Updated March 2025



Privacy Policy

At Unmasked, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, mobile applications, and services (“Services”).

Who We Are

Unmasked is a financial tracking and analytics platform built specifically for dental professionals. We are operated by Ruzivo Holdings Ltd, a company registered in the United Kingdom.

If you have any questions about your data or how we handle it, please contact us at:

📧 data-protection@unmaskedfinance.com
If addressing a Data Protection Officer (DPO), please include “DPO” in your subject line.

What Information We Collect

We collect the following types of personal data:

  • Account Information: Name, email address, and password.

  • Financial Data: Payslips, spreadsheets, or other documents you upload, including gross/net income, pension deductions, expenses, and tax data.

  • Usage Data: Device information, IP address, browser type, and pages visited.

  • Open Banking Data: With your consent, we securely access transaction data via HMRC or bank integrations.

  • Payment Details: Handled securely by Stripe. We do not store card information.

How We Use Your Information

We process your personal data in order to:

  • Provide and maintain our Services

  • Generate tax summaries and analytics

  • Help you comply with Making Tax Digital (MTD) obligations

  • Improve and personalise your experience

  • Communicate updates and support responses

  • Fulfil our legal or regulatory obligations

Legal Basis for Processing (UK GDPR)

We process your data on one or more of the following lawful bases:

  • To perform our contract with you (e.g. processing your uploaded financial data)

  • To comply with legal obligations (e.g. HMRC reporting)

  • For our legitimate interests (e.g. fraud prevention, service improvement)

  • With your consent (e.g. marketing emails or Open Banking)

Third-Party Services and GDPR Compliance

We use third-party services to power our infrastructure and features. All such providers are GDPR compliant and only receive data necessary to perform their services:

  • Stripe – Payment processing. Stripe Privacy Policy

  • Microsoft Azure – Cloud hosting, UK/EU servers where possible. Microsoft Privacy

  • Amazon Web Services (AWS) – Infrastructure and storage. AWS Privacy

  • Anthropic, Google Gemini (OpenAI-like tools) – Only for anonymised, automated document analysis. No identifiable user data is processed.

All international data transfers (outside the UK/EEA) are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards.

OAuth and HMRC Access

When you connect your HMRC account, you log in directly via HMRC’s secure OAuth system. We do not store your HMRC credentials. Instead, we retain encrypted tokens that allow us to access and submit data to HMRC only with your permission.

Data Retention

  • HMRC and accounting data: Retained for 6 years in accordance with UK tax regulations.

  • General account data: Retained for as long as your account is active.

  • Deletion requests: Processed within 1–2 business days, subject to legal retention requirements.

  • Backup copies may be retained for audit and disaster recovery purposes.

Data Portability and Your Rights

Under UK GDPR, you have the right to:

  • Access your data

  • Correct inaccurate data

  • Request erasure (“right to be forgotten”)

  • Restrict or object to certain processing

  • Request your data in a portable format (e.g. CSV download)

  • Lodge a complaint with the Information Commissioner’s Office (ICO)

To exercise your rights, email data-protection@unmaskedfinance.com.

Security Measures

We use encryption, secure access controls, and best practices to protect your data:

  • All data is encrypted at rest and in transit

  • OAuth tokens are securely stored and isolated

  • Only authorised personnel (e.g. CTO, admin) have access to user data

  • Role-Based Access Control (RBAC) policies are enforced internally

Security Breach Notification

If we become aware of a data breach involving your personal information, we will:

  • Notify HMRC and the ICO within 72 hours, as required

  • Contact affected users promptly via email

  • Provide details on what was affected and what actions are being taken

To report a security issue, contact security@unmaskedfinance.com

Cookies and Tracking

We use cookies and tracking technologies to:

  • Remember preferences

  • Measure performance

  • Analyse site usage

You can manage cookies through your browser settings. Cookie usage is described in more detail in our Cookie Policy.

Changes to This Policy

We may update this policy to reflect changes in legal requirements, technology, or our services. When we do, we’ll notify users by email or via our website. Continued use of our platform after any changes implies acceptance of the updated policy.

Contact Us

📧 support@unmaskedfinance.com – General enquiries
📧 data-protection@unmaskedfinance.com – Privacy and rights
📧 security@unmaskedfinance.com – Report vulnerabilities or security concerns

Ruzivo Holdings Ltd
Registered in the United Kingdom
Company No: 16462529