Privacy Policy

Last Updated:

1. Introduction

Recap Technologies Limited ("we", "us", or "our") operates the Recap website (https://recap.io) and the Recap App (https://app.recap.io) (collectively, the "Service" or "Platform"). This Privacy Policy outlines how we collect, use, and share information when you use our Service, and explains your rights regarding your personal data under UK GDPR, EU GDPR, California Consumer Privacy Act (CCPA/CPRA), and other applicable laws.

Recap Technologies Limited is registered with the UK Information Commissioner's Office (ICO), demonstrating our commitment to safeguarding your data.

Organisation Name: Recap Technologies Limited
ICO Registration Reference: ZB735084
Company Number: 11218777

Our Data Protection Officer (DPO) is Daniel Howitt, who is responsible for overseeing questions related to this Privacy Policy. You can contact Daniel at dataprotection@recap.io for any privacy-related inquiries or concerns.

2. Definitions

"Advisor" means any individual or entity that uses the Platform to provide professional services to clients, including but not limited to accountants, tax advisors, bookkeepers, financial planners, and other professional service providers, regardless of their legal structure (whether sole trader, partnership, limited company, LLP, or otherwise).

"CASP" means a Cryptoasset Service Provider, including cryptoasset exchanges, custodians, and wallets.

"Cookies" means small files stored on your device used to track activities on our Service.

"Data Controller" means Recap Technologies Limited, which is responsible for determining how and why your personal data is processed.

"Data Processor" means third-party service providers we use to process personal data on our behalf.

"End Client" means a client or prospective client of an Advisor who uses the Platform, either directly or through their Advisor.

"Personal Data" means any information relating to an identified or identifiable individual, including email addresses, names, and usage data.

"Service" or "Platform" refers to the Recap website and applications.

"Usage Data" means information collected automatically, including your IP address, browser details, and the duration of your visits.

"You" means the individual accessing or using the Service.

3. Information Collection and Use

3.1 Personal Information We Collect

When you create an account with Recap, the only required personal information is your email address. We do not require your name or other personal identifiers unless you choose to provide them.

If you use Recap to share data with an Advisor (such as an accountant or tax advisor), you may be asked to provide your first and last name for identification purposes. You are free to use an alias or pseudonym in place of your real name.

We collect the following types of personal information:

  • Email Address: For account creation, authentication, and communication.
  • First and Last Name (or Alias): For sharing data with Advisors.
  • Crypto Wallet Addresses and CASP API Credentials: We collect wallet addresses and cryptoasset service provider (CASP) API credentials strictly for automating transaction retrieval. CASPs include crypto exchanges, custodians, or wallets.
  • Cryptoasset Transaction Records: We retrieve and process cryptoasset transaction histories including wallet addresses, timestamps, asset types, amounts, fees, and counterparties where applicable. This is used for portfolio management and tax calculation purposes.

3.2 Data Recap Can and Cannot Access

Recap employs a "zero-knowledge" approach to protect your privacy. Your portfolio data is encrypted on your device using your secret phrase before being uploaded to our servers.

Data Recap cannot access: Your encrypted portfolio data (including transaction details, holdings, and tax calculations) is encrypted on your device before upload. Recap cannot decrypt this data without your secret phrase, which we do not store.

Data Recap may process in unencrypted form: In order to provide the Services, certain data is processed before encryption or outside the encrypted portfolio, including:

(a) wallet addresses, when syncing blockchain data or performing wallet screening; (b) transaction data and portfolio balances retrieved from cryptoasset exchanges and CASPs via Recap's proxy infrastructure (this data passes through Recap's servers before being encrypted client-side); (c) authentication tokens exchanged during API connections to third-party exchanges (via OAuth or similar protocols); (d) your email address and account settings; and (e) usage data and analytics as described in this Privacy Policy.

3.3 Secret Phrase

When you create an account, you will be provided with a unique secret phrase. This secret phrase is used to derive the encryption keys for your portfolio data. Recap does not store your secret phrase and cannot recover it if lost.

Important: If you lose your secret phrase, you will permanently lose access to your encrypted portfolio data. Recap cannot restore this access.

