Privacy Policy

Hi Harley Ltd ("Hi Harley", "we", "us", or "our") operates the Hi Harley Copilot platform, accessible at hiharley.co.uk. We are the data controller for the personal data we collect through this service.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at [email protected]. Our registered address is in the United Kingdom.

We collect the following categories of personal data:

We do not collect special category data (e.g. health, biometric, or political data) and we do not knowingly collect data from children under 16.

Under UK GDPR, we rely on the following legal bases:

• Contract performance — processing necessary to provide the Hi Harley service you have signed up for (Article 6(1)(b)).
• Legitimate interests — improving the platform, preventing fraud, and ensuring security (Article 6(1)(f)).
• Consent — for optional communications such as email reminders and marketing updates (Article 6(1)(a)). You may withdraw consent at any time.
• Legal obligation — where we are required to retain or disclose data by law (Article 6(1)(c)).

We use your personal data to:

• Create and maintain your account and business profile.
• Calculate and display your HMRC filing deadlines and obligations.
• Analyse documents you upload using AI to extract metadata and summaries.
• Generate tax estimates based on your income and expense data.
• Send filing deadline reminders via platform notifications or email (if enabled).
• Answer questions through the Ask Harley AI assistant.
• Monitor and improve the performance and security of the platform.

We do not sell your personal data to third parties. We do not use your financial or business data to train AI models without your explicit consent.

We share your data only where necessary to provide the service, with the following categories of recipients:

• Infrastructure providers — cloud hosting, database, and file storage services (data processed within the UK or EEA, or under Standard Contractual Clauses).
• AI service providers — large language model APIs used to power Ask Harley and document analysis. Inputs are not retained for model training.
• Analytics providers — anonymised usage analytics to understand how the platform is used.
• Legal and regulatory authorities — where required by law or to protect our legal rights.

We retain your personal data for as long as your account is active. Specifically:

• Account and business profile data: retained for the life of your account plus 6 years after closure (to comply with HMRC record-keeping requirements).
• Financial transaction data: retained for 6 years from the end of the relevant tax year.
• Uploaded documents: retained until you delete them or close your account.
• Ask Harley conversation history: retained for 12 months, then automatically deleted.
• Usage logs: retained for 90 days.

When you close your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law.

You have the following rights regarding your personal data:

• Right of access — request a copy of the data we hold about you.
• Right to rectification — ask us to correct inaccurate or incomplete data.
• Right to erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction — ask us to restrict processing of your data in certain circumstances.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests.
• Rights related to automated decision-making — we do not make solely automated decisions that produce legal or similarly significant effects.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Hi Harley uses cookies and similar technologies to operate the service. We use:

• Strictly necessary cookies — session authentication cookies required to keep you logged in. These cannot be disabled.
• Analytics cookies — anonymised usage data to understand how the platform is used. You may opt out via your browser settings.

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings at any time.

We take the security of your data seriously. We use industry-standard measures including TLS encryption in transit, encrypted storage at rest, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

If you believe your account has been compromised, please contact us immediately at [email protected].

Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the ICO, or transfers to countries with an adequacy decision. We will always tell you if we transfer your data internationally and the safeguards we rely on.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice on the platform at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection contact at: