// legal
Privacy Policy
1. Who we are
BOCY AI LIMITED ("BOCY", "we", "us", "our") is a company registered in England and Wales.
- Company number: 16760137
- Registered address: Apartment 15 Adlay Apartments, 3 Millet Place, London, England, E16 2YE
- SIC codes: 62012 — Business and domestic software development; 64999 — Financial intermediation not elsewhere classified
We are the data controller for the personal information we collect through the BOCY application, website (bocy.io), and related services (collectively, the "Service"). This means we decide how and why your personal data is processed.
At BOCY, we are building an AI-powered financial insights tool that helps you optimise where your money sits. Like all AI, BOCY relies on data to be effective — it is at the heart of what we do, letting us make your money work more efficiently and intelligently for you. We take the security of your data very seriously and are committed to assuring and respecting your privacy.
2. About this policy
This Privacy Policy sets out how and on what basis we collect information about you, and the ways in which it is used and protected. It covers your rights under:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- The Privacy and Electronic Communications Regulations 2003 (PECR)
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use the Service.
We may update this policy from time to time. If we make significant changes, we will notify you through the app or by email. The "Last updated" date at the top of this page indicates when the policy was last revised.
3. Information we collect
We collect and process the following categories of personal data:
3.1 Information you provide directly
- Account information: name, email address, and password when you create a BOCY account
- Profile information: date of birth, employment status, income details, and financial goals you choose to share
- Communications: messages, feedback, and support requests you send to us
3.2 Information collected through Open Banking
When you connect your bank accounts via Open Banking, we receive:
- Account data: account type, provider, balances, and account identifiers
- Transaction data: transaction history including amounts, dates, descriptions, and categories
- Standing orders and direct debits: recurring payment details
Open Banking data is provided through FCA-regulated third-party providers. We access this data in read-only mode — we cannot move your money or make changes to your accounts without your explicit approval.
3.3 Information collected automatically
- Device information: device type, operating system, browser type, and version
- Usage data: pages visited, features used, time spent, and interaction patterns
- Log data: IP address, access times, and referring URLs
- Cookies and similar technologies: see Section 9 for details
4. How we use your information
We use your personal data for the following purposes:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Provide the Service — analyse your finances, generate insights, compare savings rates | Performance of contract (Art. 6(1)(b)) |
| Create and manage your account | Performance of contract (Art. 6(1)(b)) |
| Improve and personalise the Service through AI-driven analysis | Legitimate interest (Art. 6(1)(f)) |
| Send service notifications (e.g. rate changes, better savings options found) | Legitimate interest (Art. 6(1)(f)) |
| Send marketing communications (only with your consent) | Consent (Art. 6(1)(a)) |
| Detect fraud and ensure security | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (e.g. anti-money laundering) | Legal obligation (Art. 6(1)(c)) |
| Respond to your support requests and feedback | Performance of contract (Art. 6(1)(b)) |
5. How our AI uses your data
BOCY uses artificial intelligence to analyse your financial data and provide personalised insights. Specifically:
- Financial analysis: our AI scans your income, bills, debts, and savings to identify your surplus and optimisation opportunities
- Rate comparison: we compare your current savings rates against live market data to find better options
- Personalised insights: the AI surfaces specific, data-backed insights (e.g. "moving £600 to pay down credit card could save £127/year")
- Pattern recognition: we identify spending patterns, recurring charges, and seasonal income fluctuations to help you plan ahead
Important: BOCY provides insights, not financial advice. We do not tell you what to do — we show you the data and the trade-offs so you can make informed decisions. BOCY never moves your money or takes action on your behalf without your explicit approval. You can override, modify, or dismiss any suggestion at any time.
We do not use your personal data to train general-purpose AI models. Your financial data is only used to provide the Service to you.
6. Who we share your data with
We do not sell your personal data. We will never directly or indirectly transfer your data for any monetisation-related service. We may share your data with the following categories of recipients:
- Open Banking providers: FCA-regulated Account Information Service Providers (AISPs) that facilitate secure access to your bank data
- Cloud infrastructure providers: to host and operate the Service securely
- Analytics providers: to help us understand how the Service is used (data is aggregated and anonymised where possible)
- Law enforcement or regulators: where we are legally required to do so
- Professional advisors: lawyers, auditors, and accountants where necessary
All third-party processors are bound by data processing agreements that require them to protect your data in accordance with UK GDPR.
7. Data retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: retained while your account is active, and deleted within 30 days of account deletion request
- Financial data (Open Banking): retained while your account is active to provide the Service. Deleted within 30 days of account deletion or disconnection of bank link
- Transaction history: retained for up to 6 years after account closure to comply with financial record-keeping obligations
- Usage and log data: retained for up to 12 months, then anonymised or deleted
- Marketing consent records: retained for as long as you are subscribed, plus 12 months
If you request that your account be deleted, we will delete all retained personal information on you in line with the above retention periods, unless we are legally required to keep certain records.
8. Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: request correction of inaccurate or incomplete data
- Right to erasure: request deletion of your personal data ("right to be forgotten")
- Right to restrict processing: request that we limit how we use your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: where processing is based on consent, withdraw it at any time
- Rights related to automated decision-making: you have the right not to be subject to a decision based solely on automated processing that produces legal or significant effects. BOCY's AI provides insights only — all final decisions and actions are yours
To exercise any of these rights, contact us at hello@bocy.io. We will respond within one month, as required by law.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
9. Cookies and tracking
We use cookies and similar technologies on our website and app. Cookies are small text files stored on your device that help us provide and improve the Service.
9.1 Types of cookies we use
- Essential cookies: required for the Service to function (e.g. authentication, security). These cannot be disabled
- Analytics cookies: help us understand how you use the Service so we can improve it. These are only set with your consent
9.2 Managing cookies
You can control cookies through your browser settings. Disabling essential cookies may affect the functionality of the Service. For analytics cookies, you can opt out through our cookie consent banner or your browser settings.
10. Data security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- 256-bit TLS encryption for all data in transit
- AES-256 encryption for data at rest
- Access controls and authentication for all internal systems
- Regular security assessments and penetration testing
- Employee access restricted on a need-to-know basis
While we take all reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
11. International transfers
Your data is primarily stored and processed in the United Kingdom. If we transfer your data outside the UK, we will ensure appropriate safeguards are in place, such as:
- UK adequacy regulations (transfers to countries deemed adequate by the UK government)
- International Data Transfer Agreements (IDTAs) or UK Addendum to EU Standard Contractual Clauses
12. Children's data
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at hello@bocy.io.
13. Third-party links
The Service may contain links to third-party websites, including banks and financial providers. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal data.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or legal requirements. We will notify you of material changes by:
- Posting the updated policy on our website with a new "Last updated" date
- Sending you an in-app notification or email for significant changes
Your continued use of the Service after any changes constitutes acceptance of the updated policy.
15. Contact us
If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:
- Email: hello@bocy.io
- Postal address: BOCY AI LIMITED, Apartment 15 Adlay Apartments, 3 Millet Place, London, England, E16 2YE
- Company number: 16760137