Privacy Policy
Shareflo Ltd - www.shareflo.co.uk
Last updated: 4 April 2026
1. Introduction
Welcome to Shareflo's privacy policy.
Shareflo Ltd (company number 17005740), whose registered office is at 124 City Road, London, EC1V 2NX, UK ("Shareflo", "we", "us", or "our"), respects your privacy and is committed to protecting your personal data.
This privacy policy explains how we collect, use, store and share your personal data when you visit our website at www.shareflo.co.uk (the "Website"), use the Shareflo platform (the "Platform"), or otherwise interact with us. It also tells you about your privacy rights and how the law protects you.
This privacy policy applies to all users of the Website and Platform, including company administrators, stakeholders (such as shareholders and option holders) who access the Platform through a stakeholder portal, and visitors to the Website who do not have an account.
Please read this privacy policy carefully. By using the Website or Platform, you acknowledge that you have read and understood this policy. If you have any questions, please contact us using the details in section 2 below.
2. Who we are and how to contact us
Shareflo is the data controller responsible for your personal data. This means we determine the purposes and means of processing your personal data.
If you have any questions about this privacy policy, including any requests to exercise your data protection rights, please contact us:
Email: privacy@shareflo.co.uk
You have the right to make a complaint at any time to the Information Commissioner's Office (the "ICO"), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
3. Changes to this privacy policy
We keep this privacy policy under regular review. We will notify you of any material changes by email or by posting a prominent notice on the Website or Platform. We encourage you to review this policy periodically.
4. The personal data we collect
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer the following categories of personal data:
Identity Data — your first name, last name, job title, and any other identifying information you provide when creating or managing an account.
Contact Data — your email address, telephone number, and postal address.
Account Data — your username, password (stored in hashed form only), account preferences, and your role and permission level within the Platform (for example, Admin, Manager, Finance, HR, or Read-only).
Company Data — the name, registered number, registered address, and other details of the company whose cap table is managed through the Platform. While company data is not personal data in itself, it may be associated with personal data (for example, a sole director's details).
Equity Data — information about share instruments, holdings, transactions, vesting schedules, option grants, exercise prices, and other cap table records entered into the Platform by you or your company's administrators. This may include personal data about stakeholders such as their names, contact details, and the nature and extent of their holdings.
Financial Data — payment card details (processed by our payment provider Stripe — we do not store full card numbers), billing address, and subscription information.
Transaction Data — details of payments made to us, including amounts, dates, and invoice records.
Technical Data — your internet protocol (IP) address, browser type and version, time zone setting, operating system, and other technology on the devices you use to access the Website or Platform.
Usage Data — information about how you use the Website and Platform, including pages visited, features used, session duration, and actions taken.
Communications Data — records of correspondence between you and us, including support requests and feedback.
AI Interaction Data — when you use our AI-powered cap table assistant ("Flo") or connect the Platform to third-party AI tools, we process the prompts you submit and the responses generated. See section 7 for more detail on AI features.
We do not collect any Special Categories of personal data (such as information about your race, ethnicity, religious beliefs, health, or sexual orientation). We do not knowingly collect personal data from children under the age of 18. The Website and Platform are not intended for use by children.
5. How we collect your personal data
We collect personal data through the following methods:
Directly from you — when you create an account, subscribe to a plan, enter data into the Platform, contact us for support, sign up for marketing communications, or otherwise correspond with us.
From your company's administrators — if you are a stakeholder, your company's cap table administrators may enter your personal data (such as your name, contact details, and holdings) into the Platform on behalf of the company.
Automatically — as you interact with the Website and Platform, we automatically collect Technical Data and Usage Data. We collect this through session cookies and server logs. See section 11 for more information on cookies.
From third parties — we may receive personal data from the following sources:
Stripe (our payment processor) — Financial and Transaction Data when you subscribe to or pay for the Platform.
Companies House — publicly available Identity and Contact Data about company directors and persons with significant control, used to support the accuracy of cap table records.