3.4 API Connections and Data Import

Recap integrates with CASPs on a read-only basis solely for transaction retrieval. Recap does not request or process write-access permissions (e.g., trading or withdrawal rights). It is your responsibility to configure access scopes when providing API credentials. Recap provides guidance in-platform to help ensure strictly read-only permissions.

Recap disclaims liability for user misconfiguration of API credentials.

3.5 Usage Data

We automatically collect Usage Data when you interact with our Service. This includes data such as your device's browser type, operating system, pages visited, and time spent on each page.

4. Sharing Data with Advisors

The Platform allows you to share access to your portfolio with Advisors (such as accountants, tax advisors, bookkeepers, or financial planners). Sharing is only permitted with Advisors - you cannot share portfolio access with family members, friends, or other non-professional third parties through the Platform.

When you share access with an Advisor:

(a) you grant that Advisor permission to view, and where you enable it, to edit or manage the data in your portfolio; (b) you remain responsible for all activity within your portfolio; (c) you may revoke access at any time through the Platform.

Advisors may also create portfolios on behalf of their End Clients (including prospective clients for due diligence purposes). In such cases, the Advisor acts as the data controller for that data and is responsible for ensuring appropriate privacy notices are in place with their End Clients.

4.1 Advisor Employee Data

If you are an employee or contractor of an Advisor using the Platform as an Authorised User, your personal data (such as your name, email address, and login credentials) is processed by Recap as Controller under this Privacy Policy. Your employer's Data Processing Addendum with Recap covers End Client and prospective client data, not your own employee account data.

5. Legal Basis for Processing Personal Data

5.1 Under UK GDPR and EU GDPR

We process personal data based on the following legal grounds:

  • Consent: You have provided clear consent for us to process your data.
  • Performance of a contract: Processing is necessary to fulfil our obligations under a contract with you.
  • Legal obligation: Processing is necessary to comply with legal obligations.
  • Legitimate interests: Processing is necessary for our legitimate interests (such as improving the Service) unless these interests are overridden by your rights.

5.2 Under CCPA/CPRA (for California Residents)

For California residents, under the CCPA/CPRA, you have the following rights:

  • Right to know what personal data is being collected, its purposes, and any third parties with whom it is shared.
  • Right to request deletion of your personal data.
  • Right to opt out of the sale of your personal data.
  • Right to non-discrimination for exercising your privacy rights.

6. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain our Service, including portfolio tracking and tax calculations.
  • To notify you of any changes to the Service.
  • To provide customer support via Intercom or email.
  • To monitor the performance of the Service and identify areas for improvement.
  • To send transactional emails through Postmark regarding your account activity.
  • To send product-related communications through Intercom.
  • To analyse website traffic using anonymous analytics (Fathom Analytics, which captures no personal data).
  • With explicit consent, to collect and analyse user interaction data for improving functionality and user experience (PostHog).
  • To track errors and improve the stability of the Service (Sentry).
  • To prevent fraud during payment processing via Google reCAPTCHA.
  • To perform wallet screening against sanctions and terrorist financing databases for enhanced due diligence.
  • To comply with legal obligations.

6.1 Use of Artificial Intelligence

Recap does not use AI for its core tax calculation, portfolio management, or cryptoasset processing services. All tax calculations are performed by Recap's own deterministic algorithms. However, some third-party services we use include AI features:

Intercom (Fin AI): Our customer support platform uses an AI-powered chatbot (built on OpenAI's ChatGPT technology) to help answer common queries. Fin may process your name, email address, support conversation content, and limited portfolio metadata (such as total transaction counts and connected account counts). Fin does not have access to encrypted portfolio data such as transaction details, wallet addresses, holdings, or tax calculations. If Fin cannot resolve your query, it is escalated to a human support agent.

Sentry (AI-assisted error analysis): Our error tracking service uses AI features to analyse technical errors and suggest potential resolutions. This processes technical data (error logs, stack traces, IP addresses) and user email addresses for error correlation. Sentry does not process portfolio data.

No AI is used for profiling, scoring, eligibility decisions, or any automated decision-making with legal or significant effects on individuals.

7. Data Retention

We retain your personal data only for as long as necessary for the purposes outlined in this Privacy Policy, or to comply with legal obligations.

