Privacy Policy

Effective Date: 24 March 2026
Last Updated: 30 June 2026

At Built for Small Business ("BFSB", "we", "our", or "us"), protecting your privacy is a core part of how our platform is designed and operated.

We provide tools that help small businesses manage invoicing, payments, payroll, client records, and expense tracking. Because this involves sensitive personal, business, and financial information, we are committed to handling your data responsibly, transparently, and securely.

This Privacy Policy explains what information we collect, why we collect it, how it is used and protected, who we share it with, and the rights you have over your data. By using BFSB, you agree to the practices described in this policy.

1. Who We Are

Business Name: Built for Small Business
Contact Email:[email protected]
Website:https://builtforsmallbusiness.com

BFSB is the data controller responsible for your personal data. We operate in compliance with applicable data protection laws, including the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation (NDPR), and where we process the personal data of individuals located in the United Kingdom or European Economic Area, the UK GDPR and the EU GDPR, respectively.

If you are a UK-based user and wish to raise a concern about how we handle your data, you have the right to contact the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

ICO Registration Number: ZC183462

2. Information We Collect

We collect only the information necessary to provide and improve our services.

When you generate a shared expense link to send to your accountant, we log the IP address, browser type, and timestamp of anyone who views that link or downloads associated files, including bank statements you choose to attach. This applies even if the person accessing the link does not have a BFSB account. We retain these activity logs for 12 months, after which they are automatically deleted.

If you choose to upload a bank statement to share with your accountant, we store the file securely and store a password you set to protect it, using one-way encryption so that the original password cannot be recovered or viewed by BFSB at any time, including by our own staff.

2.1 Account and Identity Information

When you create an account, we collect:

  • Full name
  • Email address
  • Encrypted password
  • Business or company name
  • Country of operation

This information is used to create, authenticate, and manage your account.

2.2 Business, Client, and Operational Data

Depending on how you use BFSB, you may choose to store:

  • Client names, contact details, and invoice history
  • Staff information and employment records
  • Payroll data, including salaries, deductions, and tax information
  • Expense records and supporting documents

This data is entered and controlled entirely by you. We do not use it for advertising, profiling, or resale.

2.3 Financial Information

If you use our invoicing features, you may choose to include bank or payment details on your invoices so that your clients know how to pay you. This information is entered by you, stored as part of your invoice content, and displayed only on the invoices you create. It is treated the same as the other business information you enter.

Payments and Stripe: When you accept payments through the platform, this is handled entirely by Stripe. If you connect a Stripe account to accept invoice payments, Stripe collects and verifies your identity and payout details directly, and processes your clients' payment card details under its own terms. BFSB does not collect, process, or store payment card details, payout bank accounts, or the identity information Stripe verifies during onboarding. Stripe acts as the controller for that information under its own privacy policy at stripe.com/privacy.

We also retain:

  • Invoice and payment records (amounts, dates, status)
  • Transaction history within the platform

Invoice and transaction records are encrypted at rest and in transit.

2.4 Usage and Technical Information

To maintain platform performance and security, we collect limited technical data, including:

  • Device type and browser information
  • IP address
  • Feature usage patterns
  • Login timestamps and activity logs

This information is used to improve reliability, detect misuse, and ensure platform security. It does not expose your private business content.

3. Lawful Basis for Processing

Under UK GDPR and EU GDPR, we are required to identify a lawful basis for each type of personal data processing. We rely on the following:

Processing ActivityLawful Basis
Creating and managing your accountContractual necessity processing is necessary to provide the service you have signed up for
Providing invoicing, payroll, and expense featuresContractual necessity, these are the core features of the platform you have agreed to use
Sending service-related communications (account updates, security alerts)Contractual necessity and Legitimate interests, necessary to maintain a secure and functional service
Sending marketing communications and product updatesConsent: We will only send marketing emails where you have explicitly opted in. You may withdraw consent at any time
Monitoring platform usage and improving performanceLegitimate interests: We have a legitimate interest in maintaining and improving our platform, provided this does not override your privacy rights
Complying with legal obligations (tax records, regulatory requests)Legal obligation where applicable law requires us to retain or disclose data

For users in Nigeria, processing is conducted in accordance with the NDPA 2023, relying on consent, contractual necessity, and legitimate interests as appropriate.

