Torbera Ltd
Attn: Data Protection
[Registered office address]
England, United Kingdom
privacy@torbera.com
Companies House registration number: [to be inserted]. ICO registration number: [to be inserted].