Privacy Policy
This Privacy Policy explains how Fiskl Limited (“Fiskl”, “we”, “us”, “our”) collects, uses, shares, and protects information when you use the Fiskl Platforms, including FisklAI (the end-user accounting platform), Fiskl Atlas (the accountant practice-management platform), Fiskl Orbit (the multi-entity consolidation platform), Fi (Fiskl’s conversational AI and orchestration system), the A2A Gateway (the agent-to-agent infrastructure platform), the website (fiskl.com), the web application, mobile and desktop applications, and related services (collectively, the “Fiskl Platforms”).
It applies to:
- Customers who hold an account with Fiskl;
- Authorized Users invited to a Customer’s account;
- Atlas Firms using the accountant portal;
- Visitors to fiskl.com and our other websites;
- Data Subjects whose information appears in Customer Data (the Customer’s customers, vendors, employees, and contractors); and
- anyone else who interacts with Fiskl.
This Privacy Policy is incorporated into the Customer Terms of Service. Definitions used in the Customer Terms apply here unless otherwise stated.
Global scope. Fiskl operates a global Service across 200+ jurisdictions. This Privacy Policy is designed to provide a single, coherent description of our data practices that complies with applicable data protection laws worldwide, including but not limited to:
- United Kingdom (UK GDPR, Data Protection Act 2018);
- European Economic Area (EU GDPR, ePrivacy Directive);
- United States — all states in which Fiskl serves Customers and the District of Columbia. As of the Effective Date this includes the comprehensive privacy laws of California (CCPA / CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Maryland (MDPA), Minnesota (MNCDPA), Rhode Island (DTPPA), Kentucky (KCDPA), Nebraska (NDPA), and other state privacy laws as enacted from time to time; the Washington My Health My Data Act (MHMDA) and Nevada SB 370 in respect of consumer health data; and sectoral and federal laws including HIPAA (where applicable per Customer-Specific Supplement section 3), GLBA (where applicable), FERPA, and equivalent;
- Canada (PIPEDA federally, Quebec’s Law 25, and provincial laws);
- Brazil (LGPD);
- Australia (Privacy Act 1988 and the Australian Privacy Principles);
- New Zealand (Privacy Act 2020);
- Singapore (PDPA);
- Japan (APPI);
- South Korea (PIPA);
- South Africa (POPIA);
- Mexico (LFPDPPP);
- India (DPDP Act);
- United Arab Emirates (Federal PDPL; DIFC and ADGM data protection regulations);
- Saudi Arabia (PDPL);
- Turkey (KVKK);
- Switzerland (FADP);
- and other applicable laws in countries where the Fiskl Platforms are used.
Where a specific national or regional law grants you rights or imposes obligations on Fiskl beyond those set out in this Privacy Policy, those rights and obligations apply in addition to (and where stricter, in place of) the general provisions of this Privacy Policy. Section 18 contains jurisdiction-specific notices for selected regions.
1. Who is the controller of your data
The “Fiskl Group” means Fiskl Limited and its current and future direct and indirect Affiliates worldwide engaged in providing or supporting the Fiskl Platforms.
Within the Fiskl Group, the entity that controls or processes your personal data depends on your location and the context of the processing:
- Fiskl Limited, a company incorporated in England and Wales (company number 09330290), registered at 6A Thirlmere Road, London, N10 2DN, United Kingdom — current Contracting Fiskl Entity for customers globally and Data Importer under cross-border transfer mechanisms;
- Fiskl, Inc. (or another Fiskl Group entity formed in the United States) — once incorporated, the Contracting Fiskl Entity for US-domiciled customers and a member of the Fiskl Group acting as Sub-processor for other regions;
- other Fiskl Group entities formed in future for specific regions, on the same basis.
The current list of Fiskl Group entities is published at https://fiskl.com/legal/fiskl-group/ once published, or available on request to dpo@fiskl.com.
References in this Privacy Policy to “Fiskl”, “we”, “us”, and “our” mean the relevant Fiskl Group entity that is processing your personal data in the relevant context.
For data protection purposes, our role depends on what data is involved:
| Data category | Fiskl’s role |
| --- | --- |
| Customer Data submitted by a Customer or its Authorized Users (e.g. invoices, transactions, banking data, client and vendor records, attachments) | Processor acting on the instructions of the Customer (who is the Controller) |
| Account information of the Customer and its Authorized Users (registration details, billing data, login credentials, role, plan) | Controller |
| Usage data, telemetry, device data, log data, cookies, analytics | Controller |
| Aggregated and de-identified data derived from the Fiskl Platforms | Controller, where any residual personal-data character remains |
| Data of visitors to fiskl.com | Controller |
For Customer Data we process as a Processor, the terms of our Data Processing Addendum (DPA) govern that relationship.
Our Data Protection Officer can be contacted at dpo@fiskl.com.
2. Information we collect
2.1 Customer Data
Customer Data is the information a Customer or its Authorized Users submit to or generate within the Fiskl Platforms. This includes:
- Invoices, quotes, and customer records;
- Expense records, bills, and vendor records;
- Bank transactions, balances, and account metadata imported via banking integrations;
- Payment processor data imported via Stripe and other payment integrations;
- Time and mileage tracking entries;
- Journal entries, chart of accounts data, and accounting records;
- Tax records and tax authority registration data;
- Documents, attachments, and receipts uploaded to the Fiskl Platforms;
- Inputs and outputs of conversations with Fi, and other AI-processed and AI-interpreted data Fi handles on your instruction;
- Configuration, preferences, and settings within the Customer’s account.
2.2 Account information
Account information is data about a Customer or Authorized User as a holder of an account. This includes:
- Name, business name, business registration number, and tax identification numbers;
- Email address, phone number, postal address;
- Login credentials (passwords are stored hashed; we never receive bank login credentials);
- Role and permissions within the account;
- Subscription plan, billing currency, and Atlas branch where applicable;
- Payment method information, processed by our payment partner (Stripe). We do not store full card numbers.
2.3 Usage data and telemetry
Usage data describes how the Fiskl Platforms are used. This includes:
- Pages, features, and screens accessed within the Fiskl Platforms;
- Actions taken (invoices created, reports run, AI queries submitted, integrations connected);
- Click and scroll behaviour within the application;
- Device type, operating system, browser, screen resolution, language, time zone;
- IP address (used for security, fraud prevention, and approximate geolocation);
- Application logs, crash reports, performance traces;
- Cookies and similar identifiers (see the Cookie Policy);
- AI interaction metadata (request count, latency, error rates).
2.4 Banking integration data
When a Customer connects a bank, payment processor, or other financial account, we receive transaction data, balances, and account metadata via our banking partners (Yodlee, Salt Edge, Stripe, WIO Bank, and others as listed in the Subprocessors page). Login credentials to the financial institution are handled by the relevant banking partner under their direct relationship with the Customer. Fiskl never sees, stores, or has access to those credentials.
2.5 Communications with Fiskl
When you contact us by email, in-app chat, or other channels, we receive your communications and any information you choose to share, including support requests, feedback, and questions for Fi.
2.6 Information about Data Subjects in Customer Data
Customer Data submitted by a Customer often includes personal data of other natural persons — the Customer’s own customers, vendors, employees, contractors, and other individuals (collectively, “Data Subjects”). This data may include name, contact details, payment details, banking information relevant to a transaction, and other information necessary to invoice, pay, or account for a transaction.
Fiskl processes Data Subjects’ personal data on the instructions of the Customer (who is the Controller), unless otherwise stated in this Privacy Policy.
2.7 Information from third parties
We may receive information about you from:
- Banking partners delivering transaction data to your account;
- Payment processors (such as Stripe) confirming payment status;
- Identity verification or fraud-prevention services (where used);
- Public information, such as company registers and tax authority public databases;
- Marketing partners and advertising networks for visitors to fiskl.com;
- Atlas firms who invite a client into the platform.
3. How we use information
We use the information described in section 2 for the purposes set out below. The legal basis under UK GDPR / EU GDPR for each purpose is identified in section 4.