4. How We Use Your Information

We use the information we collect to:

  • Create and manage your BFSB account securely
  • Provide the invoicing, payroll, expense tracking, and client management features you use
  • Process payments and generate accurate financial records
  • Send you important service notifications, security alerts, and account updates
  • Respond to your support requests and enquiries
  • Monitor and improve platform performance and security
  • Comply with applicable legal and regulatory obligations
  • Send you product updates or marketing communications where you have given explicit consent

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.

If you invite an accountant to access your records through our accountant access feature, that accountant can view the categories of data you specifically permit them to see, such as invoices, expenses, payroll, or profit and loss reports. This is a permission you control directly, and it is distinct from how we share data with third-party service providers. The accountant is another user of the BFSB platform, not an external vendor, and their access exists only because you granted it and can be revoked by you at any time, taking effect immediately.

5. Third-Party Processors

We work with a small number of trusted third-party service providers who process data on our behalf. All third-party processors are bound by data processing agreements and are required to handle your data in accordance with applicable data protection laws.

ProcessorPurposeData Shared
StripeSubscription billing, and connecting users to Stripe to accept invoice payments from their own clients (via Stripe Connect) | For subscriptions: your billing information and transaction amounts. For invoice payments, where you connect a Stripe account to accept payments, Stripe collects and verifies your identity and payment information directly under its own terms. BFSB does not collect, process, or store your clients' card details or your Stripe identity verification data. Stripe processes this data under its own privacy policy at stripe.com/privacyPayment card details, transaction amounts, and billing information. Stripe processes this data under its own privacy policy at stripe.com/privacy
Hosting and infrastructure providersSecure server hosting and data storageEncrypted account and platform data
Analytics providersPlatform performance and usage analyticsAnonymised or aggregated usage data only
NamecheapServer hosting and data storage — Phoenix, Arizona, USAEncrypted account and platform data, including user records, invoices, expenses, and payroll data
Cloudflare R2Live file storage, image delivery, content delivery (CDN), and encrypted offsite backupsFiles you upload (such as bank statements, receipts, and business logos) are delivered and stored via Cloudflare R2 and Cloudflare Images, together with encrypted backup archives. Files are encrypted, and Cloudflare cannot access their contents.
MailtrapSending transactional and service emails (account, security, billing) and, where you have opted in, marketing emails | Your name, email address, and the content of the relevant communication. Mailtrap processes this under its own privacy policy at mailtrap.io/privacy-policyYour name and email address, and the content of the relevant communication
Analytics providersPlatform performance and usage analyticsAnonymised or aggregated usage data only

We do not sell your personal data to any third party. We do not share your private business, client, or financial data with third parties for commercial purposes. We do not use any third-party artificial intelligence or content-generation tools to process your personal or business data.

6. Data Hosting and International Transfers

BFSB's primary platform is hosted by Namecheap Inc., a US-based hosting provider, on VPS infrastructure located in Phoenix, Arizona, United States. Files you upload, including bank statements, receipts, and business logos, together with our encrypted backups, are stored using Cloudflare R2 and delivered through Cloudflare's global infrastructure. This means that personal data collected from UK and EEA users is transferred to and stored in the United States and on Cloudflare's infrastructure, which may be located outside the UK and EEA.

We ensure these transfers are lawful by relying on Standard Contractual Clauses (SCCs) as the appropriate safeguard under UK GDPR and EU GDPR. These clauses are incorporated into our agreements with our providers through their Data Processing Addenda, available at:

Your data is encrypted both at rest and in transit. Uploaded files, such as bank statements, are stored in private cloud storage that is not publicly accessible, and bank statement passwords you set are stored using one-way encryption that cannot be reversed or viewed by BFSB.

Backups and disaster recovery: BFSB performs automated daily backups of all platform data. Backups are encrypted and stored offsite on Cloudflare R2 infrastructure, physically separate from the primary hosting environment.

In the event of a personal data breach that is likely to pose a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected users where required, within 72 hours of becoming aware of the breach, in accordance with our obligations under UK GDPR Article 33.

For users in Nigeria, data is processed in accordance with the Nigeria Data Protection Act 2023 (NDPA). Where data is transferred outside Nigeria, appropriate safeguards are in place to ensure equivalent protection.

