Last updated: April 2026
This Privacy Policy explains how Creator Business OS Ltd ("Company", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use Filssi and its associated services.
Filssi is a software platform owned and operated by Creator Business OS Ltd, a company registered in England and Wales under company number 17168418, with registered office at [Registered Office Address]. Further information about Creator Business OS Ltd is available at www.creatorbusinessos.com.
This policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).
We are committed to protecting your privacy and ensuring that your personal data is handled responsibly, transparently, and in accordance with all applicable data protection legislation. This Policy should be read alongside our Terms and Conditions.
Creator Business OS Ltd is the Data Controller for personal data we collect about you as a user of our platform — for example, your account information, contact details, and usage data.
When you use the Filssi Service to process personal data of your own clients, customers, employees, or other third parties, you act as the Data Controller for that business data, and Creator Business OS Ltd acts as your Data Processor. We process that data only on your documented instructions and in accordance with our Data Processing Agreement (DPA) and applicable law.
If you have any questions about this Privacy Policy or our data practices, please contact us using the details above.
We collect and process the following categories of personal data, depending on how you use the Service:
When you register for an account, we collect:
When you use our financial management features, the following data may be stored within the Service:
We automatically collect certain information about how you interact with the Service:
We use cookies and similar technologies to facilitate your use of the Service. For detailed information, see Section 11 (Cookies Policy).
We process your personal data only where we have a lawful basis to do so under the UK GDPR. The table below sets out the purposes for which we process your data and the corresponding legal basis:
| Purpose | Legal Basis (UK GDPR Article 6) |
|---|---|
| Providing and operating the Service — account management, invoicing, payroll, accounting, CRM, and all platform features | Contract performance (Art. 6(1)(b)) — Processing necessary to perform our contract with you |
| Processing subscription payments and billing | Contract performance (Art. 6(1)(b)) — Processing necessary to fulfil billing obligations |
| Sending transactional emails (invoices, notifications, account updates, trial communications) | Contract performance (Art. 6(1)(b)) — Communications necessary for service delivery |
| Ensuring platform security, preventing fraud, and monitoring for abuse | Legitimate interests (Art. 6(1)(f)) — Our legitimate interest in maintaining a secure platform |
| Analysing usage patterns to improve the Service | Legitimate interests (Art. 6(1)(f)) — Our legitimate interest in developing and improving the Service |
| Sending marketing communications and product updates | Consent (Art. 6(1)(a)) — Only with your explicit opt-in consent, which you may withdraw at any time |
| Maintaining financial records for tax, audit, and legal purposes | Legal obligation (Art. 6(1)(c)) — We are legally required to retain certain records |
| Responding to legal requests and complying with court orders or regulatory obligations | Legal obligation (Art. 6(1)(c)) — Processing necessary to comply with legal obligations |
Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests (see Section 10).
Where customers use the payroll features within Filssi, the Service may process personal data relating to employees of the Customer. In this context, the Customer is the Data Controller and Creator Business OS Ltd is the Data Processor of that employee data.
Payroll-related personal data processed through the Service may include:
As Data Processor, Creator Business OS Ltd processes employee data only on the instructions of the Customer (Data Controller). Customers are responsible for ensuring they have a lawful basis to process their employees' personal data and for maintaining appropriate employee-facing privacy notices in their own right.
Creator Business OS Ltd processes employee data solely to provide the payroll functionality within Filssi. We do not use employee data for any other purpose.
We share your personal data only with trusted third-party service providers ("sub-processors") who assist us in operating the Service. Each sub-processor is bound by a data processing agreement that requires them to protect your data in accordance with UK GDPR.
We use Stripe to process subscription payments and manage billing. Stripe receives payment information directly and is PCI DSS Level 1 certified. We do not store full card details on our servers. Stripe's privacy policy is available at stripe.com/privacy.
We use Resend to deliver transactional emails including invoices, payment confirmations, account notifications, and system alerts. Resend processes your email address and the content of transactional communications on our behalf.
Your application data is stored in a PostgreSQL database hosted by Neon. All data is encrypted at rest and in transit using industry-standard protocols. Neon provides enterprise-grade security and is subject to data protection contractual obligations.
When you use the receipt or invoice scanning feature, document images are sent to OCR.space for optical character recognition. Documents are processed in real time and are not permanently stored by OCR.space following processing.