3.1 To provide the Fiskl Platforms
We use Customer Data and Account information to deliver the Fiskl Platforms, process transactions, run reports, deliver AI features, sync banking data, send invoices, accept payments, and otherwise perform the Customer Terms.
3.2 To operate Fiskl as a business
We use Account information, Usage data, and other operational data to administer accounts, bill Customers, enforce the Customer Terms, prevent fraud and abuse, ensure security and integrity, comply with law, and manage corporate matters.
3.3 To improve the Fiskl Platforms and develop new products
We use Customer Data, Aggregated Data, and Usage data to improve features, fix defects, develop new features and products, conduct research, and produce statistical reporting on the Fiskl Platforms. This includes the AI training and Data Product activities described in sections 3.4 and 3.5.
3.4 To train, fine-tune, and evaluate AI models
We use Customer Data and Aggregated Data to train, fine-tune, evaluate, refine, and improve:
- Fiskl’s own AI models, including Fi and any future Fiskl AI features and products;
- AI models that are owned by, exclusively licensed to, or developed for the exclusive use of Fiskl (“Fiskl-Exclusive Models”), where Fiskl engages an AI Provider, research partner, or other third party to build them.
We do not provide raw Customer Data to third-party AI developers for training of those third parties’ general-purpose AI models. Where third-party AI Providers receive data from Fiskl, that data is either Aggregated Data, or it relates to a Fiskl-Exclusive Model.
When we use AI Providers (such as model and inference providers) to deliver AI features to you, we contract with them on terms that prohibit the AI Provider from using Customer Data to train their own general-purpose models, prohibit unnecessary retention, and prohibit onward disclosure.
3.5 To develop and operate Data Products
We use Customer Data and Aggregated Data to develop, operate, market, license, and sell Data Products as defined in the Customer Terms — including industry benchmarking, market intelligence, credit and lending insight products, analytics, AI-powered services for banks and financial institutions, regulatory and compliance products, embeddings and trained model artefacts, data feeds and APIs, and research outputs. Data Products are developed using Aggregated Data unless they are Fiskl-Exclusive Models built on Customer Data.
3.6 To communicate with you
We use Account information and Usage data to send Service-related communications (security alerts, billing notifications, feature updates), to respond to support requests, and — where you have opted in or where law allows — to send marketing communications about Fiskl products and partner offers.
3.7 To meet legal and regulatory obligations
We use information as needed to comply with applicable law, respond to legal requests, exercise or defend legal claims, and meet regulatory or audit obligations.
3.8 To detect and prevent fraud, abuse, and harm
We use information to detect, prevent, and respond to fraud, security incidents, abuse of the Fiskl Platforms, and risks to Customers, Authorized Users, Data Subjects, Fiskl, or third parties.
4. Legal bases for processing
Where the law of your jurisdiction requires a legal basis for processing personal data (such as UK GDPR, EU GDPR, LGPD in Brazil, POPIA in South Africa, and similar regimes), we rely on the bases set out in the table below. Where we rely on legitimate interests (or its functional equivalent under non-EU law), we have conducted a Legitimate Interests Assessment (LIA) and balanced our interests against the rights and freedoms of data subjects. You can request a summary of the relevant LIA by contacting dpo@fiskl.com.
The table references UK GDPR / EU GDPR Article numbers because they are the most widely-recognised reference framework. The same purposes are supported under equivalent provisions in LGPD, POPIA, PIPEDA, and other regimes (including consent, performance of contract, legal obligation, legitimate interests, and similar bases).
| Purpose | Legal basis |
| --- | --- |
| Providing the Fiskl Platforms to a Customer | Performance of a contract (Article 6(1)(b)) |
| Customer billing and payment | Performance of a contract (Article 6(1)(b)) |
| Account creation and management | Performance of a contract (Article 6(1)(b)) |
| Service improvement and product development | Legitimate interests (Article 6(1)(f)) |
| AI model training and fine-tuning (Fiskl and Fiskl-Exclusive Models) | Legitimate interests (Article 6(1)(f)), with right to object |
| Development and operation of Data Products | Legitimate interests (Article 6(1)(f)), with right to object |
| Use of Aggregated Data (no longer personal data once de-identified) | Falls outside UK GDPR / EU GDPR once anonymised |
| Special category data (health, biometric, religious, etc.) used for AI training or Data Products | Explicit consent (Article 9(2)(a)) |
| Direct marketing to existing customers | Legitimate interests (Article 6(1)(f)), with opt-out |
| Direct marketing to non-customers | Consent (Article 6(1)(a)) |
| Fraud prevention, security, abuse detection | Legitimate interests (Article 6(1)(f)) |
| Compliance with law and legal claims | Legal obligation (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)) |
For our processing of Data Subjects’ personal data on behalf of a Customer (Customer Data), the Customer is the Controller and is responsible for ensuring there is a valid legal basis for that processing.
