1. Who we are
ReqVault is a document collection tool for accounting firms, operated by Felix Moldenhauer. Contact: hello@reqvault.app. For the purposes of UK and EU GDPR, ReqVault acts as a data processor when handling documents uploaded by your clients on your behalf, and as a data controller for your own firm's account data. A Data Processing Agreement is available on request.
2. What data we collect
Firm name and email address, client names and email addresses, uploaded documents and their metadata, AI verification results, usage data and logs.
3. How we use your data
To provide the document collection service, to send email notifications about uploaded documents, to verify documents using AI, and to improve the service.
4. Legal basis for processing
We process data under UK and EU GDPR on the following legal bases: contract (to deliver the ReqVault service you've signed up for), legitimate interest (security, fraud prevention, and service improvement), and legal obligation (where required by law).
5. Data security
All client documents and data are stored encrypted at rest using AES-256 encryption via our storage infrastructure (Supabase). All data transmission occurs over encrypted TLS connections. Each document is scoped to a single firm and client — cross-tenant access is not technically possible.
Magic links used for client document uploads are time-limited (configurable by the accountant, default 30 days), single-purpose (granting access only to the specific submission), and can be revoked or reissued by the accountant at any time. Each link is uniquely tokenised and cannot access any other client's data.
Authentication uses Supabase Auth with industry-standard practices including session tokens and secure cookies. We do not store passwords in plaintext.
We are working towards SOC 2 Type II certification to formalise these protections.
6. AI and document verification
ReqVault uses Anthropic's Claude API to verify documents at the point of upload. The AI checks whether an uploaded document matches the requirement, extracts the tax year, identifies issues, and provides a confidence score.
Document content is sent to Claude only for this verification step. Under Anthropic's commercial terms, your data and your clients' data are never used to train Anthropic's AI models, and document content is processed in transit and is not retained by Anthropic for training purposes.
The accountant remains in full control. AI verification is a tool to assist review, not a replacement for professional judgement. All accept, reject, and review decisions are made by the accountant.
7. Third-party services
ReqVault relies on the following third-party services to operate. Each processes data only as needed for their specific role:
- Supabase — database hosting, file storage, and authentication. All client documents and account data are stored on Supabase infrastructure.
- Resend — transactional email delivery (upload notifications, magic link emails, expiry warnings). Email content is processed for delivery and not retained beyond standard logging.
- Anthropic (Claude API) — AI document verification at upload. Document content is processed under Anthropic's commercial terms with no training use.
- Vercel — hosting and content delivery for the ReqVault web application.
- Stripe — payment processing (when paid plans are introduced). Payment card details are never stored on ReqVault servers.
8. Data retention and deletion
When an accountant deletes a client, all associated submissions, magic links, and uploaded documents are permanently removed from our systems via cascade deletion. Deletion is irreversible.
9. Data residency
Our infrastructure is currently hosted on Supabase, with data primarily stored in regions specified in their data processing terms. If your firm has specific data residency or compliance requirements, please reach out to discuss your needs.
Some of our third-party processors operate outside the UK and EU (for example, Anthropic is based in the US). Where data is transferred internationally, we rely on appropriate legal safeguards such as Standard Contractual Clauses, in line with UK and EU data protection requirements.
10. Your rights
Under UK and EU GDPR you have the right to access, correct, or delete your data, to object to or restrict processing, to receive your data in a portable format, and to withdraw consent where processing is based on it. You can also lodge a complaint with the UK Information Commissioner's Office (ICO) or your local data protection authority.
To exercise any of these rights, email hello@reqvault.app. We respond within one month as required by GDPR.
11. Cookies
ReqVault uses only essential cookies required for authentication. No tracking or advertising cookies are used.
12. Changes to this policy
We may update this policy occasionally. We will notify accountants by email of significant changes.
13. Contact
Questions about this Privacy Policy or how we handle your data? Email hello@reqvault.app and we'll respond within five business days.