Privacy Policy

Last updated: 11 July 2026

1. Who we are

DivGenie is a product of Hicks Harbour Software Ltd (“we”, “us”, “our”). We are a company registered in England and Wales under company number 16697124. Our registered office is 13 Crealock Street, London, SW18 2BS.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Hicks Harbour Software Ltd is the data controller of the personal data processed through DivGenie.

Website: hicksharbour.com

Companies House: Company number 16697124

2. What personal data we collect

We collect only the personal data we need to provide DivGenie. This includes:

  • Account data: your name and email address. Authentication credentials are processed by our authentication provider; we do not store plaintext passwords. If you sign in through a third-party provider, we receive basic profile information from that provider.
  • Accounting connection data: when you connect an accounting provider such as Xero, we receive OAuth tokens and cached snapshots of your accounting data (for example, balance sheet and profit & loss figures, chart of accounts, and liability mappings). This data may include personal data about you and other officers or shareholders of your company.
  • Scenario and settings data: dividend assumptions, reserve settings, and liability mappings that you enter or adjust.
  • Technical and usage data: IP address, browser type and version, device type, operating system, referral source, pages visited, session identifiers, and error and performance logs.
  • Communications: emails or messages you send us, including support requests and feedback.

3. How we use your personal data and our lawful bases

We use your personal data only where we have a valid legal basis under UK data protection law:

  • To provide and maintain the service — to authenticate you, calculate dividend capacity, display financial summaries, and run scenario planning. This is necessary for the performance of our contract with you.
  • To keep the service secure — to detect and prevent fraud, abuse, and unauthorised access, and to manage bot traffic. This is necessary for the performance of our contract and for our legitimate interest in keeping DivGenie secure.
  • To communicate with you — to send service messages, respond to support requests, and notify you of important changes. This is necessary for the performance of our contract and for our legitimate interest in providing support.
  • To improve DivGenie — to diagnose bugs, analyse usage patterns, and develop new features. This is based on our legitimate interest in maintaining and improving the service, and we use anonymised or aggregated data wherever possible.
  • To comply with legal obligations — for example, to respond to lawful requests from regulators or courts, or to meet tax and company law requirements.

We do not use your data for behavioural advertising and we do not sell your personal data.

4. Who we share your data with

We use carefully selected third-party service providers (data processors) to run DivGenie. They can access your personal data only to perform tasks on our behalf and are contractually bound to protect it.

  • Supabase — authentication, database hosting, and storage.
  • Cloudflare — website security, bot protection (Turnstile), and content delivery.
  • Xero — your accounting data source. Xero processes your data under its own privacy policy when you authorise the connection.
  • Hosting and infrastructure providers — used to deploy and operate the DivGenie application and backups.

We may also disclose personal data if required to do so by law or in response to a valid request from a regulatory or governmental authority.

5. International data transfers

Some of our processors may store or otherwise process personal data outside the UK, including in the European Economic Area (EEA) and the United States. Whenever we transfer personal data outside the UK, we ensure that appropriate safeguards are in place, such as an adequacy decision, the UK International Data Transfer Agreement, or Standard Contractual Clauses approved under UK GDPR.

6. Data security

We protect your personal data using appropriate technical and organisational measures. This includes encrypting OAuth tokens and sensitive data at rest, encrypting data in transit using TLS, using multi-factor authentication for administrative access, and regularly reviewing our access controls and security practices.

No method of transmission over the internet or electronic storage is completely secure, but we follow industry standards to keep your data safe.

7. How long we keep your data

We keep your personal data only for as long as necessary for the purposes described in this policy:

  • Account and service data: retained while your account is active and deleted within 30 days of account closure or disconnection of your accounting provider, unless we are legally required to keep it for longer.
  • Accounting snapshots and OAuth tokens: retained until you disconnect your accounting provider or delete your account, after which they are removed.
  • Backups: may retain copies of your data for up to 90 days after deletion for disaster-recovery purposes.
  • Server logs: retained for up to 12 months for security monitoring, debugging, and abuse prevention.
  • Support correspondence: retained for up to 3 years from the date of the last message.

8. Your rights

Under UK data protection law, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete personal data.
  • Erase your personal data in certain circumstances (“right to be forgotten”).
  • Restrict processing of your personal data in certain situations.
  • Object to processing based on legitimate interests.
  • Data portability — receive your data in a structured, commonly used, machine-readable format.
  • Withdraw consent at any time, where we rely on consent.
  • Lodge a complaint with the Information Commissioner’s Office (ICO).

To exercise any of these rights, contact us using the details below. We will respond within one month, and we may need to verify your identity before acting on your request.

9. Cookies and similar technologies

We use only essential cookies and similar technologies that are necessary for DivGenie to function. These include authentication session cookies and security tokens.

We do not use cookies for analytics, advertising, or tracking. Because our cookies are strictly necessary, we do not ask for consent to set them. You can disable cookies in your browser, but doing so may prevent you from signing in or using parts of the service.

10. Automated decision-making

DivGenie performs automated calculations based on the accounting data you provide. These calculations are for information purposes only and do not constitute legal, tax, or financial advice. We do not make solely automated decisions that produce legal or similarly significant effects about you.

11. Children

DivGenie is not directed at children under 16, and we do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us and we will delete it.

12. Changes to this privacy policy

We may update this policy from time to time to reflect changes in our service, legal requirements, or data protection practices. We will update the “Last updated” date at the top of this page, and we will notify you of significant changes by email or through the service.

13. Complaints

If you have a concern about how we handle your personal data, please contact us first. You also have the right to complain to the UK Information Commissioner’s Office (ICO):

ico.org.uk/make-a-complaint

14. Contact us

For any privacy-related questions, or to exercise your rights, please contact:

Hicks Harbour Software Ltd
Email: hello@divdash.co.uk
Website: hicksharbour.com