Privacy Policy
Effective date: 1 May 2026
1. Who we are
Stalwa (Infosoft Consulting Ltd, company number 07025377, a company registered in England and Wales) is the data controller for personal data collected through the Stalwa service.
We are registered in England and Wales. Our registered address is:
52 Le Marchant Road
Camberley
GU15 1HZ
England, United Kingdom
Privacy enquiries: support@stalwa.com
We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We will update this policy if our regulator registration or public contact details change.
2. What personal data we collect
Data you provide directly
- Account data: email address, full name, and password (stored as a hashed credential via Amazon Cognito — we never see your plain-text password).
- Business profile data: business name, registered address, company or registration number, logo, brand colours, tax identification numbers, and payment terms preferences.
- Invoice and client data: names, addresses, email addresses, and other contact details of your clients that you enter into the Service; invoice line items, amounts, due dates, and payment records.
- AI feature input: descriptive text you type into the AI line item extraction field (Pro/Trial users only).
- Payment data: billing information collected by Stripe (our payment processor). We do not store your full card number, CVV, or bank account details — these are handled directly by Stripe.
- Communications: any messages you send us via email or support channels.
Data collected automatically
- Usage data: pages visited, features used, actions taken, timestamps, and session duration.
- Device and browser data: IP address, browser type and version, operating system, and screen resolution.
- Log data: server logs recording requests, errors, and response times.
Data about your clients (third-party personal data)
When you use Stalwa to manage your clients and invoices, you input personal data about third parties (your clients). You are the data controller for this data. We process it as your data processor, only on your instructions. You must have a lawful basis to store your clients' personal data in Stalwa.
3. How we use your data
| Purpose | Data used | Basis |
|---|---|---|
| Create and manage your Account | Email, name, password | Contract |
| Provide the invoicing Service | Business profile, invoice & client data | Contract |
| Process subscription payments | Account data, billing data (via Stripe) | Contract |
| Send transactional emails (invoice delivery, receipts, password reset) | Email address, invoice data | Contract |
| Trial expiry and billing notifications | Email address, subscription status | Contract |
| Provide AI line item extraction (Pro/Trial) | AI input text | Contract |
| Improve the Service and fix bugs | Usage data, log data | Legitimate interests |
| Analyse usage patterns and feature adoption | Usage data (aggregated and anonymised) | Legitimate interests |
| Security monitoring and fraud prevention | IP address, log data, account data | Legitimate interests |
| Send product updates and marketing emails | Email address | |
| Comply with legal obligations (e.g. tax records) | Billing and account data | Legal obligation |
4. Lawful basis for processing
Under UK GDPR, we must have a lawful basis for processing personal data. We rely on the following bases:
- Contract (Article 6(1)(b)): Processing is necessary to perform our contract with you — i.e., to provide the Service you have signed up for.
- Legitimate interests (Article 6(1)(f)): We process data for purposes such as improving the Service, preventing fraud, and ensuring security. We have assessed that our interests are not overridden by your rights.
- Consent (Article 6(1)(a)): Where we ask for your consent (e.g. for marketing emails), we will ask for this separately and you may withdraw it at any time.
- Legal obligation (Article 6(1)(c)): We may be required to process and retain certain data to comply with legal requirements, such as financial record-keeping laws.
6. AI feature & your data
The AI line item extraction feature (available to Pro and Trial Period users) sends the text you type into the description field to Amazon Bedrock. Bedrock invokes the selected foundation model and returns suggested invoice line items for you to review.
What is sent
Only the text you type into the "Describe your work" field is sent to Bedrock for this feature. We do not intentionally send invoice numbers, client names, client email addresses, payment details, or full invoice records as part of AI requests.
How Amazon Bedrock handles AI requests
Based on AWS's published Bedrock privacy commitments, AWS and third-party model providers do not use Bedrock inputs or outputs to train foundation models, and model providers do not receive access to your prompts or completions through Bedrock. Amazon Bedrock is designed so that the model provider's model is deployed within AWS-controlled Bedrock infrastructure rather than sending your prompts directly to the model provider.
Region and transfer position
We aim to process AI requests in the AWS region configured for the Service where the selected model is available. If a selected model or Bedrock feature requires processing in another supported AWS region, we will rely on AWS's data processing terms and appropriate international transfer safeguards.
We do not train on your data
Stalwa does not use your Content — including AI feature inputs — to train, fine-tune, or improve any AI model.
Your responsibility
Do not include sensitive personal data, bank account details, National Insurance numbers, health information, or confidential third-party information in the AI description field. You are responsible for reviewing and editing AI-generated line items before saving or sending an invoice.
7. International data transfers
We are based in the United Kingdom, but some of the providers we use operate globally. This means personal data may be transferred to, accessed from, or processed in countries outside the UK and EEA.
