Effective: 1 June 2025 · Last updated: 1 June 2025
Hidbrain Ltd is registered with the UK Information Commissioner's Office (ICO) as a data controller, registration number ZA853964. Registered in England & Wales, Company No. 12170656.
This Privacy Policy explains how Hidbrain Ltd (“we”, “us”, “our”) — the company behind SpendToScope — collects, uses, stores and shares your personal data when you visit our website or use our platform. It applies to all users of the SpendToScope service.
We are the data controller for personal data we collect about you directly. Where we process personal data contained within your organisation's ERP or accounting system, we act as your data processor under a Data Processing Agreement — see Section 14 and our standalone Data Processing Agreement.
We take our obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR) seriously.
Hidbrain Ltd, registered in England & Wales (Company No. 12170656).
ICO registration number: ZA853964
Data protection enquiries: privacy@spendtoscope.com
We have assessed whether a Data Protection Officer (DPO) is required. As we do not carry out large-scale systematic monitoring of individuals or large-scale processing of special category data, appointment of a DPO is not currently mandatory. Data protection queries are handled by our designated data protection contact at the address above.
Account information: when you create an account, we collect your name, work email address, company name, job title (if provided), and login credentials (stored as a secure hash, never in plain text).
SpendToScope connects to your accounting system (Xero, QuickBooks Online, or others) via OAuth 2.0 to read your chart of accounts, supplier records, invoices and line-item descriptions. This is necessary to calculate your organisation's carbon emissions. We request read-only access and never write to, modify or delete records in your ERP.
Your ERP data may contain personal data about your suppliers, employees or contractors. When processing that data we act as your data processor; you remain the data controller. Please see our Data Processing Agreement for full Article 28 UK GDPR terms.
We collect server logs including IP address, browser type and version, pages visited, time stamps and referring URLs. This data is used solely to operate and improve the platform.
Subscription payments are processed by our payment provider. We store only billing name, address, last four digits of card and payment status. We do not store full card numbers or bank details on our systems.
If you contact us by email or through the platform, we retain records of that correspondence, including any personal data you provide.
We do not knowingly collect special category personal data (health, biometric, racial or ethnic origin, religious beliefs, etc.) or data about children under 18. The Service is intended for business use only and is not directed at consumers or minors.
We process your personal data on the following legal bases under UK GDPR Article 6:
| Purpose | Legal basis |
|---|---|
| Providing and operating the SpendToScope platform | Contract performance (Art. 6(1)(b)) |
| Processing ERP data to calculate carbon emissions | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (invoices, security alerts, account notices) | Contract performance (Art. 6(1)(b)) |
| Improving and developing platform features | Legitimate interests — improving our service (Art. 6(1)(f))* |
| Detecting and preventing fraud and security incidents | Legitimate interests — protecting our systems and users (Art. 6(1)(f))* |
| Maintaining usage logs and analytics | Legitimate interests — service performance and security (Art. 6(1)(f))* |
| Retaining financial and transactional records | Legal obligation — UK tax and company law (Art. 6(1)(c)) |
| Sending optional marketing communications | Consent (Art. 6(1)(a)) — you may withdraw at any time |
* Where we rely on legitimate interests we have conducted a Legitimate Interests Assessment (LIA) balancing our interests against the impact on your rights. Copies of our LIAs are available on request.
We do not sell your personal data. We do not use your ERP or financial data to train machine learning models outside the scope of your own account.
We share personal data only with trusted sub-processors under written data processing agreements. Our current sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Cloud database, authentication and row-level security | EU (Ireland) |
| Vercel | Platform hosting, edge functions and CDN | Global (EU primary) |
| Climatiq | Emission factor data API — no personal data shared | EU |
| Stripe Inc. | Subscription billing and card processing | US (EU SCCs / UK IDTA) |
| Resend Inc. | Transactional and support emails | US (EU SCCs / UK IDTA) |
We may also disclose personal data when required by law, a court order, regulatory authority, or to protect the rights, property or safety of Hidbrain Ltd, our users or the public (see Section 11).
We endeavour to store and process data within the UK and EU. Where personal data is transferred outside the UK to countries without an adequacy decision, we rely on UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) as approved transfer mechanisms. Details of the safeguards applicable to each transfer are available on request.
