Privacy Policy

1. Who we are

Flocator ("we", "us", "our") is a UK-based company that provides cash optimisation insights and treasury visibility tools for businesses. We are in the process of applying to the Financial Conduct Authority (FCA) for registration as an appointed agent of an authorised Account Information Service Provider (AISP) under the Payment Services Regulations 2017.

Our Account Information Service is not yet live and will only be made available once we have received the necessary FCA approvals. This privacy policy has been prepared in anticipation of that registration and describes how we will collect, use and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Payment Services Regulations 2017.

2. Data controller

Flocator is the data controller for the personal data described in this policy. Our contact details are:

• Email: flocatorapp@gmail.com
• Postal address: [REGISTERED ADDRESS]
• Data Protection Officer / Contact: [DPO NAME / CONTACT EMAIL]

Once our FCA registration is confirmed, our principal firm will be jointly responsible for ensuring compliance with the Payment Services Regulations 2017. Details of our principal firm will be published here upon approval.

3. Information we collect

We collect the following categories of personal data:

3.1 Information you provide directly

• Contact and identity data: name, email address, company name, job title, phone number
• Business information: company size, approximate cash holdings, industry sector
• Communication data: any information you provide when contacting us or submitting forms

3.2 Payment account data (Account Information Service)

When you use our Account Information Service and provide explicit consent, we access the following data from your payment accounts via secure Open Banking APIs:

• Account details: account name, account number, sort code, account type, currency
• Balance information: current balance, available balance
• Transaction data: transaction history, payment references, dates, amounts, counterparty details
• Account holder information: name and address associated with the account

Important: We access your payment account data on a read-only basis. We cannot and do not initiate payments, move funds, or make any changes to your accounts. Our access is strictly limited to viewing account information.

3.3 Technical data

• Device and usage data: IP address, browser type and version, operating system, time zone, pages visited, time spent on pages
• Cookie data: see Section 10 below

4. How and why we use your information

We process your personal data for the following purposes and on the following lawful bases:

5. Consent for Account Information Services

Before we access any of your payment account data, we will always obtain your explicit consent. This consent is obtained through the following process:

1. You select which bank accounts you wish to connect
2. You are redirected to your bank's secure authentication page
3. You authenticate directly with your bank using Strong Customer Authentication (SCA) — we never see or store your banking login credentials
4. Your bank confirms the connection and grants us read-only access to the agreed account data

You may withdraw your consent at any time by:

• Contacting us at flocatorapp@gmail.com and requesting disconnection
• Revoking access directly through your bank's online banking or app
• Using the account management features within the Flocator platform

Withdrawal of consent will not affect the lawfulness of any processing carried out before you withdrew consent. Upon withdrawal, we will cease accessing your accounts and delete your payment account data in accordance with our retention policy (see Section 7), unless we are required to retain it for legal or regulatory reasons.

Open Banking consent is typically valid for a period of 90 days, after which you will need to re-authenticate with your bank to continue the service. We will notify you before your consent is due to expire.

6. How we share your information

We do not sell your personal data. We may share your information with the following categories of recipients:

• Our principal firm: once our FCA registration is confirmed, our principal firm (as the FCA-authorised firm under whose permissions we will operate) may have access to data as necessary for regulatory compliance and oversight of our account information service activities
• Open Banking infrastructure providers: regulated third parties that facilitate secure API connections between Flocator and your bank (e.g. Open Banking Limited-approved providers)
• Technology service providers: hosting, cloud infrastructure, and analytics providers who assist in delivering our services, all of whom are bound by data processing agreements
• Professional advisers: lawyers, auditors, and accountants where necessary for business operations or legal compliance
• Regulatory bodies: the FCA, the ICO, or other authorities where required by law, regulation, or regulatory investigation
• Law enforcement: where required by law, court order, or legal proceedings

All third parties with whom we share data are required to process it securely and in accordance with applicable data protection law. Where they process data on our behalf, they do so under written data processing agreements that comply with Article 28 UK GDPR.

7. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected. Our specific retention periods are:

• Payment account data (balances and transactions): retained for the duration of your active service, plus up to 6 months after disconnection to allow you to access historical reports. After this period, data is permanently deleted unless regulatory retention applies.
• Contact and business information: retained for the duration of our relationship plus 6 years, in line with standard UK limitation periods and regulatory record-keeping requirements
• Regulatory records: certain records relating to our account information service activities are retained for a minimum of 5 years as required by the Payment Services Regulations 2017
• Technical and analytics data: retained for up to 26 months

If you request deletion of your data, we will action this within 30 days unless we have a legal or regulatory obligation to retain it, in which case we will inform you of the specific retention requirement.

8. Data security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption: all data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
• Secure API access: payment account data is accessed exclusively through regulated Open Banking APIs using secure, authenticated connections. We use eIDAS-qualified certificates as required by the Payment Services Regulations 2017
• No credential storage: we never access, see, or store your bank login credentials. Authentication is handled entirely by your bank via Strong Customer Authentication (SCA)
• Access controls: strict role-based access controls ensure only authorised personnel can access personal data, on a need-to-know basis
• Monitoring and logging: we maintain audit logs of access to payment account data and monitor for suspicious activity
• Incident response: we have documented procedures for detecting, reporting, and responding to personal data breaches in accordance with UK GDPR and FCA requirements

While we take all reasonable precautions, no method of electronic transmission or storage is 100% secure. If you become aware of any security concerns, please contact us immediately.

9. International data transfers

Your personal data is primarily stored and processed within the United Kingdom and European Economic Area (EEA). Where we transfer data outside the UK/EEA (for example, to cloud infrastructure providers), we ensure appropriate safeguards are in place, such as:

• UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs)
• Transfer to countries with an adequacy decision from the UK Secretary of State

You may request further details of the safeguards in place by contacting us.

10. Cookies

Our website uses the following types of cookies:

• Strictly necessary cookies: required for the website to function correctly, including maintaining your session and security. These do not require consent.
• Analytics cookies: used to understand how visitors interact with our website, helping us improve our services. These are only placed with your consent.

You can manage your cookie preferences through your browser settings. Disabling strictly necessary cookies may affect website functionality.

11. Your rights

Under UK data protection law, you have the following rights:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your data (subject to legal and regulatory retention requirements)
• Right to restrict processing: request that we limit how we use your data in certain circumstances
• Right to data portability: receive your data in a structured, commonly used, machine-readable format
• Right to object: object to processing based on legitimate interests or for direct marketing purposes
• Right to withdraw consent: withdraw consent at any time where processing is based on consent (including consent for our Account Information Service)
• Rights related to automated decision-making: we do not currently make any decisions based solely on automated processing that produce legal or similarly significant effects

To exercise any of these rights, please contact us at flocatorapp@gmail.com. We will respond to your request within one month. In complex cases, we may extend this by a further two months, but we will inform you if this is necessary.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been infringed:

• Website: ico.org.uk
• Phone: 0303 123 1113

12. Special category and criminal offence data

We do not intentionally collect or process special category data (e.g. health, racial or ethnic origin, political opinions) or criminal offence data. Payment transaction data may incidentally reveal information about your spending habits, but we do not analyse or use such data to infer any special category information.

13. Children's data

Our services are directed at businesses and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children.

14. Changes to this policy

We may update this privacy policy from time to time. Any material changes will be notified to you via email or a prominent notice on our website. The "last updated" date at the top of this page indicates when the policy was last revised.

15. Contact us

If you have any questions about this privacy policy, wish to exercise your data rights, or have concerns about how we handle your data, please contact us at:

Email: flocatorapp@gmail.com

Postal address: [REGISTERED ADDRESS]

Once our FCA registration is confirmed, contact details for our principal firm will be published here.