Where the AP email capture feature is enabled, inbound emails sent to your assigned capture address are processed by Mailgun on our behalf. Email content (including any attached documents) is passed through our processing pipeline and then discarded by Mailgun. We retain only the extracted data and original document relevant to the AP bill created.
We may update or replace sub-processors from time to time as the Service evolves. Where such changes are material to the processing of your personal data, we will provide advance notice in accordance with our legal obligations. An up-to-date list of sub-processors is available upon request to support@filssi.com.
We do not sell, rent, lease, or trade your personal data to any third party for marketing or commercial purposes. Your data is used exclusively for the purpose of providing and improving the Service.
Some of our sub-processors may process data outside the United Kingdom and the European Economic Area (EEA). Where such transfers occur, we ensure that appropriate safeguards are in place in compliance with UK GDPR Chapter V.
For transfers of personal data to countries that have not received a UK adequacy decision, we rely on one or more of the following mechanisms:
We monitor changes to adequacy decisions and transfer mechanisms regularly and update our arrangements accordingly.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The table below sets out our standard retention periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email, company details) | Duration of account + 30 days | Necessary for service provision; 30-day grace period for data export after account closure |
| Financial records (invoices, expenses, payments, journals, tax records) | 7 years from creation | Legal requirement under UK tax legislation (HMRC requirements) |
| Payroll records (payslips, P60s, PAYE data) | 7 years from tax year end | HMRC statutory requirement for payroll record-keeping |
| Usage logs (login times, feature usage, IP addresses) | 12 months | Legitimate interest in security monitoring, troubleshooting, and service improvement |
| Marketing consent and preferences | Until consent is withdrawn | Consent-based processing; retained until you opt out |
| Technical and cookie data | Session or up to 12 months | Necessary for platform functionality and analytics |
Retention periods may be extended beyond those stated above where required for legal obligations, fraud prevention, dispute resolution, regulatory enforcement, or other legitimate record-keeping purposes. When data is no longer required, it is securely deleted or anonymised in accordance with our data management procedures.
We take the security of your personal data seriously. We implement appropriate technical and organisational security measures designed to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction.
Our security measures include:
While we apply robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and for notifying us immediately of any suspected unauthorised access.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority (the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exemptions under applicable law.
You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed. We will respond to your request within one month of receipt.
You have the right to request that we correct any inaccurate personal data or complete any incomplete data we hold about you. You can also update most information directly through your account settings.
You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful. This right does not apply where we are legally required to retain data (for example, financial records for tax compliance).
You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while you contest the accuracy of data we hold about you.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. The Service provides built-in export features (Excel, CSV, PDF) to support this right.
You have the right to object to processing based on legitimate interests. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Where we process your data on the basis of consent (for example, marketing communications), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.
If you believe our processing of your personal data infringes data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
To exercise any of the rights above, please contact our Data Protection Officer at support@filssi.com. We will respond within one month. In complex cases, this may be extended by up to two further months, in which case we will inform you promptly of the extension and the reasons for it.
To protect your privacy, we may request verification of your identity before processing certain requests. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive in nature.
Cookies are small text files placed on your device when you use the Service. We use cookies strictly to ensure the proper functioning of the platform and, where you have consented, to improve your experience.
These cookies are strictly necessary for the operation of the Service and cannot be disabled without impairing functionality. They include:
We may use analytics cookies to understand aggregate usage patterns and to improve the Service. Analytics data is collected in aggregate form and does not identify individual users. Analytics cookies that are not strictly necessary are only set where you have provided consent, in accordance with applicable law.
You can manage or block cookies through your browser settings. Most browsers allow you to view, delete, and block cookies on a site-by-site basis. Please note that disabling essential cookies will impair the functionality of the Service and may prevent you from accessing certain features.
The Service is a business software platform designed exclusively for use by individuals aged 18 and over. We do not knowingly collect or process personal data from anyone under the age of 18.
If we become aware that personal data from a person under 18 has been collected, we will take steps to delete that data as soon as reasonably practicable. If you believe a minor has provided data to us, please contact us immediately at support@filssi.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of an updated policy constitutes your acknowledgement of and agreement to the changes.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us using the details below. We will always try to resolve your concern directly before you feel the need to escalate to a supervisory authority.
Our Data Protection Officer is responsible for overseeing our data protection compliance and can be contacted for any data protection queries or to exercise your rights under UK GDPR:
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office: