Privacy Policy
Last updated: 27 January 2026
1. Introduction
Eris AI Limited, trading as Bosh (“Bosh”, “we”, “us”, or “our”), is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use the Bosh mobile application and website (together, the “Service”).
Eris AI Limited is a company registered in England and Wales (Company No. 16897305) with its registered office at Cuthberts Cottage, Netherton Park, Northumberland NE61 6EG. We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
We collect the following categories of personal data:
2.1 Account Information
- Full name
- Email address
- Phone number
- Date of birth
- Unique Taxpayer Reference (UTR)
- National Insurance number
- Business trading name and address
2.2 Financial Data
- Bank transaction data (obtained via Open Banking - see Section 5)
- Income and expense records
- Tax calculations, estimates, and submission history
- Payment and subscription information (processed by Stripe)
2.3 HMRC Data
- HMRC Making Tax Digital (MTD) obligations, submissions, and confirmation receipts
- Self Assessment tax return data
- HMRC authentication credentials (used solely to submit on your behalf and not stored in plain text)
2.4 Technical Data
- Device type, operating system, and app version
- IP address
- Usage analytics and crash reports
- Cookies and similar technologies (see Section 10)
3. How We Use Your Data
We use your personal data to:
- Provide and maintain the Service, including tax calculations and HMRC submissions
- Retrieve and categorise your bank transactions via Open Banking
- Generate tax estimates and reports
- Submit tax returns and MTD updates to HMRC on your behalf
- Process subscription payments
- Send service notifications, deadline reminders, and important updates
- Improve the Service through aggregated, anonymised analytics
- Comply with legal and regulatory obligations
- Respond to your support requests
4. Legal Basis for Processing
Under Article 6 of the UK GDPR, we process your personal data on the following legal bases:
- Contract (Art. 6(1)(b)): Processing is necessary to perform our contract with you - i.e. to provide the Bosh Service, including retrieving transactions, categorising expenses, calculating tax, and submitting returns to HMRC.
- Consent (Art. 6(1)(a)): Where you give explicit consent, such as authorising Open Banking access to your bank accounts or opting in to marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): Where processing is necessary to comply with a legal obligation, such as anti-money laundering regulations or HMRC requirements.
- Legitimate interests (Art. 6(1)(f)): Where processing is necessary for our legitimate interests, such as improving the Service, preventing fraud, and ensuring security, provided these interests are not overridden by your rights.
5. Open Banking Data
We use Finexer Ltd as our Open Banking provider to retrieve your bank transaction data. Finexer Ltd is authorised and regulated by the Financial Conduct Authority (FCA) as an Account Information Service Provider (AISP) under firm reference number 925695.
When you connect your bank account through Bosh:
- You are redirected to your bank’s own authentication screen to authorise access - we never see your bank login credentials.
- Finexer retrieves your transaction data on a read-only basis. Neither Bosh nor Finexer can move money or make payments from your account.
- Your consent is valid for up to 90 days, after which you will be asked to re-authorise access in accordance with FCA regulations.
- You can revoke Open Banking access at any time through the Bosh app or directly through your bank.
Finexer processes your data in accordance with its own privacy policy and FCA regulatory requirements. Bosh only uses the transaction data retrieved through Finexer for the purposes described in this Privacy Policy.
6. HMRC Making Tax Digital
Bosh is recognised by HMRC as compatible software for Making Tax Digital (MTD) for Income Tax Self Assessment. When you use Bosh to interact with HMRC:
- We use HMRC’s official APIs to submit your tax data directly and securely.
- Authentication with HMRC is handled through HMRC’s Government Gateway - we do not store your Government Gateway password.
- Submission data and confirmation receipts are stored securely in your Bosh account for your records.
- You are responsible for reviewing and confirming the accuracy of all data before submission (see our Terms & Conditions).
7. Data Sharing
We do not sell your personal data. We share your data only with the following categories of third parties, and only to the extent necessary:
- Finexer Ltd - Our Open Banking provider (FCA firm ref 925695), to retrieve your bank transaction data with your consent.
- HMRC - To submit tax returns, MTD updates, and related obligations on your behalf.
- Stripe, Inc. - Our payment processor, to handle subscription billing securely. Stripe is PCI DSS Level 1 certified. We do not store your full card details.
- Google Cloud / Firebase - Our cloud infrastructure provider, for secure data storage, authentication, and analytics.
We may also share data where required by law, regulation, or legal process, or to protect the rights, property, or safety of Bosh, our users, or the public.
8. Data Retention
We retain your personal data as follows:
- Account data: Retained for as long as your account is active, plus 7 years after account closure (to comply with HMRC record-keeping requirements).
- Tax submission data: Retained for a minimum of 7 years from the end of the relevant tax year, as required by HMRC.
- Bank transaction data: Retained for as long as your account is active. Upon account deletion, transaction data is deleted within 90 days, except where retention is required by law.
- Payment data: Stripe retains payment records in accordance with its own retention policies and legal obligations.
- Technical and analytics data: Retained for up to 26 months, then anonymised or deleted.
9. International Transfers
Your data is primarily stored and processed within the United Kingdom and European Economic Area. However, some of our service providers operate internationally:
- Google Cloud: Data may be processed in data centres outside the UK, including in the United States. Google has implemented appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office and International Data Transfer Agreement (IDTA) addenda.
- Stripe: Payment data may be processed in the United States. Stripe complies with the UK-US Data Bridge and has implemented SCCs and additional technical safeguards.
Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place as required by the UK GDPR, including adequacy decisions, Standard Contractual Clauses, or other approved mechanisms.
10. Cookies
Our website uses cookies and similar technologies to provide functionality and improve your experience. We use:
- Strictly necessary cookies: Required for the website to function (e.g. session management). These do not require consent.
- Analytics cookies: To understand how visitors interact with our website. These are only set with your consent.
You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our website.
11. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request that we correct inaccurate or incomplete personal data.
- Right to erasure: You may request that we delete your personal data, subject to legal retention requirements (e.g. HMRC 7-year retention).
- Right to restrict processing: You may request that we limit how we use your data in certain circumstances.
- Right to data portability: You may request a copy of your data in a structured, machine-readable format.
- Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at hello@bosh.tax. We will respond within one month, as required by law.
12. Data Security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure authentication and access controls
- Regular security audits and vulnerability assessments
- Staff training on data protection
- Incident response procedures in line with UK GDPR breach notification requirements
13. Children’s Privacy
The Bosh Service is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected data from someone under 18, we will take steps to delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app, by email, or by posting a prominent notice on our website. We encourage you to review this page periodically.
15. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please contact us:
- Email: hello@bosh.tax
- Telephone: 07739 343 903
- Postal address: Eris AI Limited, Cuthberts Cottage, Netherton Park, Northumberland NE61 6EG
16. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first so we can try to resolve your concerns directly.