You have the right to object to processing based on legitimate interests. See section 8.
5. AI training, Data Products, and your data
This section explains in plain English what Fiskl does and does not do with your data in connection with AI and data monetisation.
What Fiskl does:
- Trains Fi and other Fiskl AI models on Customer Data.
- Engages selected AI Providers and research partners to build AI models that are owned by, exclusively licensed to, or developed for Fiskl, using Customer Data.
- Calls third-party AI inference providers (such as large language model providers) to deliver AI features to you, on contracts that prohibit those providers from training their own general-purpose models on your Customer Data.
- Generates Aggregated Data — irreversibly de-identified, anonymised, or statistical data — from Customer Data and Service usage.
- Uses Aggregated Data to develop, market, license, and sell Data Products to third parties (including banks, lenders, fintechs, regulators, and other businesses).
- Treats Aggregated Data and AI models trained on Customer Data as Fiskl assets.

What Fiskl does not do:
- Sell raw Customer Data.
- Share raw Customer Data with third-party AI developers so they can train their general-purpose AI models.
- Use special category data (health, biometric, religious or philosophical belief, sexual orientation, ethnic origin, trade union membership) for AI training or Data Products without explicit consent.
- Train AI models on a Customer’s data in ways that would expose that Customer’s information to other Customers in their use of Fi.

Your controls:
- Opt-out from AI training and Data Products — you can opt your Customer Data out of use for AI training and Data Products in your Account settings, where required by data protection law. The opt-out is forward-looking and does not require Fiskl to delete or retrain models that have already been built using your data prior to your opt-out.
- Special category data — excluded by default, with an opt-in mechanism for explicit consent if needed for a specific use case.
- Atlas firms — accounting firms using Atlas have additional controls over AI training and Data Product use of their clients’ Customer Data, set out in the Atlas Terms Supplement.
- Right to object — under UK GDPR / EU GDPR Article 21, you may object to processing based on legitimate interests. Fiskl will assess the request and respond in accordance with the law.
6. How we share information
We share information only in the circumstances described below.
6.1 With Subprocessors
We use third-party Subprocessors to deliver the Fiskl Platforms, including infrastructure providers (AWS, Google Cloud), banking integration partners (Yodlee, Salt Edge, WIO Bank), payment processors (Stripe), AI Providers, communications providers (SendGrid, Twilio), analytics providers, customer-support tools, and others. The current list is at https://fiskl.com/legal/fiskl-subprocessors/. Subprocessors process information only on Fiskl’s instructions and on contractual terms aligned with this Privacy Policy and the DPA.
6.2 With banking and payment partners
When a Customer connects a banking integration or payment processor, the Customer’s data flows between the Customer, Fiskl, and the relevant partner. The partner’s own privacy policy governs the partner’s processing of that data.
6.3 With Atlas firms and accountants
Where a Customer is connected with an Atlas firm or accountant, the firm or accountant has access to the Customer’s data based on the connection level chosen by the Customer. Atlas firm access is governed by the Atlas Terms Supplement.
6.4 With other Authorized Users and Customers in shared contexts
Information appears within the Customer’s account based on the role and permissions configured by the Customer.
6.5 With Data Product purchasers and partners
We share Aggregated Data and Fiskl-Exclusive Model outputs with third parties as part of Data Products, on the basis described in section 3.5. Aggregated Data shared in this way is de-identified and is not, in our reasonable assessment, capable of re-identification to you, your Authorized Users, or Data Subjects.
