Version 1.1 — Last updated: February 2026
Stack Zero Limited (“we”, “us”, “our”) operates savvibills.com and the Savvi platform (the “Service”). We are committed to protecting and respecting your privacy. This privacy policy explains how we collect, use, store and share your personal data when you use our Service.
We are the data controller for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Stack Zero Limited is registered in England and Wales. Company number: 09373967. Registered address: Bridge Farm, Holt Lane, Ashby Magna, LE17 5NJ.
If you have any questions about this privacy policy or our data practices, please contact us at privacy@savvibills.com.
We collect and process the following categories of personal data:
When you create an account, we collect your name, email address and password (which is stored only in hashed form using industry-standard encryption). If you sign in using Google, we also receive your profile image from Google.
Information you provide or that we extract from your documents to organise your records into Profiles. This includes postal addresses, property details, vehicle information, business names and person names. Profiles may represent a Property, Person, Vehicle, Business or Asset.
Bills, contracts, certificates, manuals and other documents you upload to the Service, including the file content, file type and associated metadata such as upload date and file size.
Information that our AI systems automatically extract from your uploaded documents. This includes supplier names, account numbers, monetary amounts, dates, payment terms, line items and other structured data identified within your documents.
Your relationships with suppliers, including supplier names, account numbers, payment frequencies, contract start and end dates and renewal dates. This data may be entered by you directly or extracted from your uploaded documents.
Your Stripe customer ID, subscription status and plan type so that we can manage your subscription. We do not store your payment card details — these are held securely by our payment processor, Stripe, in accordance with PCI DSS standards.
When you connect third-party services such as Xero, QuickBooks or Google Drive, we store OAuth access tokens and refresh tokens necessary to maintain the connection and synchronise data on your behalf. When you connect Google Drive, we access file contents only for files you explicitly select via the Google Picker, as well as your Google account email address to display which account is connected. See Section 6 for full details on our use of Google API data.
Session tokens, trusted device tokens, IP addresses and browser information collected automatically when you access the Service. This data is necessary for authentication, security and the proper functioning of the platform.
Emails sent to your Savvi inbox email address for the purpose of document upload, as well as transactional emails we send to you, including welcome emails, password reset emails and two-factor authentication codes.
Your preferences such as table column settings and dismissed banners, as well as activity logs recording actions taken on profiles and supplier accounts within the Service.
We collect your personal data through the following means:
When you create an account, upload documents, enter information manually, update your profile details or connect third-party integrations. You provide this data voluntarily through your use of the Service.
Through cookies and session tokens when you use our Service. We collect technical data such as session identifiers and trusted device tokens to authenticate your access and maintain security.
Via Google when you sign in using Google authentication, including your name, email address and profile image. From Google Drive when you select and import files into Savvi via the Google file picker. From Xero or QuickBooks when you synchronise your accounting data with the Service.
Data derived from your uploaded documents via our automated AI extraction systems. When you upload a document, our AI analyses its contents and extracts structured data such as supplier names, account numbers, dates and amounts.
When you send or forward documents to your unique Savvi inbox email address, we receive and process the email and any attachments for document upload and extraction.
Under Article 6 of the UK GDPR, we rely on the following lawful bases to process your personal data:
| Processing Activity | Lawful Basis | Explanation |
|---|---|---|
| Account creation and authentication | Performance of contract | Necessary to provide you with the Savvi service |
| Document storage and organisation | Performance of contract | Core functionality of the service you signed up for |
| AI document extraction and classification | Performance of contract | Core functionality of the service |
| Billing and subscription management | Performance of contract | Necessary to manage your paid subscription |
| Transactional emails (welcome, password reset, 2FA) | Performance of contract | Necessary service communications |
| Third-party integrations (Xero, QuickBooks, Google Drive) | Consent | You explicitly choose to connect each integration |
| Activity logging and audit trails | Legitimate interest | Security monitoring and service improvement |
| Session and cookie management | Legitimate interest | Necessary for secure operation of the service |
We share your personal data with the following third-party processors who act on our behalf and under our instructions:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenAI / Google (Gemini) | AI document extraction and classification | Document text and images | United States |
| Stripe | Payment processing | Email address, subscription data | United States |
| Mailgun (Sinch) | Email delivery | Email addresses, email content | European Union |
| Google | Authentication (OAuth); Google Drive import at user's direction (we access data from Google, not share data with Google) | We receive: name, email, profile image (auth); contents of files you select for import (Drive). See Section 6. | United States |
| Xero | Accounting software sync | Supplier and bill data | Global |
| Intuit (QuickBooks) | Accounting software sync | Supplier and bill data | United States |
| Serper | Supplier contact information lookup | Supplier names (no personal data) | United States |
| Cloud storage provider | Document file storage | Uploaded document files | Configured per deployment |
All third-party processors are bound by data processing agreements that require them to process your data only on our instructions and in accordance with applicable data protection legislation.