We apply the principle of storage limitation — we retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Our retention periods are:
| Category | Retention period | Reason |
|---|---|---|
| Account and identity data | Duration of subscription + 6 years after termination | UK limitation period for contract claims |
| ERP-sourced invoice and financial data | Duration of subscription + 6 years after termination | HMRC / Companies Act 2006 accounting records requirement |
| Carbon calculation outputs | Duration of subscription + 6 years after termination | Audit trail integrity |
| Payment and billing records | 7 years from transaction | HMRC VAT and accounting obligation |
| Usage and server logs | 12 months from creation | Security monitoring and incident investigation |
| Support correspondence | 3 years from last interaction | Resolving disputes and quality assurance |
| Marketing consent records | Until consent withdrawn + 12 months | Demonstrating compliance with PECR / UK GDPR |
When a retention period expires, data is securely deleted or anonymised. You may request early deletion of your personal data subject to our legal retention obligations (see Section 9).
As a UK data subject you have the following rights. To exercise any of them, contact us at privacy@spendtoscope.com. We will respond within one calendar month (extendable by two further months for complex requests, with notice).
| Right | What it means |
|---|---|
| Right of access (Art. 15) | Receive a copy of the personal data we hold about you and information about how we use it. |
| Right to rectification (Art. 16) | Ask us to correct inaccurate or incomplete personal data. |
| Right to erasure / "right to be forgotten" (Art. 17) | Request deletion of your personal data. We will comply unless we have a legal obligation or legitimate reason to retain it. |
| Right to restrict processing (Art. 18) | Ask us to limit how we process your data in certain circumstances (e.g. while a dispute is resolved). |
| Right to data portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller, where technically feasible. |
| Right to object (Art. 21) | Object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests. |
| Rights in relation to automated decision-making (Art. 22) | We do not make solely automated decisions that produce legal or similarly significant effects on you. If this changes, we will update this policy and obtain consent. |
| Right to withdraw consent | Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. |
If you are unsatisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We implement technical and organisational measures appropriate to the risk, including:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where the risk is high, as required by UK GDPR Articles 33 and 34.
We use cookies and similar technologies in accordance with PECR. Cookies on the SpendToScope platform fall into the following categories:
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Session authentication, CSRF protection, security tokens | No — essential for the service to function |
| Analytics | Understanding how users navigate the platform to improve it | Yes — placed only after you consent via our cookie banner |
| Marketing / advertising | We do not use these | N/A |
You can manage or withdraw cookie consent at any time through the cookie settings banner, or via your browser settings. Withdrawing analytics consent will not affect your ability to use the platform.
We may disclose personal data to law enforcement agencies, courts, regulators or other public authorities where we are required or permitted to do so by applicable law, without notifying you where doing so would prejudice the investigation or be otherwise prohibited. We will only disclose the minimum data necessary to comply with the legal obligation.
We may send you marketing communications about SpendToScope in the following circumstances:
We do not use automated profiling to target marketing. You may withdraw consent or opt out of soft opt-in marketing at any time.
SpendToScope is a business-to-business service intended solely for use by individuals acting on behalf of a business or organisation. It is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@spendtoscope.com and we will delete it promptly.
When you use SpendToScope to process invoices and ERP data that contains personal data about your suppliers, employees or contractors, Hidbrain Ltd acts as your data processor and you act as the data controller for that personal data.
Our full Data Processing Agreement (DPA) — which satisfies the requirements of UK GDPR Article 28 — is incorporated by reference into our Terms of Service and applies automatically when you subscribe to SpendToScope. You do not need to sign a separate document; acceptance of our Terms of Service constitutes acceptance of the DPA.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. For material changes, we will notify registered account holders by email at least 30 days before the change takes effect. The “Last updated” date at the top of this page will always reflect the most recent version. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
For any privacy-related questions, requests or complaints:
Email: privacy@spendtoscope.com
Legal queries: legal@spendtoscope.com
Hidbrain Ltd, Registered in England & Wales (Company No. 12170656)
ICO Registration: ZA853964
If you are not satisfied with how we handle your complaint, you may contact the ICO at ico.org.uk or call 0303 123 1113.
This policy is governed by the laws of England & Wales. Hidbrain Ltd is registered in England & Wales (Company No. 12170656). ICO registration: ZA853964.