6.6 With professional advisers
We share information with our auditors, lawyers, accountants, insurers, and similar advisers under confidentiality obligations.
6.7 In a corporate transaction
If Fiskl is involved in a merger, acquisition, financing, restructuring, sale of business, or insolvency event, information may be transferred to a counterparty, prospective counterparty, or successor entity, subject to confidentiality protections.
6.8 To comply with law
We share information where required by law, court order, or regulatory authority, or where we believe disclosure is necessary to protect rights, property, or safety of Fiskl, our Customers, Data Subjects, or others.
6.9 With your consent
We share information at your direction or with your consent.
We do not sell Customer Data. References to selling, licensing, or sharing of Aggregated Data and Data Products in this Privacy Policy and the Customer Terms relate exclusively to data that has been de-identified or that constitutes outputs of Fiskl-Exclusive Models, in accordance with section 5.
7. International transfers
Fiskl is established in the United Kingdom. Subprocessors and Service infrastructure are located in multiple jurisdictions, including the United States, the European Economic Area, the United Kingdom, the United Arab Emirates, Canada, and other countries. Customer Data may be processed in any of these jurisdictions in connection with the Fiskl Platforms.
We use lawful cross-border transfer mechanisms appropriate to the source jurisdiction:
Transfers from the UK:
- UK International Data Transfer Agreement (IDTA);
- UK Addendum to the EU Standard Contractual Clauses;
- Adequacy decisions (e.g. UK adequacy regulations).

Transfers from the EEA:
- EU Standard Contractual Clauses in their then-current form;
- Adequacy decisions of the European Commission;
- Other Article 46 GDPR safeguards as applicable.

Transfers from Switzerland:
- Swiss-equivalent Standard Contractual Clauses recognised by the FDPIC.

Transfers from Brazil (LGPD):
- ANPD-approved standard contractual clauses, adequacy decisions, or Customer consent as applicable.

Transfers from other jurisdictions:
- We rely on the lawful transfer mechanisms recognised in each source jurisdiction, including consent, contractual safeguards, binding corporate rules, adequacy decisions, and other mechanisms applicable under PIPEDA, the Australian Privacy Principles, Singapore PDPA, UAE PDPL, POPIA, India DPDP Act, and equivalent laws.
Supplementary measures. Where required by supervisory authority guidance (such as the Schrems II framework in the EEA), we apply additional technical, organisational, and contractual measures to ensure equivalent protection during transfer.
Data residency. Certain banking integration data is subject to data residency requirements imposed by banking regulators (for example, banking data sourced through WIO Bank for UAE customers, or US-sourced banking data). We design the Fiskl Platforms to comply with such residency obligations where applicable.
Copies of the relevant transfer mechanisms are available on request to dpo@fiskl.com or as part of our DPA.
8. Your rights
Subject to applicable law, you have rights in respect of your personal data. Where Fiskl is the Controller, you can exercise these rights with us directly. Where Fiskl is the Processor (for Customer Data on a Customer’s instructions), please contact the Customer first, and Fiskl will assist the Customer in responding.
The rights described below are not exhaustive. Where the law of your jurisdiction grants additional or different rights, those rights apply.
8.1 UK and EEA (UK GDPR, EU GDPR)
- Right of access;
- Right to rectification;
- Right to erasure (“right to be forgotten”);
- Right to restriction of processing;
- Right to data portability;
- Right to object — including to processing based on legitimate interests, AI training, and Data Products;
- Right to withdraw consent;
- Right not to be subject to solely automated decision-making with legal or similarly significant effects;
- Right to lodge a complaint with a supervisory authority.
8.2 United States (CCPA / CPRA and other state privacy laws)
You have rights under the comprehensive privacy law of your state of residence. The exact rights vary by state but include the following (provided in California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, Kentucky, Nebraska, and other state privacy laws as enacted):
- Right to know what personal information is collected, used, shared, sold, or processed;
- Right to access a copy of your personal information;
- Right to delete personal information;
- Right to correct inaccurate personal information;
- Right to data portability;
- Right to opt out of sale or sharing of personal information;
- Right to opt out of processing for targeted advertising;
- Right to opt out of profiling that produces legal or similarly significant effects;
- Right to limit use and disclosure of sensitive personal information;
- Right to appeal a privacy-rights-request decision (where required by state law);
- Right to non-discrimination for exercising privacy rights.