Where a transfer is a restricted transfer under UK data protection law, we rely on one or more of the following safeguards:
- UK adequacy regulations — where the destination country has been recognised as providing an adequate level of protection;
- International Data Transfer Agreements (IDTAs), the UK Addendum to the EU Standard Contractual Clauses, or other approved contractual safeguards;
- Standard Contractual Clauses (SCCs) used by our service providers for EEA-related transfers; and
- Binding Corporate Rules or equivalent approved safeguards where applicable.
| Provider | Data / service | Transfer position |
|---|---|---|
| AWS | Hosting, storage, authentication, email delivery, logs, and Bedrock AI processing | Primary infrastructure is intended to be hosted in AWS UK/EU regions where configured. Some services, support, model availability, or Bedrock processing may involve other AWS regions. AWS data processing terms and approved transfer safeguards apply where required. |
| Stripe | Payment processing, subscription management, billing, fraud prevention, and receipts | Stripe operates globally, including in the United States. Stripe's data processing terms and transfer safeguards apply where required. |
| Sentry | Error diagnostics and performance monitoring | Data may be processed outside the UK/EEA depending on our Sentry configuration. Sentry's data processing terms and transfer safeguards apply where required. |
8. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account and profile data | Duration of account + up to 30 days after closure | Account recovery period and orderly deletion |
| Invoice and client data | Duration of account + up to 30 days after closure | Service delivery, export period, and account recovery |
| Billing, tax, and accounting records | As long as required by applicable tax, accounting, company, and payment laws — typically up to 6 years from the end of the relevant financial year, or longer where legally required | Legal, tax, accounting, audit, and dispute-resolution obligations |
| Server, security, and diagnostic logs | Usually up to 90 days, unless we need to keep specific logs longer to investigate security incidents, abuse, bugs, or legal disputes | Security monitoring, fraud prevention, debugging, and service reliability |
| AI feature inputs | Not intentionally stored by Stalwa beyond the API request/response, except where captured in temporary operational logs or error diagnostics that we minimise and delete under our log-retention process | Processed to provide the AI feature and operate the Service securely |
| Marketing consent records | Until withdrawn + up to 3 years | Consent audit trail and suppression records |
| Support communications | Up to 3 years from last interaction, unless a longer period is needed for legal claims or dispute resolution | Customer support, quality assurance, and dispute resolution |
After the applicable retention period, data is securely deleted or irreversibly anonymised. Before closing your Account, you should export any invoices, client records, or reports you need to keep for your own legal, tax, or accounting obligations.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, and destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 via AWS);
- Authentication via Amazon Cognito with hashed credential storage;
- Access controls limiting data access to authorised personnel only;
- PDF files stored in private AWS S3 buckets accessible only via time-limited pre-signed URLs;
- Regular security reviews and dependency updates; and
- JWT tokens validated on every API request — we never trust user-supplied identity claims.
No method of data transmission or storage is 100% secure. If you believe your Account has been compromised, contact us immediately at support@stalwa.com.
Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and will notify you without undue delay where required by law.
11. Your rights under UK GDPR
You have the following rights regarding your personal data. To exercise any of them, contact us at support@stalwa.com. We will respond within one calendar month.
Right of access
Request a copy of the personal data we hold about you (a Subject Access Request).
Right to rectification
Ask us to correct inaccurate or incomplete personal data.
Right to erasure
Ask us to delete your personal data, subject to legal retention obligations.
Right to restriction
Ask us to restrict how we process your data in certain circumstances.
Right to portability
Receive your personal data in a structured, machine-readable format.
Right to object
Object to processing based on legitimate interests, including for direct marketing.
Right to withdraw consent
Withdraw consent at any time where processing is based on consent (e.g. marketing emails).
Right to complain
Lodge a complaint with the ICO if you believe we have mishandled your data.
We will not charge for responding to rights requests unless they are manifestly unfounded or excessive.
12. Additional rights by jurisdiction
We serve users in multiple countries. Depending on where you are located, you may have additional privacy rights.
For all jurisdictions, please contact us using the details in Section 15 to exercise your rights. We will endeavour to respond within 30 days.
13. Children's privacy
The Service is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at support@stalwa.com and we will take steps to delete that information.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Effective date" at the top of this page;
- Notify you by email to the address on your Account; and
- Display a notice within the Service.
We encourage you to review this policy periodically. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact us & complaints
For any privacy-related queries, Subject Access Requests, or to exercise your rights, please contact:
Data Controller: Stalwa (Infosoft Consulting Ltd)
52 Le Marchant Road, Camberley, GU15 1HZ, England, United Kingdom
Privacy email: support@stalwa.com
Right to complain to the ICO
If you are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
Australian users
Australian residents may also complain to the Office of the Australian Information Commissioner (OAIC) if they believe we have breached the Australian Privacy Act 1988:
Office of the Australian Information Commissioner (OAIC)
GPO Box 5218, Sydney NSW 2001
Website: oaic.gov.au
Phone: 1300 363 992
Canadian users
Canadian residents may contact the Office of the Privacy Commissioner of Canada (OPC) if they believe we have breached PIPEDA or applicable provincial privacy legislation:
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Website: priv.gc.ca
Phone: 1-800-282-1376
US users (California)
California residents who wish to exercise rights under the CCPA/CPRA, or who believe their rights have not been honoured, may contact the California Attorney General's Office or the California Privacy Protection Agency (CPPA). To exercise your rights directly with us, contact support@stalwa.com.
EU users
If you are located in the European Union, you may lodge a complaint with the data protection supervisory authority in your EU member state. A full list of EU supervisory authorities is available at edpb.europa.eu.