Savvi's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect Google Drive to Savvi, we request the following scopes:
Files you select for import are downloaded from Google Drive to our secure storage (S3). Once imported, they are processed through the same AI-powered extraction pipeline as documents you upload directly — including classification, data extraction and organisation into Profiles, Accounts and Contracts. Your connected Google account email is displayed in your integration settings so you can see which account is linked.
OAuth access tokens and refresh tokens are stored in our database for as long as the Google Drive integration remains connected. Imported files are stored in our S3-compatible storage with the same security measures applied to all uploaded documents (see Section 11). We do not maintain a persistent cache or mirror of your Google Drive — files are only imported when you explicitly initiate an import.
The content of documents imported from Google Drive is sent to our AI providers (OpenAI or Google Gemini) for extraction and classification, under data processing agreements. This is the same processing applied to all documents in Savvi, regardless of how they were uploaded. No other third parties receive your Google Drive data.
In accordance with Google's Limited Use requirements, we confirm that we do NOT use Google user data for:
Human access to Google user data is limited to situations where the user has given affirmative consent, it is necessary for security purposes (such as investigating abuse), it is required to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymised.
You can disconnect Google Drive at any time from your Savvi integration settings. When you disconnect, we revoke the OAuth tokens with Google and delete them from our database, and Savvi loses all further access to your Google Drive. Documents that were previously imported from Google Drive remain in your Savvi account until you choose to delete them, as they have been incorporated into your document library.
You can also revoke Savvi's access externally at any time by visiting your Google Account permissions page.
Some of our third-party processors are located outside the United Kingdom. Where we transfer your personal data to processors in the United States, we rely on the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework) as our transfer mechanism.
We ensure that all processors to whom we transfer data provide adequate safeguards for your personal data in accordance with UK GDPR. Where applicable, we implement supplementary measures such as Standard Contractual Clauses to protect your data during international transfers.
We retain your personal data only for as long as necessary for the purposes set out in this policy. Our specific retention periods are as follows:
Under the UK GDPR, you have the following rights in relation to your personal data:
To exercise any of these rights, please contact us at privacy@savvibills.com. We will respond to your request within one month of receipt. In exceptional circumstances, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for it.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated. You can contact the ICO at ico.org.uk.
We use cookies and similar technologies that are strictly necessary for the operation of the Service. The following table sets out the cookies we use:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| savvi-customer-session | Essential | Authenticates your session | Browser session |
| savvi-trusted-device | Essential | Remembers trusted devices for two-factor authentication | 30 days |
| xero_oauth_state | Essential | Verifies Xero integration OAuth flow | 10 minutes |
| qbo_oauth_state | Essential | Verifies QuickBooks integration OAuth flow | 10 minutes |
| gdrive_oauth_state | Essential | Verifies Google Drive integration OAuth flow | 10 minutes |
In addition to cookies, we use browser localStorage for functional preferences. Items such as savvi_column_prefs_* (table column display settings) and savvi_banner_dismissed (dismissed notification banners) are stored locally on your device. These do not track you across websites and are used solely to remember your interface preferences.
We do not use analytics cookies, advertising cookies or marketing cookies. We do not engage in cross-site tracking of any kind.
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it. These measures include:
Savvi is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe that we may have collected data from someone under 18, please contact us at privacy@savvibills.com.
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. Where we make material changes to this policy, we will notify you by email to the address associated with your account.
Your continued use of the Savvi service after notification of changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically to stay informed about how we protect your data.
If you have any questions, concerns or requests regarding this privacy policy or your personal data, please contact us:
Stack Zero Limited, trading as Savvi
Company number: 09373967
Registered address: Bridge Farm, Holt Lane, Ashby Magna, LE17 5NJ
Email: privacy@savvibills.com