Privacy Policy
Last updated: April 2026
1. Who we are
Kibbl (“we”, “us”, “our”) operates the Kibbl platform, a financial data verification service for UK SMB business sales. Kibbl acts as a data controller in respect of broker account data, and as a data processor in respect of seller financial data processed on behalf of brokers.
For data protection enquiries, contact us at: ricoashmore2003@gmail.com
2. Data we collect
Broker account data
- Name and company name
- Email address and hashed password
- Company logo (if uploaded)
- Subscription and billing information (processed via Stripe)
- Usage data — deals created, reports generated, login timestamps
Seller financial data
When a seller completes the consent flow, we access and store the following data on the broker’s behalf, solely to generate the financial due diligence report:
- Bank account details and up to 24 months of transaction history, obtained via TrueLayer Open Banking
- Profit & loss statements, balance sheets, and aged receivables/payables from Xero or QuickBooks
- Seller email address (provided by the broker when creating a deal)
Technical data
- IP addresses and browser information collected automatically by Vercel (our hosting provider)
- Cookies required for session management (NextAuth.js session tokens)
3. How we use your data
- To provide the service — generating financial summary reports for UK SMB business sale transactions.
- To manage your account — authentication, subscription billing, and account administration.
- To send transactional emails — deal status notifications and password reset emails. We do not send marketing emails.
- To improve the service — aggregated, anonymised usage analytics. We do not sell personal data.
Our lawful basis for processing broker data is contract performance (providing the service you have subscribed to). Our lawful basis for processing seller financial data is the legitimate interests of the broker and seller in completing a lawful business sale transaction, combined with the seller’s explicit consent given through the Kibbl consent portal.
4. Data retention
- Broker account data — retained for the duration of your subscription plus 12 months after account closure, then deleted.
- Seller financial data and reports — retained for 24 months from the date the report was generated, then permanently deleted. Brokers may request earlier deletion by emailing us.
- Open Banking tokens — access tokens are short-lived and refreshed only during active ingestion. We do not retain live banking access after report generation is complete.
- Password reset tokens — expire after 1 hour and are deleted upon use.
5. Third-party processors
We share data with the following sub-processors, each bound by data processing agreements:
| Processor | Purpose | Data shared |
|---|---|---|
| TrueLayer | Open Banking data access | Seller bank credentials (via OAuth), transaction data |
| Xero / Intuit (QuickBooks) | Accounting data access | Seller accounting credentials (via OAuth), financial reports |
| Stripe | Subscription billing | Broker name, email, payment card data |
| Vercel | Application hosting | All application data (hosted infrastructure) |
| Resend | Transactional email delivery | Broker and seller email addresses, email content |
| Anthropic (Claude API) | AI-generated report narrative | Anonymised financial summary figures |
All processors are either UK-based or operate under UK GDPR-compliant transfer mechanisms (Standard Contractual Clauses or adequacy decisions).
6. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — to request a copy of personal data we hold about you.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure — to request deletion of your data, subject to legal retention obligations.
- Right to restriction — to request we limit how we use your data while a dispute is resolved.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at ricoashmore2003@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
7. Cookies
Kibbl uses only strictly necessary cookies for session management (authentication tokens). We do not use tracking, analytics, or advertising cookies. No cookie consent banner is therefore required.
8. Changes to this policy
We may update this policy from time to time. We will notify registered brokers of material changes by email. Continued use of the platform after the effective date of changes constitutes acceptance.
9. Contact
For any privacy-related queries: ricoashmore2003@gmail.com