Privacy Policy
Last updated: 17 March 2026
1. Who We Are
kosts is operated by Bird Feed Limited, a company registered in England and Wales. We are the data controller for the personal data processed through the kosts platform.
Email: hello@kosts.app
2. What Data We Collect
We collect and process the following categories of personal data:
| Category | Data | Purpose |
|---|---|---|
| Account information | Name, email, phone number, password (hashed) | Account creation and authentication |
| Business information | Business name, role, city, number of sites | Service customisation and support |
| Invoice data | Supplier names, amounts, dates, line items, uploaded images/PDFs | Core service delivery (cost tracking) |
| Financial data | Revenue figures, food/drink costs, GP percentages | Dashboard reporting and analysis |
| Integration data | Square POS orders, Xero accounting data (when connected) | Automated data sync |
| Usage data | Pages visited, features used, referral source | Product improvement |
| Payment data | Processed by Stripe — we do not store card details | Subscription billing |
3. Legal Basis for Processing
We process your personal data on the following legal bases under the UK GDPR:
- Contract performance — processing necessary to provide the kosts service you have signed up for (account management, invoice processing, dashboard reporting)
- Legitimate interests — improving the Service, preventing fraud, ensuring security, and communicating service updates
- Consent — where you have opted in to marketing communications (e.g. newsletter signup). You may withdraw consent at any time
4. How We Use Your Data
- Providing the kosts platform and its features
- Processing uploaded invoices using AI text extraction
- Syncing data with connected third-party services (Square, Xero)
- Sending transactional emails (welcome, password reset, invoice notifications)
- Processing subscription payments via Stripe
- Responding to support requests and feature suggestions
- Improving the Service based on usage patterns
5. Third-Party Processors
We share data with the following third-party processors, each of which has their own privacy policies:
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe (US) | Payment processing | Email, subscription details (no card numbers stored by us) |
| Postmark (US) | Email delivery & inbound processing | Email addresses, invoice attachments (forwarded emails) |
| Anthropic (US) | AI invoice scanning (Claude) | Invoice images/PDFs for text extraction |
| Square (US) | POS data sync (when connected) | Revenue and order data (read-only access) |
| Xero (NZ/AU) | Accounting sync (when connected) | Invoice data pushed as purchase bills |
| Railway (US) | Application hosting | All application data (hosted on their infrastructure) |
Some processors are based outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.
6. Aggregated & Anonymised Data
We may collect, aggregate, and anonymise data derived from your use of kosts to create datasets that cannot identify you or your business. This Aggregated Data may be used for:
- Industry benchmarking and trend reports (e.g. average food cost percentages by region)
- Improving the Service and developing new features
- Commercial data products, analytics, or research shared with or sold to third parties
- Training machine-learning models for better invoice processing
Aggregated Data is processed under our legitimate interests legal basis (improving the Service and generating industry insights). It contains no personally identifiable information and cannot be traced back to any individual or business.
Your identifiable data (invoices, supplier names, financial records) is never sold or shared with third parties without your explicit consent. See our Terms & Conditions (Section 5A) for full details.
7. Data Retention
- Active accounts: Data is retained for as long as your account is active
- Cancelled accounts: Data is retained for 90 days after cancellation, then permanently deleted
- Invoice images: Stored securely for as long as your account is active; deleted with your account
- Payment records: Retained as required by financial regulations (typically 6 years)
- You may request earlier deletion by contacting us
8. Cookies & Local Storage
kosts uses minimal cookies and storage:
- Session cookie: Essential for keeping you logged in. This is a strictly necessary cookie and does not require consent
- Session storage: Used by the chat widget to remember your session. Cleared when you close your browser tab
We do not use any analytics cookies, tracking pixels, advertising cookies, or third-party tracking scripts. No cookie consent banner is required as we only use strictly necessary cookies.
9. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restrict processing — request that we limit how we use your data
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at hello@kosts.app. We will respond within 30 days.
10. Children's Privacy
kosts is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us immediately.
11. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of sensitive data (integration tokens encrypted with Fernet symmetric encryption)
- Password hashing using industry-standard algorithms
- HTTPS encryption for all data in transit
- Access controls limiting data access to authorised personnel
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice within the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113
14. Contact
For any privacy-related questions or requests:
Bird Feed Limited (trading as kosts)
Email: hello@kosts.app