7. How We Protect Your Data

We implement industry-standard security measures to protect your information:

  • SSL/TLS encryption secures all data transmitted between your browser and our servers
  • AES encryption protects sensitive data stored in our databases at rest
  • Access controls ensure that only authorised systems and personnel can access platform data
  • We regularly review, update, and test our security infrastructure
  • BFSB staff do not access your private business, client, or financial data except where necessary to provide technical support at your request, investigate a security issue, or comply with a legal obligation.

While we take every reasonable precaution to protect your data, no system is completely immune to security risks. In the event of a data breach that is likely to affect your rights and freedoms, we will notify the relevant supervisory authority and you, where required, within 72 hours of becoming aware, in accordance with applicable law.

You can delete any bank statement you have uploaded at any time from your account settings, and the file is permanently removed from our storage at that point. You can revoke a shared expense link or an accountant's access at any time, which immediately prevents any further viewing of your data through that link or by that accountant.

8. Data Retention

We retain these records for 7 years as a conservative standard across all users, which meets or exceeds the minimum retention periods required under UK and Nigerian tax law (5 years for UK sole traders from the relevant filing deadline, 6 years for UK limited companies, and applicable FIRS requirements for Nigerian businesses).

Data TypeRetention Period
Account informationFor the duration of your account, plus 30 days after deletion, to allow recovery
Invoice and financial records7 years from the date of the transaction, to comply with HMRC (UK) and FIRS (Nigeria) requirements
Payroll records7 years from the date of the payroll run, in line with statutory record-keeping obligations
Usage and technical logsUp to 12 months, used for security monitoring and platform improvement
Marketing consent recordsUntil you withdraw consent, plus 12 months thereafter for audit purposes

Upon account deletion, your personal data is securely deleted or anonymised within 30 days, except where longer retention is required by law.

Activity logs associated with shared expense links, including IP addresses and access timestamps, are retained for 12 months from the date of the activity and are then automatically deleted.

9. Cookies

We use cookies to provide a functional and improved experience on our platform.

Essential cookies — required for the platform to function. These cannot be disabled without affecting core features such as login, session management, and security.

Analytics cookies — are used to understand how users interact with our platform so we can improve it. These collect anonymised or aggregated data only.

Preference cookies — used to remember your settings and preferences across sessions.

We do not use advertising or third-party tracking cookies.

You can control or disable non-essential cookies through your browser settings at any time. Please note that disabling certain cookies may affect platform functionality.

For full details of the cookies we use, please see our Cookie Policy.

10. Your Privacy Rights

Depending on your location, you have the following rights over your personal data:

For all users:

  • Right to access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of your data, subject to legal retention requirements
  • Right to restrict processing — request that we limit how we use your data in certain circumstances
  • Right to data portability — request your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

For UK and EU users (additional rights under UK GDPR / EU GDPR):

  • Right to lodge a complaint with a supervisory authority. UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113. EU users may contact their national data protection authority.
  • Right not to be subject to solely automated decisions that produce significant legal effects

For Nigerian users (rights under NDPA 2023):

  • The right to object to processing
  • The right to request deletion
  • The right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.

11. Marketing Communications

We will only send you marketing emails, product updates, or promotional communications where you have explicitly opted in to receive them.

You may withdraw your consent and unsubscribe at any time by:

Withdrawing consent does not affect service-related communications such as security alerts, account notifications, or billing receipts, which are necessary for us to provide the service.

12. Children's Privacy

BFSB is not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at [email protected], and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, features, or applicable law. When we make material changes, we will notify you by email or through a prominent notice on the platform at least 14 days before the changes take effect.

We encourage you to review this policy periodically. The effective date at the top of this page will always reflect the most recent version.

Your continued use of BFSB after changes take effect constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:

Email:[email protected]
Website:https://builtforsmallbusiness.com/contact
Business: Built for Small Business

We aim to respond to all privacy-related enquiries within 5 working days.

This Privacy Policy was last updated on 30 June 2026.

We use cookies to keep the platform running and to understand how it is used.

Essential cookies are always active. Analytics cookies help us improve BFSB you can decline these if you prefer. Cookie Policy