Privacy Policy

How we handle your data at Plutus

Last updated: 24 May 2026

The short version

We know privacy policies can be long. Here are the key things you should know:

  • You choose how your data gets into Plutus — enter transactions manually or optionally connect your bank accounts via open banking. We never store your bank login details or banking access tokens.
  • We never sell your personal or financial data to anyone.
  • Payments are handled by Stripe, our payment processor. We never see or store your full card details.
  • Your data is encrypted in transit and at rest, including full-disk encryption on our database server.
  • You can export or delete your data at any time.
  • We do not use automated decision-making or profiling that produces legal or similarly significant effects.

1. What This Policy Covers

This Privacy Policy explains how Telotek Ltd, trading as Plutus Finance ("Plutus", "we", "us", or "our"), collects, uses, shares, and protects your information when you use our website, web application, and related services (collectively, the "Service").

Telotek Ltd is the data controller responsible for your personal data. Our registered address is 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.

By using Plutus, you agree to the collection and use of information as described in this policy. If you do not agree with any part of this policy, please do not use our Service.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and a securely hashed version of your password. If you sign in with Google, we receive your name, email address, and profile picture from your Google account. We never store your Google password. If you enable two-factor authentication, we store the encrypted TOTP secret associated with your authenticator app.

Financial Data

Plutus supports two ways of managing your financial data: manual entry and optional bank account connections.

Manual entry. You can enter all transactions, budgets, categories, and account balances directly. No bank connection is required to use Plutus.

Bank connections (optional). If you choose to connect a bank account, we use FCA-regulated open banking providers to securely retrieve your account balances and transaction history. When you connect an account:

  • Your banking credentials are entered directly into your bank's secure authentication flow — Plutus never sees or stores your bank login details
  • We receive read-only access to your account balances and transaction data via the open banking provider
  • We store the transaction data and balances provided in order to deliver the Service
  • You can disconnect a linked account at any time from within Plutus
  • Open banking consent is time-limited (typically 90 days) and you will be prompted to re-authorise when it expires

By connecting a bank account, you acknowledge that the open banking provider's privacy policy applies to their handling of your data during the connection process. All financial data — whether entered manually or imported via open banking — is stored securely and is only accessible to you (and any workspace members you choose to share it with).

Workspace Data

If you create or join a workspace, we store membership information, roles, and shared financial data associated with that workspace. All members of a workspace can see the shared budgets and transactions within it.

Usage Data

We collect information about how you interact with Plutus, including the features you use, pages you visit, actions you take, and the time and frequency of your activity. This helps us understand how people use Plutus and where we can improve.

Device & Technical Data

When you access Plutus, we automatically collect certain technical information, such as your IP address, browser type and version, operating system, device type, screen resolution, and referring URL.

Payment Data

Payments for Plutus are processed by Stripe, our payment processor. Stripe handles all payment processing, tax calculation, and invoicing. We receive your subscription status, plan details, and billing country from Stripe, but we never see or store your full credit card number, bank account details, or other sensitive payment information.

Communications

If you contact us for support, send us feedback, or respond to our emails, we collect the content of those communications along with your email address and any other information you choose to provide.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Plutus service
  • Process your subscription payments through Stripe
  • Send transactional emails such as password resets, billing receipts, and account notifications
  • Send marketing and onboarding emails where you have opted in to receive them (you can unsubscribe at any time using the link in any marketing email)
  • Provide customer support and respond to your requests
  • Send product updates, tips, and in-app notifications (which you can control via notification preferences in your settings). Security alerts and billing notifications are always sent regardless of your preferences.
  • Analyse usage patterns to improve features and user experience
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations and enforce our terms of service

We will not use your financial data — whether entered manually or imported via open banking — for any purpose other than providing you with the Plutus service. We do not use your data to build advertising profiles or serve ads.

5. How We Share Your Information

Service Providers and Partners

We work with trusted third-party services to operate Plutus. These providers operate under different legal and regulatory frameworks. Where a provider acts as a data processor on our behalf, they are bound by data processing agreements (DPAs). Some providers have independent regulatory obligations (noted below):

