Privacy Policy
Effective Date: January 21, 2026
Last Updated: January 21, 2026
Version: 2.1
1. Introduction
Welcome to Settel. We are committed to protecting your privacy and handling your personal and financial data with the highest standards of security and transparency. This Privacy Policy explains how Settel ("we," "us," or "our") collects, uses, stores, and protects your information when you use our platform at www.settel.io (the "Service"). By using Settel, you agree to the practices described in this Privacy Policy.
Who We Are
Company Name: Settel
Contact Email: privacy@settel.io
Support Email: support@settel.io
Security Email: security@settel.io
ICO Registration Number: ZC039135
Verify: https://ico.org.uk/ESDWebPages/Search
Regulatory Status
Settel is NOT regulated by the Financial Conduct Authority (FCA). We are a financial planning and tax estimation tool. We do not:
- Provide regulated investment advice
- Manage client money or assets
- Offer financial products (investments, insurance, loans, etc.)
The information and estimates provided by Settel are for planning purposes only and should not be considered professional financial, investment, or tax advice.
2. Information We Collect
2.1 Information You Provide to Us
Account Information:
- Name, email address, password
- Country of residence, tax residency status
- Phone number (optional, for multi-factor authentication)
Financial Information:
- Bank account balances (you enter manually or via document upload)
- Investment portfolio values
- Property values and locations
- Income sources and amounts
- Tax-related information (residency days, income types, deductions)
- Currency preferences
Document Uploads:
- Financial statements, tax documents, investment reports
- Important: We extract only the numerical values needed (balances, income, etc.) and immediately delete the original documents. We never store or retain your uploaded files.
Communication Information:
- Messages you send us via support email (support@settel.io) or contact forms
- Feedback and survey responses
2.2 Information We Collect Automatically
Usage Information:
- Pages visited, features used, time spent on platform
- Dashboard interactions, calculation requests
- Login times and frequency
Technical Information:
- IP address (hashed for privacy)
- Browser type and version
- Device type and operating system
- Screen resolution
- Language preferences
Cookies and Tracking:
- See our detailed Cookie Policy for information about cookies we use
2.3 Information We Do NOT Collect
We do not collect:
- Credit card numbers or payment card details (handled securely by Stripe)
- Social Security Numbers or National Insurance Numbers
- Passport or driver license numbers
- Biometric data
- Information about children under 18
3. How We Use Your Information
3.1 To Provide Our Service
- Create and manage your account
- Display your multi-currency wealth dashboard
- Calculate tax estimates based on your inputs
- Provide residency and treaty analysis
- Send compliance reminders and deadline alerts
- Process your subscription payments
Legal Basis (GDPR): Contract performance (Article 6(1)(b)), legitimate interests (Article 6(1)(f)).
3.2 To Improve Our Service
- Analyze usage patterns to improve features
- Identify and fix bugs
- Develop new functionality
- Conduct user research and surveys
Legal Basis (GDPR): Legitimate interests (Article 6(1)(f)); consent for analytics cookies (Article 6(1)(a)).
3.3 To Communicate With You
- Send account-related notifications (password resets, security alerts)
- Provide customer support
- Send tax deadline reminders
- Share product updates (you can opt out)
Legal Basis (GDPR): Contract performance (Article 6(1)(b)); legitimate interests (Article 6(1)(f)); consent for marketing (Article 6(1)(a)).
3.4 For Security and Fraud Prevention
- Detect and prevent unauthorized access
- Monitor for suspicious activity
- Comply with legal obligations
- Enforce our Terms of Service
Legal Basis (GDPR): Legal obligation (Article 6(1)(c)); legitimate interests (Article 6(1)(f)).
3.5 For Legal Compliance
- Respond to legal requests and court orders
- Comply with tax and financial regulations
- Maintain audit logs for compliance purposes
Legal Basis (GDPR): Legal obligation (Article 6(1)(c)).
4. Automated Decision-Making and Profiling
Does Settel Use Automated Decision-Making?
Tax Calculations: YES (with human oversight)
Settel's tax estimator uses algorithms to calculate your estimated tax liability based on:
- Your inputs (income, residency, deductions)
- Publicly available tax rules and treaties
- Historical tax data
Important: These are estimates for planning purposes only, not binding determinations. We strongly recommend consulting a tax professional for filing decisions.
Marketing and Analytics: NO
We do not use automated profiling for credit decisions, loan approvals, insurance pricing, employment decisions, or any legally significant decisions.
Your Rights Under GDPR Article 22: If we engage in automated decision-making that has legal or similarly significant effects, you have the right to:
- Request human intervention
- Express your point of view
- Contest the decision
- Obtain an explanation of the decision
Contact Us: privacy@settel.io.
5. Cookie Data vs. Your Financial Data
At Settel, we handle two separate types of data.
What Cookies Track (Optional and Limited):
- Which pages you visit on Settel (e.g., dashboard, tax estimator, settings)
- How long you use certain features
- Technical information (browser type, device, screen size)
- Your cookie consent preferences
What Cookies NEVER Contain:
- Your bank account numbers or financial account credentials
- Investment holdings, portfolio values, or asset details
- Tax calculations or tax return information
- Uploaded document contents (these are never stored)
- Transaction history or payment information
- Personal identification numbers or sensitive financial data
Your Financial Data Protection: Your financial data (wealth tracking, tax estimates, account information) is stored separately from cookies, encrypted with bank-level AES-256 encryption, and protected by multiple security layers including:
- Multi-factor authentication
- End-to-end encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Regular security audits
- Strict access controls
- Zero document retention policy
Cookies only help the website function and improve the user experience; they never touch your sensitive financial information. See our Cookie Policy for details.
6. How We Share Your Information
We do not sell your personal information. We only share data in the following limited circumstances.
6.1 Service Providers
We work with trusted third-party companies that help us provide the Service.
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| AWS (Amazon Web Services) | Cloud hosting, database storage | Encrypted financial data, account info | AWS Privacy |
| Stripe | Payment processing | Email, payment amount (not card details) | Stripe Privacy |
| Google Analytics | Usage analytics (optional) | Anonymized usage data, IP address | Google Privacy |
All service providers are contractually obligated to protect your data, use it only for the specified purpose, and comply with GDPR and applicable laws.
6.2 Data Processing Agreements
Settel acts as a data controller for personal information you provide directly to us. When we use third-party service providers (such as AWS, Stripe, Google Analytics), we are the controller and they are processors. We maintain Data Processing Agreements (DPAs) with all processors, which include instructions, categories, purposes, confidentiality, subprocessor agreements, security requirements, and breach notifications.
Our processors must:
- Process data only on our instructions
- Maintain appropriate security measures
- Assist with data subject requests
- Notify us of any data breaches
- Delete or return data when services end
Request our DPA template at privacy@settel.io.
6.3 Legal Requirements
We may disclose information where required by law, including to comply with a subpoena, court order, or government request, to protect legal rights, to defend claims, or to prevent fraud or illegal activity.
6.4 Business Transfers
If Settel is acquired or merged, your information may transfer to the new entity. You will be notified.
6.5 With Your Consent
We may share information for other purposes with your explicit consent.
7. Data Security
We take the security of your financial data seriously.
7.1 Technical Security Measures
Encryption:
- In Transit: TLS 1.3
- At Rest: AES-256
Access Controls:
- Multi-factor authentication (MFA) for all accounts
- Role-based access controls for staff
- Regular access audits and monitoring
Infrastructure Security:
- Hosted on secure AWS infrastructure with SOC 2 Type II certification
- Regular security audits and penetration testing
- Automated vulnerability scanning
- 24/7 security monitoring
Network Security:
- Web Application Firewall (WAF) protection
- DDoS protection
- Intrusion detection systems
7.2 Document Handling Security (Zero Retention)
- When you upload a document, the file is transmitted via an encrypted connection (TLS 1.3).
- Our system extracts only the numerical values needed (balances, income, etc.).
- The original document is immediately and permanently deleted.
- Only the extracted values (encrypted) are stored.
- No one at Settel can view your original documents.
7.3 What We Cannot Guarantee
No system is 100% secure. While we implement strong measures, we cannot guarantee absolute security. You are responsible for keeping your password confidential, using a strong unique password, enabling MFA, and not sharing access. If you believe your account is compromised, contact security@settel.io immediately.
8. Data Breach Notification
Our 72-hour commitment:
Within 72 hours of discovery, if a breach poses a risk, we will notify the ICO and relevant EU authorities, assess the scope, contain and remediate the breach, and investigate. If the breach poses a high risk to you, we will notify you without undue delay via email, in-app notice, or website notice.
We will share: nature of the breach, categories of data affected, approximate number of users affected, likely consequences, measures taken, steps you should take, and contact information. We will not hide or delay disclosure.
If you suspect unauthorized access, contact security@settel.io. We keep a record of past incidents and lessons learned, available upon request.
9. Data Retention
We retain data only as long as necessary.
Retention Periods:
- Account Information: until you delete your account + 30 days
- Financial Data: until you delete your account + 30 days
- Tax Calculations: until you delete your account + 30 days
- Uploaded Documents: never stored; deleted immediately after extraction
- Support Messages: 3 years after last interaction
- Audit Logs: 7 years (regulatory)
- Cookie Consent Records: 7 years (GDPR Article 7)
- Active Consent Preferences: 13 months (rolling renewal)
- Anonymized Analytics: kept indefinitely (cannot identify you)
Consent Record Keeping:
We log the timestamp, consent choices, hashed IP, browser/device, consent version, user ID (if logged in), and country. Consent logs are encrypted, immutable, and access-restricted, and are retained for 7 years; active preferences are retained for 13 months. Request copies at privacy@settel.io.
Account Deletion:
When you delete your account, your data is marked for deletion immediately, removed from active systems within 30 days, and removed from backups within 90 days. Some data may be retained longer if required by law (e.g., audit logs for 7 years). Delete in Settings -> Account -> Delete Account, or contact support@settel.io.
10. Your Rights (GDPR, UK GDPR, CCPA)
10.1 European Union and United Kingdom
- Right to Access (Article 15)
- Right to Rectification (Article 16)
- Right to Erasure (Article 17)
- Right to Restrict Processing (Article 18)
- Right to Data Portability (Article 20)
- Right to Object (Article 21)
- Right to Withdraw Consent (Article 7)
- Right not to be Subject to Automated Decision-Making (Article 22)
- Right to Lodge a Complaint: UK ICO or your EU authority
10.2 California, USA (CCPA/CPRA)
- Right to Know
- Right to Delete
- Right to Opt-Out of sale/sharing (we do not sell data; some cookies may constitute "sharing")
- Right to Correct
- Right to Limit Use of Sensitive Personal Information
- Right to Non-Discrimination
- Do Not Sell or Share My Personal Information: footer link or privacy@settel.io
10.3 India (DPDPA)
- Right to Access and Correction
- Right to Erasure (in certain cases)
- Right to Data Portability
- Right to Grievance Redressal (Grievance Officer: privacy@settel.io)
- Right to Nominate a representative
10.4 United Arab Emirates
You may request access, correction, deletion, and object to processing under applicable UAE data protection laws. Contact privacy@settel.io.
10.5 How to Exercise Rights
Email privacy@settel.io with the subject "Data Rights Request - [Your Name]". Include your full name, email, a description of your request, and proof of identity. Response time: 30 days (GDPR/UK GDPR) or 45 days (CCPA). DPDP grievances are acknowledged within 24 hours, with a target resolution within 15 days. UAE requests are handled without undue delay.
11. International Data Transfers
Settel serves users globally. Your data may be transferred outside your country.
Data Transfer Mechanisms (EU/UK users):
- Standard Contractual Clauses (SCCs)
- Adequacy Decisions where available
- AWS Data Processing Addendum for cloud storage
Providers with international operations: AWS, Stripe, Google Analytics. All providers must protect data according to GDPR regardless of location. We do not rely on the invalidated EU-US Privacy Shield.
12. Marketing Communications
What We Send (with consent unless service-essential):
- Product updates (monthly)
- Tax and financial tips (weekly during tax season, monthly otherwise)
- Newsletter (bi-weekly)
- Promotional offers (occasional)
- Service-related notices (deadline reminders you requested, security alerts, legal changes, account notifications, billing, password resets)
Frequency:
- Max 2-3 emails per week in tax season
- Max 1-2 emails per week off-season
How to Opt Out:
- Click "Unsubscribe" in marketing emails or Settings -> Notifications
- Push notifications via device settings or Settings -> Notifications
- Essential service communications cannot be opted out of (security/legal notices)
13. Children's Privacy and Age Restrictions
- Age requirement: 18+ only. We do not knowingly collect data from anyone under 18.
- If you are under 18, do not use Settel, create an account, provide personal information, or upload documents.
- Parents/guardians: if you believe a child under 18 has provided data, contact privacy@settel.io. We will cease processing, delete data, and confirm within 30 days.
- Age verification: we may request age verification if we suspect an under-18 account. For regions where the age of consent is 16, we may require parental consent for users aged 16 to 18.
14. Accessibility and Support for Vulnerable Customers
We aim to make Settel accessible, including for language barriers, disabilities, limited financial literacy, mental health challenges, age-related considerations, or other circumstances.
Accessibility features: screen reader compatibility (WCAG 2.1 AA), keyboard navigation, high contrast mode, adjustable text sizes, clear language. Support: one-on-one guidance via support@settel.io, language assistance, accommodations, extended support, confidential handling. Priority support for accessibility needs.
15. Data Protection Complaints and Grievance Procedure
Internal Complaint Process:
- Contact privacy@settel.io (subject: "Data Protection Complaint - [Your Name]"). We acknowledge within 24 hours, investigate, respond within 15 business days, and propose remedies.
- If unsatisfied, request escalation to our Data Protection Lead; final response within 10 additional business days.
- If still unsatisfied, you may contact regulators: UK ICO, your EU authority, India DPDP Board (when established), or California AG (privacy@doj.ca.gov).
16. Changes to This Privacy Policy
We may update this policy to reflect practice or legal changes. We notify by email for material changes, show a website notice, and update the "Last Updated" date. Continued use after changes means acceptance. Request prior versions at privacy@settel.io.
17. Third-Party Links
Settel may link to third-party sites (banks, government tax portals). We are not responsible for their privacy practices or content. Review their policies before use.
18. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:
Privacy Team:
Email: privacy@settel.io
Response Time: Within 5 business days
General Support:
Email: support@settel.io
Response Time: Within 24 hours
Security Concerns:
Email: security@settel.io
Response Time: Immediate priority
Mailing Address:
Settel
167-169 Great Portland Street
Fifth Floor
London, W1W 5PF
United Kingdom
ICO Registration:
Number: ZC039135
Verify: https://ico.org.uk/ESDWebPages/Search
Data Protection Officer (if applicable):
Email: dpo@settel.io
19. Regulatory Information
- ICO registration: ZC039135.
- FCA status: NOT regulated. We do not provide regulated investment advice, manage client assets, or offer financial products. For regulated advice, consult an FCA-authorized advisor.
Compliance Standards: UK GDPR and Data Protection Act 2018; EU GDPR; ePrivacy Directive; CCPA/CPRA; DPDPA; others as applicable.
20. Definitions
- Personal Data: information relating to an identified or identifiable individual.
- Processing: operations on personal data (collection, storage, use, disclosure, deletion).
- Controller: entity determining how personal data is processed (Settel).
- Processor: third party processing on behalf of controller (e.g., AWS, Stripe).
- Consent: freely given, specific, informed, unambiguous agreement.
- Legitimate Interests: lawful purposes balanced against individual rights.
- Data Subject: the individual whose personal data is processed.
Summary: We collect and use your financial data solely to provide the Settel service. We protect your information with bank-level security, never sell your data, and give you full control over your privacy. You can access, correct, or delete your data at any time.
Next Review: April 2026