Privacy policy

Fiscyn is operated by the company shown in the site footer (for example “Fiscyn Ltd”). For UK data protection law, that company is the “controller” of personal data described here — meaning we decide why and how it is used for the Fiscyn service.

Privacy questions or requests: hello@fiscyn.com or the contact form at fiscyn.com.

This policy applies to the Fiscyn website, web app, and related services we provide. It covers your account and the information you store in the product.

If you enter tenant, adviser, or client details about other people, you are usually the controller for that information and must have a lawful reason to hold it. We process it on your instructions to run the service — see section 10.

We collect the following types of information:

We use personal data to:

We rely on different legal bases depending on the activity:

Contract — processing needed to provide the service you signed up for (account, storing your records, billing Pro).

Legitimate interests — keeping the service secure, minimal first-party analytics to understand usage, and communicating about important service changes, balanced against your rights.

Consent — optional analytics cookies in Google Analytics. You can refuse and still use Fiscyn.

Legal obligation — where we must retain or disclose information to comply with law.

We do not sell, rent, or trade your personal information to data brokers or list providers.

We only share data with service providers who help us run Fiscyn (see section 7), when you connect a third-party integration, or when the law requires it.

We use carefully chosen suppliers (“processors”) who handle data on our behalf and only for the purposes below:

Some suppliers may process data outside the UK (for example in the United States or EU). Where that happens, we use appropriate safeguards such as UK adequacy regulations, standard contractual clauses, or equivalent protections required by law.

Google, Stripe, and other major providers publish their own data processing terms.

Essential cookies and local storage are used for sign-in, security, and remembering your cookie choice. These are required for the app to work.

Optional analytics cookies are used only if you click “Accept analytics” on the cookie banner. We use Google Consent Mode so Google does not receive analytics storage until you allow it. We do not use advertising cookies.

Change your choice anytime via Cookie settings in the footer.

Whether or not you accept analytics cookies, we record some events on our own servers — for example sign-up, login, and checkout started — together with any marketing src/cta you arrived with. This helps us understand if features work and which pages lead to sign-up.

These logs are not sold and are not sent to Google when you choose Essential only.

If you store tenant names, emails, or phone numbers in Fiscyn, you are responsible for telling tenants how their data is used and having a lawful basis (for example managing a tenancy).

We act as a processor for that information: we store and display it so you can manage your properties, and we protect it with the same security as the rest of the service.

We do not store your HMRC Government Gateway password. HMRC connection uses OAuth tokens you can revoke.

Open Banking uses regulated access tokens via TrueLayer. We receive transaction data your bank agrees to share for the accounts you link.

You control these connections in settings and can disconnect them.

We keep your account and product data while your account is active and for a reasonable period afterwards so you can reactivate or export records, unless you ask us to delete it sooner or we must keep it longer by law.

Server and security logs are kept for a limited period (typically months, not years) unless needed for an incident investigation.

First-party marketing and product event logs in our audit store are kept for analysis windows described in the app (for example rolling 30–90 day summaries) and then age out.

Google Analytics retention follows the settings in our Google Analytics property and Google’s policies.

Stripe retains payment records according to its legal and accounting obligations.

Under UK data protection law you have rights including access, correction, deletion, restriction, objection, and data portability where they apply.

To exercise these rights, email us at the address above. We may need to verify your identity. We will respond within one month in most cases.

You can complain to the Information Commissioner’s Office (ICO) at ico.org.uk if you are unhappy with how we handle your data — though we hope you will contact us first so we can help.

We use industry-standard measures including encryption in transit (HTTPS), access controls, and secure cloud infrastructure. No online service can guarantee perfect security, but we work to protect your account and content.

Keep your password safe and tell us promptly if you suspect unauthorised access.

Fiscyn is for adults managing property or trade income. It is not directed at under-18s and we do not knowingly collect children’s personal data.

We may update this policy from time to time. The “Last updated” date will change. Significant changes will be highlighted on the website or by email where appropriate.

See also our Terms of service for the contract between us when you use Fiscyn.