  • Stripe — Payment processing and invoicing. Your primary contracting party is Stripe Payments Europe Limited (Ireland). Stripe is PCI-DSS certified and processes payment data under its own regulatory obligations. Where Stripe transfers data to Stripe, LLC in the United States, that transfer relies on Stripe's certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, with EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as a contractual fallback.
  • Finexer Ltd — Open Banking (Account Information Services) provider, authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (Firm Reference Number: 925695) as an Authorised Payment Institution to provide account information services and payment initiation services. Telotek Ltd, the company that operates Plutus Finance, is registered on the FCA Register as an appointed agent of Finexer Ltd. Finexer processes bank account identifiers, account holder names, and transaction data. UK-based; no international transfer of personal data is required.
  • Hetzner — Server and database hosting (Nuremberg, Germany — within the EEA). No international transfer of personal data is required.
  • Cloudflare — Content delivery, DDoS protection, and DNS. Cloudflare, Inc. is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Transfers from the UK/EEA to the United States rely on these frameworks, with EU SCCs and the UK International Data Transfer Addendum as a contractual fallback.
  • Resend — Transactional email delivery. Plus Five Five, Inc. (trading as Resend) is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Transfers from the UK/EEA to the United States rely on these frameworks, with EU SCCs and the UK International Data Transfer Addendum as a contractual fallback.
  • Sentry — Error monitoring and performance tracking (technical data only, not financial data). Sentry data is stored in the EU. Functional Software, Inc. (trading as Sentry) is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Where operational or support access occurs from the United States, the transfer relies on these frameworks, with EU SCCs and the UK International Data Transfer Addendum as a contractual fallback.
  • PostHog — Product analytics, feature flags, and session replay. PostHog collects usage data (page views, feature interactions, clicks) to help us understand how people use Plutus and improve the product. Session replay is enabled with all text, form inputs, and financial data masked by default. PostHog data at rest is stored in the EU (PostHog EU Cloud). PostHog Inc. is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Where operational or support access occurs from the United States, the transfer relies on these frameworks, with EU SCCs (Module 2) and the UK International Data Transfer Addendum as a contractual fallback.
  • Axiom — Log management and monitoring. Axiom receives application and system logs for operational monitoring and security alerting. Logs may contain technical data such as IP addresses, user identifiers, request paths, error messages, and timestamps but do not contain financial data. Log data is retained for 30 days. Data at rest is stored in the EU (Frankfurt). Axiom, Inc. is not certified under the Data Privacy Framework. Transfers from the UK/EEA to the United States are covered by EU Standard Contractual Clauses (Module 2) and the UK International Data Transfer Addendum. A Transfer Impact Assessment has been completed for this processor.
  • Loops — Marketing and onboarding email delivery. Loops (operated by Astrodon Corporation) processes recipient email addresses and message content. Astrodon Corporation is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Transfers from the UK/EEA to the United States rely on these frameworks, with EU SCCs and the UK International Data Transfer Addendum as a contractual fallback.
  • Crisp — In-app live chat support. When you use the chat widget, Crisp receives your name, email address, and the messages you send. Crisp does not receive your financial data. Crisp data is stored in the EU (Netherlands and Germany).

When bank sync is enabled, your open banking connection is provided through Finexer Ltd, which is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (Firm Reference Number: 925695) as an Authorised Payment Institution to provide account information services and payment initiation services. Telotek Ltd, the company that operates Plutus Finance (company number 17050370, registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ), is registered on the FCA Register as an appointed agent of Finexer Ltd. Finexer provides you with regulated account information services through Telotek Ltd as its agent, retrieving your account balances and transaction data from your bank to display them within Plutus. Finexer accesses your banking data only with your explicit consent, in accordance with open banking regulations, and processes it within the United Kingdom.

Workspace Members

If you belong to a shared workspace in Plutus, other members of that workspace can see shared budgets, transactions, and categories. Your personal account details (such as your email or password) are never shared with other workspace members.

Legal Requirements

We may disclose your information if required to do so by law or if we believe in good faith that such action is necessary to comply with a legal obligation, protect and defend our rights or property, prevent fraud, or protect the personal safety of users or the public.

Business Transfers

If Plutus is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

We Never Sell Your Data

To be completely clear: we do not sell, rent, or trade your personal information or financial data to third parties. Ever.

6. Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures to protect it:

  • All data is encrypted in transit using TLS/SSL
  • Database storage is protected by full-disk encryption (LUKS2/AES-XTS)
  • Banking connections use consent-based access through FCA-authorised providers — no banking credentials or access tokens are stored by Plutus
  • Passwords are securely hashed and never stored in plain text
  • Two-factor authentication (2FA) is available for your account, using time-based one-time passwords (TOTP)
  • We use secure, HTTP-only cookies for session management
  • Access to production systems is restricted and monitored
  • We regularly review and update our security practices

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to keeping your data as safe as reasonably possible.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide you with the Service.

If you choose to delete your account, we will remove your personal data and financial records within 30 days. Some information may be retained for longer if necessary to comply with legal obligations, resolve disputes, or enforce our agreements.

Anonymised, aggregated data that cannot be used to identify you may be retained indefinitely for analytical and product improvement purposes.

8. Cookies & Tracking

Essential Cookies

We use essential cookies to keep you signed in and to maintain your session. These cookies are strictly necessary for Plutus to function and cannot be disabled:

  • plutus.session_token — Stores your authentication session token. HTTP-only, secure, same-site. Expires when you sign out or after 7 days of inactivity.
  • plutus.session_data — Caches session data to reduce database lookups. HTTP-only, secure, same-site. Refreshed every 5 minutes, cleared on sign out.

Additional cookies may be set temporarily during two-factor authentication flows.

Error & Performance Monitoring

We use Sentry solely for error and performance monitoring — not for advertising or behavioural analytics. Sentry collects technical information about errors you may encounter (such as stack traces, browser type, and the page URL) to help us identify and fix issues. This data does not include your financial information. Sentry data is stored in the EU.

Sentry Session Replay is enabled to help us understand and reproduce errors. A small percentage of sessions (10%) is recorded, as is every session in which an error occurs. Session replays capture page interactions (clicks, scrolls, navigation), but all text, form inputs, and sensitive content are masked by default, so no financial data, passwords, or personal information is visible in replays. Sentry may set cookies to track error and replay sessions.

Product Analytics

We use PostHog for product analytics to understand how people use Plutus and to improve the product. PostHog collects usage data such as page views, feature interactions, and clicks. PostHog session replay is enabled for a small percentage of sessions to help us understand user journeys and identify usability issues — all text, form inputs, and financial data are masked by default. No financial data, passwords, or personal information is visible in replays. PostHog may set cookies to track analytics sessions. PostHog data is stored in the EU.

Live Chat Support

We use Crisp for in-app live chat support. When you use the chat widget, Crisp sets a session cookie to maintain your conversation. This cookie is functional (not used for analytics or advertising) and expires after 6 months, renewed on each visit. If you do not start a conversation, the session expires after 30 minutes. Crisp data is stored in the EU (Netherlands and Germany). Your IP address is stored server-side for active conversations as required by applicable law.

What We Do Not Use

We do not use cookies for advertising purposes. We do not use third-party advertising or cross-site behavioural analytics services (such as Google Analytics). We do not allow third-party advertising networks to set cookies through our Service. Sentry and PostHog are used exclusively for technical monitoring and product analytics as described above.

Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing ones. Please note that disabling essential cookies may prevent you from using certain features of Plutus.

9. Your Rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Ask us to correct any inaccurate or incomplete data
  • Deletion — Request that we delete your account and personal data
  • Export — Download your data in a portable format (CSV export is available within the app)
  • Withdraw consent — Where processing is based on consent (such as bank connections or marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing
  • Restrict processing — Ask us to limit how we use your data in certain circumstances
  • Object — Object to our processing of your data where we rely on legitimate interests
  • Data portability — Receive your personal data in a structured, commonly used, and machine-readable format

Right to Complain

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office

Website: ico.org.uk/make-a-complaint

Telephone: 0303 123 1113

For EEA Residents

If you are located in the European Economic Area, you have equivalent rights under the EU GDPR and may lodge a complaint with your local data protection authority.

For Other Jurisdictions

If you are located in another jurisdiction with data protection laws, you may have similar rights under your local laws. This includes, but is not limited to, residents of California (CCPA/CPRA), Canada (PIPEDA), Australia (Privacy Act 1988), and Brazil (LGPD). We are committed to honouring those rights. Please contact us at privacy@plutusfinance.app if you have questions about how your local laws apply to your use of Plutus.

To exercise any of these rights, please contact us at privacy@plutusfinance.app. We will respond to your request within 30 days.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, providing details of the breach, its likely consequences, and the measures we have taken or propose to take to address it.

11. Children's Privacy

Plutus is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child under 18, we will take steps to delete that information as quickly as possible. If you believe a child has provided us with their data, please contact us at privacy@plutusfinance.app.

12. International Data Transfers

Plutus is operated from the United Kingdom. Our primary database and application server are hosted by Hetzner in Nuremberg, Germany. Error monitoring (Sentry), product analytics (PostHog), and log management (Axiom) data at rest is stored in the EU. These intra-UK/EEA transfers are permitted under the UK-EU adequacy decision.

Several of our service providers are incorporated in the United States and may access personal data from outside the UK and EEA for operational purposes. Where your data is transferred to the United States, we rely on one or more of the following safeguards:

  • EU-U.S. Data Privacy Framework and UK Extension. Where a US provider is certified under the EU-U.S. Data Privacy Framework (DPF) and its UK Extension, we rely on that certification as the primary transfer mechanism. The following processors hold active DPF certifications: Stripe, LLC; Cloudflare, Inc.; Functional Software, Inc. (Sentry); PostHog Inc.; Plus Five Five, Inc. (Resend); and Astrodon Corporation (Loops). Certification status can be verified on the Data Privacy Framework participant register.
  • Standard Contractual Clauses. All US processors are also bound by the European Commission's Standard Contractual Clauses (SCCs, Module 2: controller-to-processor) and the UK International Data Transfer Addendum, which apply as a contractual fallback in the event that the DPF certification is invalidated or withdrawn.
  • Transfer Impact Assessments. For processors that are not DPF-certified (currently Axiom, Inc.), we have completed a Transfer Impact Assessment to evaluate the legal framework in the destination country and confirm that the SCCs provide adequate protection.

UK-based processors (Finexer Ltd) and EU-based processors (Hetzner, Crisp) do not require an international transfer mechanism. Transfers between the UK and EEA are covered by the UK-EU adequacy decision.

13. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Features such as budget alerts, transaction categorisation, and spending summaries are tools to help you manage your finances — they do not make decisions about you or restrict your access to services.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting a notice within the Plutus app or by sending you an email.

We encourage you to review this policy periodically. Your continued use of Plutus after any changes indicates your acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please get in touch:

Email: privacy@plutusfinance.app

Data Controller: Telotek Ltd

Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

We aim to respond to all enquiries within 30 days.