  • Personal Data: Retained for the duration of your use of the Service or until you request deletion, subject to retention requirements for legal or financial purposes.
  • Usage Data: Retained for a shorter period unless required for security or legal reasons.

8. Your Rights

Under UK GDPR, EU GDPR, and CCPA/CPRA, you have several rights regarding your personal data, including:

  • The right to access your data.
  • The right to rectify any inaccuracies in your data.
  • The right to delete your data ("right to be forgotten").
  • The right to restrict processing of your data.
  • The right to data portability, allowing you to receive your data in a structured, machine-readable format.
  • The right to object to the processing of your data for certain purposes, such as direct marketing.
  • The right to withdraw consent at any time, where applicable.

To exercise any of these rights, contact us at dataprotection@recap.io.

9. Cookies

Our Service uses cookies and similar tracking technologies to track activity and improve user experience. For more detailed information on how we use cookies and how you can manage your cookie preferences, please visit our Cookie Policy at https://recap.io/legal/cookies.

10. Third-Party Services

We use several third-party services to help deliver our Service effectively. These third-party processors handle personal data under strict privacy and security measures:

Auth0 – Authentication and user management. User emails, names, and login details are stored on their EU infrastructure. Privacy Policy: https://auth0.com/privacy

Chargebee – Billing management. Chargebee stores user emails, names, and payment details for subscription management. Privacy Policy: https://www.chargebee.com/privacy

Intercom – Customer communication and support. User emails and names are stored on their infrastructure. Privacy Policy: https://www.intercom.com/legal/privacy

Sentry – Error reporting. Technical data including IP addresses and error details are stored when issues occur. Privacy Policy: https://sentry.io/privacy/

Postmark – Email delivery. User emails are stored to facilitate transactional email delivery. Privacy Policy: https://postmarkapp.com/privacy-policy

Stripe – Payment processing. Stripe stores user emails, names, and payment details to facilitate secure transactions. Privacy Policy: https://stripe.com/privacy

PayPal – Payment processing. PayPal stores user emails, names, and payment details for transaction purposes. Privacy Policy: https://www.paypal.com/uk/legalhub/privacy-full

PostHog – Product analytics (only enabled with explicit cookie consent). User interaction data and usage patterns are stored on their EU infrastructure. Privacy Policy: https://posthog.com/privacy

Google reCAPTCHA – Fraud prevention. Google collects IP addresses and browser behaviour to assess fraud risk. Google acts as an independent controller for this data. Privacy Policy: https://policies.google.com/privacy

Fathom Analytics – Website analytics. Fathom provides privacy-focused analytics that do not collect personal data or use cookies. Privacy Policy: https://usefathom.com/privacy

These third parties have access to your personal data solely for the purpose of performing their services and are required not to use or disclose it for any other purpose.

10.1 Blockchain Data Providers

Recap queries public blockchain data via third-party indexing services (such as blockchain explorers and RPC node providers). When we sync your wallet data:

  • Only wallet addresses (public blockchain identifiers) are shared with these services.
  • No identifying information (such as your name or email) is shared.
  • Wallet addresses are pseudonymous public data on the blockchain and do not constitute personal data when processed in isolation.

For this reason, blockchain data providers are not listed as subprocessors in our Data Processing Addendum.

11. Children's Privacy

Our Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe that a child has provided us with personal data, please contact us at dataprotection@recap.io so we can delete it.

12. International Data Transfers

Some of our third-party service providers are located outside the UK and European Economic Area. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

  • UK Addendum to EU Standard Contractual Clauses
  • EU adequacy decisions (for services with data stored in adequate jurisdictions)
  • Transfers to UK-based processors (no additional safeguards required)

For more details on the safeguards we use for specific processors, please refer to our Data Processing Addendum at https://recap.io/legal/dpa.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of any material changes by posting the updated policy on this page and, where required, by sending an email notification. We encourage you to review this Privacy Policy regularly.

14. Contact Us

If you have any questions or concerns about this Privacy Policy, your personal data, or how we process it, please contact us:

Email: dataprotection@recap.io
Data Protection Officer: Daniel Howitt
Address: 71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ
ICO Registration Reference: ZB735084

Requests for signed Data Processing Addendums can be made by contacting dataprotection@recap.io.