Data Protection

Last updated: 21 January 2026

This page explains how personal data is handled when you use CreditDesk, and how we support compliance with the UK GDPR and the Data Protection Act 2018.

At a glance
  • Your business is the data controller
  • CreditDesk acts as a data processor
  • Data is used only for trade credit decision support

Controller and processor roles

  • You (the merchant) are the data controller for personal data you enter into CreditDesk or import from Xero.
  • CreditDesk is the data processor, processing that data on your instructions to provide the service.

Types of data processed

  • Account data: user email address, authentication identifiers, organisation membership and roles.
  • Customer and contact data: business names, contact names, email addresses, phone numbers, addresses and internal notes.
  • Credit decision data: credit limits, manual credit overrides (amount, reason, expiry), risk indicators and activity logs.
  • Accounts receivable data: open invoice information imported from Xero, including invoice references, due dates, amounts due and ageing.
  • Technical data: logs and metadata required to operate and secure the service.

Purpose of processing

  • Display credit limits, exposure and available headroom
  • Summarise open invoice exposure and ageing
  • Record controlled manual credit overrides with audit trails
  • Support internal review and accountability
  • Operate and secure the platform

Lawful basis

  • CreditDesk processes data as a processor to perform the service contract.
  • As controller, your lawful basis will typically include contract and/or legitimate interests.

Data sources

  • Information entered directly into CreditDesk
  • Information imported from Xero via an OAuth connection you control

Subprocessors

  • Supabase – database and authentication
  • Vercel – application hosting
  • Xero – data source (customer-managed connection)

International data transfers

Some subprocessors may process data outside the UK. Where this occurs, appropriate safeguards are used, such as adequacy regulations or standard contractual clauses.

Security measures

  • Row-level security and organisation isolation
  • Access controls and role-based permissions
  • Audit logging for sensitive actions

Data retention

Data is retained for as long as your organisation maintains an account, and for a limited period afterwards where required for legal, security or operational reasons.

Data subject rights

Individuals have rights under the UK GDPR. As controller, you are responsible for responding to their requests. CreditDesk will assist where required as a processor.

Contact

For data protection queries, contact hi@jamescleworth.com.

CreditDesk · Decision support for trade credit