Compliance and Data Protection
Last Updated: January 21, 2026
Version: 2.1
At Settel, protecting your financial data and respecting your privacy is fundamental. This page summarizes how we comply with major data protection regulations and what it means for you.
1. Regulatory Overview
1.1 Applicable Regulations
Settel complies with: UK GDPR and Data Protection Act 2018; EU GDPR; ePrivacy Directive (Cookie Law); CCPA/CPRA (California); DPDPA (India); PIPEDA (Canada); POPIA (South Africa).
1.2 ICO Registration (UK)
Settel is registered with the UK Information Commissioner's Office (ICO) under ZC039135 (https://ico.org.uk/ESDWebPages/Search).
1.3 FCA Regulatory Status
Settel is NOT regulated by the FCA. We do not provide regulated investment advice, manage client assets, offer financial products, or execute trades. We provide wealth tracking, multi-currency net worth calculations, tax estimates (informational), compliance deadline reminders, and financial document data extraction. For regulated advice, consult an FCA-authorized advisor.
2. GDPR/UK GDPR Compliance
2.1 Your Rights
You have the right to access, rectify, erase, restrict, and port (JSON/CSV export) your personal data, to object to processing, to withdraw consent at any time, not to be subject to automated decisions with legal or similarly significant effect, and to lodge a complaint with the UK ICO or your EU supervisory authority. Email privacy@settel.io to exercise any of these rights; we respond within 30 days of receiving a verified request.
2.2 Legal Bases
- Account creation/management: contract (Art. 6(1)(b))
- Wealth tracking and tax calculations: contract (Art. 6(1)(b))
- Payment processing: contract (Art. 6(1)(b))
- Security/fraud: legitimate interests (Art. 6(1)(f))
- Customer support: legitimate interests (Art. 6(1)(f))
- Analytics cookies: consent (Art. 6(1)(a))
- Marketing cookies/emails: consent (Art. 6(1)(a))
- Legal compliance/audit logs: legal obligation (Art. 6(1)(c))
2.3 Data Protection Officer
We are not required to appoint a DPO today. The privacy team handles DPO-style duties (privacy@settel.io). We will appoint a DPO if thresholds are met.
2.4 Data Retention
- Account info and financial data: account life + 30 days; backups 90 days
- Uploaded documents: never stored; deleted immediately after extraction
- Support: 3 years after last interaction
- Audit logs: 7 years
- Cookie consent logs: 7 years
- Active consent preferences: 13 months (rolling)
- Backups: 90 days
After these periods, data is deleted or anonymized.
2.5 International Transfers
We use SCCs, UK addenda, and provider DPAs. Providers with international operations: AWS, Stripe, Google Analytics (with consent). We do not rely on the invalidated EU-US Privacy Shield.
3. ePrivacy Directive (Cookie Law)
- Cookie banner on first visit with Accept All and Reject All equally prominent.
- Granular consent (analytics, marketing, functional) and pre-consent blocking.
- Easy withdrawal via Cookie Preference Center.
- Consent logs kept 7 years with versioning; re-consent when policies change.
- Do Not Track (DNT) and Global Privacy Control (GPC) browser signals are honored as opt-outs; no tracking before consent.
4. CCPA/CPRA (California)
Rights: know, delete, correct, opt out of sale/sharing (we do not sell personal data; marketing cookies may constitute "sharing" under the CPRA), limit use of sensitive personal information, and non-discrimination. Opt out via the footer "Do Not Sell or Share" link, a GPC signal, or privacy@settel.io. Response: 45 days (extendable by a further 45 days with notice). A GPC signal is honored automatically as an opt-out from marketing cookies.
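The GPC and DNT handling described in Sections 3 and 4 can be reduced to one rule: a browser signal may only remove consent, never grant it, and a missing consent record means every optional category stays off. The following is an added illustration of that rule, not Settel's code. It assumes request headers arrive as a mapping, that a consent record is a dict keyed by the page's categories (functional, analytics, marketing), and that GPC is signalled by `Sec-GPC: 1` and DNT by `DNT: 1`; the choice to treat DNT as an opt-out from analytics as well as marketing is this example's own assumption, the page only states that GPC switches off marketing cookies.

```python
"""Resolve effective cookie consent for a request, honouring GPC and DNT.

Added example; not Settel's code. Assumptions: consent records are dicts
keyed by category, headers are a str->str mapping, GPC is `Sec-GPC: 1`
and DNT is `DNT: 1` (only the exact value "1" counts, per both specs).
"""
from typing import Dict, List, Mapping, Optional, Tuple

OPTIONAL_CATEGORIES = ("functional", "analytics", "marketing")

# Which categories each signal switches off. GPC -> marketing follows the
# page; DNT -> analytics + marketing is an assumption made for this example.
SIGNAL_OPT_OUTS = {
    "sec-gpc": ("marketing",),
    "dnt": ("analytics", "marketing"),
}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None


def opt_out_signals(headers: Mapping[str, str]) -> List[str]:
    """Return the recognised opt-out signals present in the request, sorted."""
    return sorted(name for name in SIGNAL_OPT_OUTS if _header(headers, name) == "1")


def effective_consent(
    headers: Mapping[str, str],
    stored: Optional[Mapping[str, bool]] = None,
) -> Tuple[Dict[str, bool], List[str]]:
    """Combine a stored consent record with request-level opt-out signals.

    - No record (first visit, rejected, or expired): every optional
      category is off, so nothing non-essential loads before consent.
    - A signal only ever removes consent. A user who set marketing=False in
      the preference centre stays opted out even if the browser stops
      sending GPC later, because we never flip a category back to True.
    """
    consent = {
        cat: bool(stored.get(cat, False)) if stored else False
        for cat in OPTIONAL_CATEGORIES
    }
    signals = opt_out_signals(headers)
    for signal in signals:
        for cat in SIGNAL_OPT_OUTS[signal]:
            consent[cat] = False
    return consent, signals


def gpc_well_known() -> Dict[str, object]:
    """Body for /.well-known/gpc.json, the GPC spec's way for a site to
    declare that it honours the signal. The date is a placeholder."""
    return {"gpc": True, "lastUpdate": "2026-01-21"}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    all_on = {"functional": True, "analytics": True, "marketing": True}
    print(effective_consent({}, None))                       # nothing consented yet
    print(effective_consent({"Sec-GPC": "1"}, all_on))       # GPC removes marketing
    print(effective_consent({"sec-gpc": "0", "DNT": "1"}, all_on))  # only DNT counts
```

The lookup is deliberately strict: `Sec-GPC: 0`, an empty value, or a misspelled header is ignored rather than treated as an opt-out, which matches the signal definitions and keeps consent logs (Section 3) accurate about what the user actually sent.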
5. DPDPA (India)
Rights: access, correction, erasure (in some cases), portability, grievance redressal, nominate a representative. Grievance Officer: privacy@settel.io (acknowledge within 24 hours; target resolution within 15 days). Consent-first processing for personal data and optional cookies/marketing.
6. Data Protection Complaints and Grievance Procedure
- Contact privacy@settel.io (subject: "Data Protection Complaint - [Your Name]"); acknowledge within 24 hours, investigate, respond within 15 business days, propose remedy.
- Escalate to Data Protection Lead if unsatisfied; final response within 10 additional business days.
- If still unsatisfied, complain to UK ICO, your EU authority, India DPDP Board (when established), or California AG.
7. Security and Compliance Standards
- Encryption in transit (TLS) and at rest (AES-256 via providers); encrypted backups with separate keys.
- MFA for all users; RBAC for staff; least privilege; regular access audits.
- Hosted on AWS infrastructure with SOC 2 Type II and ISO 27001 attestations (via provider).
- Regular penetration testing, automated vulnerability scanning, and patching cadence.
- WAF and DDoS protection at the edge; application-level safeguards against SQL injection, XSS, and CSRF.
- Zero document retention: uploads parsed, values stored, originals deleted immediately.
- Annual internal and third-party security reviews; summaries available on request (security@settel.io).
- Incident response: contain, notify within 72 hours where required, inform affected users without undue delay.
8. Privacy by Design
Principles we apply: data minimization, purpose limitation, transparency, user control, security by default, zero document storage, consent-first tracking, and privacy-enhancing measures (IP hashing, anonymization, encrypted backups, secure session management).
DPAs with processors cover: processing instructions, data categories, purposes, confidentiality, subprocessor flow-down, security measures, breach notification, and deletion or return of data when the service ends.
9. Third-Party Compliance
All third parties must sign DPAs, commit to GDPR/CCPA compliance, implement security, allow audits, notify of breaches, and delete/return data when services end. We assess providers annually.
10. Accessibility and Vulnerability Support
WCAG 2.1 AA structure, clear headings, plain language, high contrast, keyboard navigation. Compliance docs available in multiple formats; summaries provided. Support available in multiple languages and for vulnerable users via support@settel.io.
11. FAQs
- Data security: AES-256, MFA, audits; uploads never stored.
- Employee access: tightly controlled and logged; only with permission for support.
- Acquisition: data would transfer with notice; protections continue.
- Ads: we do not sell personal data.
- Deletion timing: 30 days for active data, 90 days for backups; audit logs 7 years.
- Opt-out of marketing: unsubscribe links or Settings -> Notifications.
- Export data: Settings -> Account -> Export Data (JSON/CSV).
- Suspected breach: email security@settel.io immediately.
- DNT/GPC: honored.
- Regulation coverage: see Section 1.1; ask privacy@settel.io if unsure.
12. Certifications and Attestations
- ICO Registration: ZC039135 (active)
- AWS SOC 2 Type II and ISO 27001 (via infrastructure)
- Stripe PCI-DSS Level 1 (payments)
- GDPR and CCPA compliance: self-assessed annually
- GPC recognition: implemented
Audit report summaries available on request (compliance@settel.io; full reports may be confidential).
13. Regulatory Contacts
- UK ICO: https://ico.org.uk
- EU authorities: https://edpb.europa.eu
- California AG: https://oag.ca.gov/privacy
- India DPDP Board: details to be confirmed by authority
- Settel privacy: privacy@settel.io (5 business days)
- Security: security@settel.io (24/7)
- Compliance: compliance@settel.io (5 business days)
- Grievance Officer (India): privacy@settel.io (acknowledge within 24 hours, resolve within 15 days)
14. Version History
- 2.1 (January 21, 2026): Added GPC recognition, DPA details, enhanced complaint procedures, automated decision-making disclosures.
- 2.0 (January 21, 2026): Complete rewrite with enhanced compliance details.
- 1.0: Initial publication.
Previous versions available on request at privacy@settel.io. Annual transparency report planned January 2027.
Next Review: April 2026