Specific health-data rights apply under the Washington My Health My Data Act (MHMDA) and Nevada SB 370 for consumer health data. Where applicable, Fiskl Customers (rather than Fiskl) are typically the regulated party for “consumer health data” under these laws; see Customer-Specific Supplement section 3.
Fiskl does not “sell” personal information in the conventional commercial sense. Our processing of Aggregated Data and operation of Data Products is described in section 5; we do not provide raw Customer Data to third-party AI developers for training their general-purpose models. Where state law defines “share” or “process for targeted advertising” expansively, we honour your opt-out — including via Global Privacy Control (GPC) signals where recognised by state law (currently California under CPRA and Colorado under CPA).
8.3 Canada (PIPEDA, Quebec Law 25, and provincial laws)
- Right to access;
- Right to challenge accuracy;
- Right to withdraw consent;
- Right to be informed of automated decision-making;
- Right to data portability (Quebec).
8.4 Brazil (LGPD)
- Right to confirmation and access;
- Right to correction;
- Right to anonymisation, blocking, or deletion;
- Right to portability;
- Right to information about sharing;
- Right to revoke consent;
- Right to oppose processing;
- Right to review of automated decisions.
8.5 Australia (Privacy Act / Australian Privacy Principles) and New Zealand (Privacy Act 2020)
- Right to access;
- Right to correction;
- Right to make a privacy complaint;
- Right to anonymity or pseudonymity where practicable.
8.6 Singapore (PDPA), Japan (APPI), South Korea (PIPA)
- Right to access;
- Right to correction;
- Right to withdraw consent;
- Right to deletion or restriction in defined circumstances;
- Other rights as provided under each law.
8.7 South Africa (POPIA)
- Right of access;
- Right to correction or deletion;
- Right to object to processing;
- Right to lodge a complaint with the Information Regulator.
8.8 UAE (Federal PDPL, DIFC, ADGM)
- Right to access;
- Right to correction;
- Right to deletion;
- Right to object;
- Right to data portability;
- Right to restrict processing;
- Right to withdraw consent.
8.9 Other jurisdictions
Where the data protection law of your jurisdiction grants you rights not listed above (including but not limited to Mexico’s LFPDPPP, Turkey’s KVKK, India’s DPDP Act, Saudi Arabia’s PDPL, and others), those rights apply.
8.10 Exercising your rights
To exercise your rights, contact dpo@fiskl.com or use the privacy controls in your Account. We respond within the timeframes required by the applicable law (typically 30 days under UK/EU GDPR, 45 days under CCPA, 15 days under LGPD, and similar timeframes elsewhere). Where the law allows, we may extend this period for complex requests on notice to you.
We do not discriminate against anyone for exercising privacy rights.
9. Data protection authorities and complaints
If you believe we have infringed your data protection rights, you have the right to lodge a complaint with the supervisory authority in your jurisdiction. Selected authorities:
| Region | Authority | URL |
| --- | --- | --- |
| United Kingdom | Information Commissioner’s Office (ICO) | https://ico.org.uk |
| European Economic Area | European Data Protection Board (EDPB) — and the supervisory authority of your country of residence | https://edpb.europa.eu |
| Switzerland | Federal Data Protection and Information Commissioner (FDPIC) | https://www.edoeb.admin.ch |
| United States — California | California Privacy Protection Agency (CPPA) | https://cppa.ca.gov |
| United States — California | California Attorney General | https://oag.ca.gov/privacy |
| Canada | Office of the Privacy Commissioner of Canada (OPC) | https://www.priv.gc.ca |
| Canada — Quebec | Commission d’accès à l’information du Québec (CAI) | https://www.cai.gouv.qc.ca |
| Brazil | Autoridade Nacional de Proteção de Dados (ANPD) | https://www.gov.br/anpd |
| Australia | Office of the Australian Information Commissioner (OAIC) | https://www.oaic.gov.au |
| New Zealand | Office of the Privacy Commissioner | https://www.privacy.org.nz |
| Singapore | Personal Data Protection Commission (PDPC) | https://www.pdpc.gov.sg |
| Japan | Personal Information Protection Commission (PPC) | https://www.ppc.go.jp/en |
| South Korea | Personal Information Protection Commission (PIPC) | https://www.pipc.go.kr/eng |
| South Africa | Information Regulator | https://inforegulator.org.za |
| Mexico | INAI | https://home.inai.org.mx |
| India | Data Protection Board (constituted under DPDP Act); MeitY | https://www.meity.gov.in |
| United Arab Emirates — federal | UAE Data Office | https://www.uaedataoffice.ae |
| United Arab Emirates — DIFC | DIFC Commissioner of Data Protection | https://www.difc.com/business/laws-and-regulations/data-protection |
| United Arab Emirates — ADGM | ADGM Office of Data Protection | https://www.adgm.com/operating-in-adgm/office-of-data-protection |
| Saudi Arabia | Saudi Data and Artificial Intelligence Authority (SDAIA) | https://sdaia.gov.sa |
| Turkey | Personal Data Protection Authority (KVKK) | https://www.kvkk.gov.tr/en |
URLs are provided for convenience and may change over time. The current version of this Privacy Policy is always available at https://fiskl.com/legal/privacy-policy/.
Our lead supervisory authority in the UK is the ICO. For EEA-related matters, we welcome contact through any EEA supervisory authority and will cooperate with the lead authority designated under the one-stop-shop mechanism where applicable.
We invite you to contact us first at dpo@fiskl.com so we have the opportunity to address your concerns.
10. Data retention
We retain personal data for as long as necessary for the purposes for which it was collected, including:
- Customer Data: while the Customer’s account is active and as required to provide the Fiskl Platforms. After account termination, Customer Data is deleted in accordance with section 12.6 of the Customer Terms (typically within 30 days, subject to legal retention obligations).
- Account information: while the account is active and for a reasonable period afterwards for record-keeping, billing, and legal purposes.
- Usage data: typically for up to 24 months, unless a longer retention is justified for security, fraud, or legal reasons.
- Aggregated Data and Fiskl-Exclusive Models: indefinitely. Once Customer Data has been used to train a model or has been irreversibly aggregated, the resulting model or Aggregated Data does not need to be deleted on the Customer’s request, because it does not constitute Customer Data and is, in the case of Aggregated Data, not personal data.
- Records of communications: typically for 6 years for legal, audit, and dispute purposes.
- Information required to be retained by law: for the period required.
11. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS) and at rest;
- Access controls, authentication, and least-privilege access;
- Logging, monitoring, and intrusion detection;
- Vendor due diligence and contractual safeguards with Subprocessors;
- Employee training on security and privacy;
- Incident response procedures;
- Regular security reviews and testing.
No system is completely secure. If we become aware of a personal data breach affecting your data, we will notify the Customer (where Fiskl is the Processor) or you directly (where Fiskl is the Controller) and, where required, the relevant supervisory authority, in accordance with applicable law.
12. Children
The Fiskl Platforms are not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data, please contact dpo@fiskl.com and we will take reasonable steps to delete it.
13. Cookies and tracking
We use cookies and similar technologies on fiskl.com and in the Fiskl Platforms. Our use of cookies, the categories of cookies, and your choices are described in the Cookie Policy at https://fiskl.com/legal/cookie-policy/.
14. Marketing communications
You may opt out of marketing emails using the unsubscribe link in any marketing email or by emailing privacy@fiskl.com. Service communications (security alerts, billing, account notifications) are not marketing and continue to be sent regardless of marketing opt-out, while you have an account.
