Data Processing Policy

Last updated 5/11/2026

1. Introduction

This Data Processing Policy defines how Earnly Ltd collects, processes, stores, and protects personal data as part of its platform and services. The policy ensures that all data processing activities are conducted in accordance with applicable data protection legislation, including UK GDPR and the Data Protection Act 2018.

Earnly processes personal and financial data, including transaction data obtained via Open Banking, to deliver its core services such as financial insights, categorisation, and tax-related calculations. Protecting this data is fundamental to maintaining user trust and ensuring regulatory compliance.

 

2. Scope

This policy applies to all personal data processed by Earnly across its systems, applications, and infrastructure. It covers all employees, contractors, and third parties who access or process personal data on behalf of Earnly.

The policy applies across all environments, including development, testing, and production, and covers all stages of the data lifecycle, from collection through to storage, processing, and deletion.

 

3. Roles and Responsibilities

Earnly operates as a Data Controller for its direct users and may act as a Data Processor where it processes data on behalf of partners or third parties.

Responsibility for oversight of data processing activities sits with senior management and technical leadership, who ensure that appropriate controls, policies, and procedures are implemented. All staff are responsible for complying with this policy, handling data appropriately, and reporting any concerns or incidents.

 

4. Lawful Basis and Purpose of Processing

Earnly processes personal data only where there is a valid lawful basis to do so. This includes user consent, contractual necessity, and compliance with legal or regulatory obligations.

Data is processed strictly for defined purposes, including providing financial insights, categorising transactions, calculating tax obligations, and improving platform functionality. Personal data is not used for any unrelated or unauthorised purposes.

 

5. Data Collection and Usage

Earnly collects and processes personal data including user identification details, bank account information, transaction data, and financial records. Data is obtained either directly from the user or via authorised Open Banking connections.

All data collected is limited to what is necessary to deliver the platform’s functionality. Data minimisation principles are applied to ensure that excessive or irrelevant data is not collected or retained.

 

6. Data Storage and Hosting

All systems and data are hosted within secure cloud infrastructure provided by Microsoft Azure. Data is stored in a secure and controlled environment with appropriate safeguards in place to prevent unauthorised access.

Data is encrypted both in transit and at rest using industry-standard protocols, and access to stored data is strictly controlled.

 

7. Access Control

Access to personal data is restricted to authorised individuals based on their role and responsibilities. Earnly follows a least-privilege approach, ensuring that individuals only have access to the data necessary to perform their duties.

Access rights are subject to approval processes, regularly reviewed, and revoked when no longer required.

 

8. Use of Third Parties (Sub-processors)

Earnly may engage third-party providers to support its services, including cloud hosting providers, Open Banking providers, and infrastructure services.

All third parties are subject to due diligence and are required to implement appropriate data protection and security measures. Contracts with third parties include provisions to ensure compliance with data protection requirements.

 

9. Data Transfers

All data transfers are conducted securely using encryption protocols such as TLS. When integrating with third-party services, secure APIs and industry-standard methods are used to ensure the confidentiality and integrity of data.

Cross-border data transfers, where applicable, are conducted in compliance with relevant data protection regulations.

 

10. Data Retention and Deletion

Personal data is retained only for as long as necessary to fulfil its intended purpose and to meet legal or regulatory requirements. Retention periods are defined based on the type of data and its use.

Users have the right to request deletion of their personal data. Such requests are handled in accordance with GDPR requirements, and data is securely deleted or anonymised where appropriate.

 

11. Data Subject Rights

Earnly supports the rights of individuals under data protection law, including the right to access, rectify, erase, restrict processing, and request portability of their data.

Processes are in place to respond to such requests within required timeframes and in accordance with legal obligations.

 

12. Security of Data

Earnly implements appropriate technical and organisational measures to protect personal data from unauthorised access, loss, or misuse. This includes encryption, access controls, monitoring, and secure system design.

Staff are trained on data protection responsibilities, and security awareness is maintained across the organisation.

 

13. Incident Management

Earnly maintains processes to detect, report, and respond to data breaches and security incidents. Incidents are investigated promptly, and appropriate actions are taken to mitigate risks.

Where required, breaches are reported to relevant authorities and affected individuals in line with regulatory obligations.

 

14. Development and Testing Controls

Production data is not used within development or testing environments unless strictly necessary. Where required, data is minimised and appropriate safeguards such as anonymisation or obfuscation are applied.

 

15. Business Continuity and Resilience

Earnly maintains backup and disaster recovery processes to ensure data availability and system resilience. Recovery objectives are defined and reviewed periodically to ensure services can be restored within acceptable timeframes.

 

16. Compliance and Monitoring

Earnly regularly reviews its data processing activities to ensure compliance with legal, regulatory, and internal requirements. Monitoring, audits, and risk assessments are used to maintain and improve data protection practices.

 

17. Review and Maintenance

This policy is reviewed at least annually, or following significant changes to the business, systems, or regulatory environment. Earnly is committed to continuous improvement of its data processing practices.