Back to home

Privacy Policy

Last updated: March 2026

1. Introduction

Incorra Ltd (“Incorra”, “we”, “us”, or “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use the Incorra platform, website, and related services.

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our registered address is in England and Wales.

2. What Data We Collect

We collect the following categories of personal data:

  • Account information: name, email address, phone number, and password when you register an account.
  • Company information: company name, registered address, Companies House number, SIC codes, director and shareholder details, and incorporation documents.
  • Identity verification data: government-issued identification documents and biometric data processed by our verification partners for KYC/AML compliance.
  • Financial data: bank account details, transaction records, invoices, and accounting data connected via integrated services.
  • Usage data: IP address, browser type, device information, pages visited, and interaction patterns.
  • Communications: messages sent through our support channels and interactions with the Incorra Agent.

3. How We Use Your Data

  • To provide and maintain the Incorra platform, including company formation, compliance monitoring, and financial management.
  • To process company formations and filings with Companies House and HMRC on your behalf.
  • To verify your identity and comply with anti-money laundering regulations.
  • To power the Incorra Agent, our AI assistant, which uses your company data to provide personalised insights and recommendations.
  • To process payments and manage your subscription.
  • To send you important service notifications, compliance reminders, and filing deadlines.
  • To improve our platform through aggregated, anonymised usage analytics.

4. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

  • Contract performance: processing necessary to provide our services, including company formation, compliance management, and financial tools.
  • Legal obligation: processing required to comply with UK law, including AML/KYC checks, Companies House filings, and HMRC requirements.
  • Legitimate interests: improving our platform, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
  • Consent: where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time.

5. Data Sharing and Third Parties

We share your data with the following categories of third-party service providers, strictly as necessary to deliver our services:

  • Supabase: cloud database and authentication infrastructure. Data is stored securely with encryption at rest and in transit.
  • Stripe: payment processing for subscriptions and one-off charges. Stripe is PCI DSS Level 1 certified.
  • Companies House: company formation filings, annual returns, and public register data as required by UK company law.
  • Veriff / Didit: identity verification and biometric checks for KYC/AML compliance. Biometric data is processed in accordance with their respective privacy policies.
  • Anthropic: AI model provider powering the Incorra Agent. Conversation data is sent to Anthropic for processing but is not used to train their models.
  • Accounting integrations: Xero, QuickBooks, and FreeAgent when connected by you, to sync financial data.
  • Banking integrations: TrueLayer for open banking data access when authorised by you.

We do not sell your personal data to any third party. Data transfers outside the UK are protected by appropriate safeguards, including Standard Contractual Clauses and adequacy decisions.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide our services. After account closure, we retain data for a minimum of 6 years to comply with UK legal and regulatory requirements (including Companies Act 2006 and HMRC record-keeping obligations). Identity verification records are retained for 5 years after the end of the business relationship, as required by the Money Laundering Regulations 2017. You may request deletion of non-legally-required data at any time.

7. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your data, subject to legal retention requirements.
  • Right to restrict processing: request that we limit how we use your data in certain circumstances.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making: request human review of significant decisions made solely by automated means.

To exercise any of these rights, contact us at privacy@incorra.com. We will respond within one month.

8. Cookies

We use cookies and similar technologies to operate our platform and improve your experience. For full details on the cookies we use and how to manage them, please see our Cookie Policy.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), encryption at rest, access controls, regular security audits, and incident response procedures. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our platform. Continued use of Incorra after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.