15. Atlas-specific privacy notes
Atlas firms are themselves Customers of Fiskl. The Atlas Terms Supplement and the DPA describe additional aspects of how data flows in Atlas, including:
- Atlas firm access to clients’ Customer Data based on the billing model and connection level;
- Default protections for Customer Data of clients managed under Atlas firm relationships in respect of AI training and Data Products;
- Atlas firm controls and disclosure obligations to their clients;
- Ownership transfer of accounts when an Atlas firm relationship ends.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes take effect 30 days after we post notice (typically by email and in-app). Non-material changes (clarifications, corrections, structural updates) take effect on posting. Continued use of the Fiskl Platforms after the effective date constitutes acceptance.
The current version is always available at https://fiskl.com/legal/privacy-policy/.
17. Jurisdiction-specific notices
This section provides supplementary notices for selected jurisdictions. Where there is conflict between this section and the general provisions of this Privacy Policy, the more protective provision applies.
17.1 United States — California (CCPA / CPRA)
Categories of personal information collected in the past 12 months. Identifiers (name, email, IP address); commercial information (subscription, billing); internet/network activity (logs, usage data); geolocation (approximate, from IP); professional or employment-related information (business name, role); inferences (categorisations); financial information (transaction data submitted by Customers); sensitive personal information limited to login credentials and account access information.
Sources are described in section 2 and purposes in section 3.
Disclosures. We disclose personal information to Subprocessors as service providers (section 6.1). We do not “sell” personal information for monetary consideration. We do “share” personal information for cross-context behavioural advertising in limited circumstances on our marketing site (fiskl.com), and you may opt out via the cookie preference centre.
Sensitive personal information. We use sensitive personal information only as needed to provide the Fiskl Platforms or as required by law, and we do not use it for inferring characteristics about you.
Authorized agents. California residents may use an authorised agent to submit requests, with verification.
17.2 European Economic Area and United Kingdom (GDPR)
The lead supervisory authority is the UK ICO. Where you are an EEA data subject, the GDPR applies and you may exercise rights with the supervisory authority of your country of residence.
17.3 Brazil (LGPD)
Fiskl’s representative for LGPD purposes can be contacted at dpo@fiskl.com. Data subjects may exercise rights under LGPD Article 18 by contacting us. ANPD is the data protection authority.
17.4 Canada (PIPEDA, Quebec Law 25)
Fiskl complies with PIPEDA and applicable provincial laws. For Quebec residents, Fiskl appoints a person responsible for the protection of personal information, contactable at dpo@fiskl.com. Quebec residents have rights under Law 25 including data portability and a right to know about automated decision-making.
17.5 Australia and New Zealand
Fiskl complies with the Australian Privacy Principles (APPs) and the New Zealand Privacy Act 2020. Complaints may be made directly to us or to the OAIC (Australia) or the Office of the Privacy Commissioner (New Zealand).
17.6 Singapore (PDPA)
Fiskl complies with the Singapore Personal Data Protection Act. Our DPO is contactable at dpo@fiskl.com.
17.7 South Africa (POPIA)
Fiskl complies with POPIA. The Information Regulator is the relevant authority. Operator obligations apply where Fiskl processes personal information on behalf of a Customer (Responsible Party).
17.8 United Arab Emirates (Federal PDPL, DIFC, ADGM)
Fiskl complies with the UAE Federal PDPL and, where the Customer is established in DIFC or ADGM, the relevant DIFC Data Protection Law or ADGM Data Protection Regulations. Banking integration data sourced through WIO Bank is subject to UAE banking regulator residency requirements.
17.9 India (DPDP Act)
Fiskl complies with the Digital Personal Data Protection Act 2023. Indian residents may exercise rights including the right to access, correction, erasure, grievance redressal, and to nominate another individual to exercise rights in the event of death or incapacity.
17.10 Other jurisdictions
For all other jurisdictions, applicable national or regional law governs and we comply with it. If you are unsure how this Privacy Policy applies to you, contact dpo@fiskl.com.
18. Contacting Fiskl about privacy
| Topic | Email |
| --- | --- |
| Data protection, exercising rights, DPO matters | dpo@fiskl.com |
| General privacy questions | privacy@fiskl.com |
| Customer support | support@fiskl.com |
| Legal notices | legal@fiskl.com |
Postal address: Fiskl Limited, 6A Thirlmere Road, London, N10 2DN, United Kingdom
Effective: 15 March 2026