6. How and why we use your personal data
We will only use your personal data where we have a lawful basis to do so. The purposes for which we process your personal data and the legal basis we rely on in each case are:
To register you as a user and create your account. Data used: Identity, Contact, Account. Lawful basis: Performance of our contract with you.
To provide and operate the Platform, including cap table management, stakeholder portals, vesting tracking, and governance features. Data used: Identity, Contact, Account, Company, Equity. Lawful basis: Performance of our contract with you (or with the company on whose behalf you use the Platform).
To process your subscription payments and manage billing. Data used: Identity, Contact, Financial, Transaction. Lawful basis: Performance of our contract with you.
To provide AI-powered features (Flo and third-party AI integrations). Data used: Identity, Account, Equity, AI Interaction. Lawful basis: Performance of our contract with you; Legitimate interest (to improve the Platform and user experience).
To communicate with you about your account, including service updates, security alerts, and changes to our terms. Data used: Identity, Contact, Account. Lawful basis: Performance of our contract with you; Legal obligation.
To send you marketing communications about Shareflo's products, features, and content. Data used: Identity, Contact. Lawful basis: Consent (you can withdraw this at any time — see section 9).
To respond to your support requests and feedback. Data used: Identity, Contact, Communications. Lawful basis: Performance of our contract with you; Legitimate interest (to improve our services).
To administer and protect our business, the Website, and the Platform, including troubleshooting, security monitoring, and fraud prevention. Data used: Identity, Contact, Technical, Usage. Lawful basis: Legitimate interest (to keep the Platform secure and operational); Legal obligation.
To analyse how users interact with the Website and Platform in order to improve them. Data used: Technical, Usage. Lawful basis: Legitimate interest (to improve our products and understand usage patterns).
To comply with legal obligations, including responding to lawful requests from regulators, law enforcement, or courts. Data used: Any category, as required. Lawful basis: Legal obligation.
Marketing communications. We will only send you marketing emails where you have opted in to receive them. You can opt out at any time by clicking the "unsubscribe" link in any marketing email, or by contacting us at privacy@shareflo.co.uk. Opting out of marketing will not affect service-related communications (such as billing notifications or security alerts).
Legitimate interests. Where we rely on legitimate interest as the lawful basis, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You can contact us to obtain further information about these balancing tests.
7. AI features and your data
Shareflo includes AI-powered features to help you manage your cap table:
Flo (in-platform assistant). Flo is an AI assistant built into the Platform. When you interact with Flo, your prompts and relevant cap table data may be sent to third-party AI service providers to generate responses. These providers process data on our behalf under contractual terms that prohibit them from using your data for their own purposes, including training their AI models on your data.
Third-party AI integrations. The Platform supports integrations that allow you to connect your own third-party AI tools (such as through our MCP server) to interact with your cap table using natural language. When you use these integrations, data necessary to fulfil your request — such as instrument names, stakeholder names, and holding details — is transmitted to the AI provider you have connected. This data is processed under your own subscription and agreement with that AI provider, not under any contract between Shareflo and that provider. You are responsible for reviewing the privacy policy and terms of service of any AI tool you choose to connect. Shareflo does not control how those providers process your data once it leaves the Platform.
What we do not do. We do not use your Equity Data or any personal data to train AI models. We do not sell your data to AI providers or any other third party.
8. Who we share your personal data with
We may share your personal data with the following categories of recipients:
Service providers who assist us in operating the Platform and running our business. These include:
Bubble (our application hosting platform) — hosts the Platform and stores application data on Amazon Web Services (AWS) infrastructure.
Stripe — processes subscription payments and stores payment method details.
Third-party AI providers — process data on our behalf when you use Flo or other AI features (see section 7).
Railway — hosts our MCP server.
Google — hosts our email and Workspace.
Email service providers — deliver transactional and marketing communications on our behalf.
All service providers are bound by contractual obligations to keep your data secure and to process it only in accordance with our instructions.
Your company's other authorised users. If you are a stakeholder, your personal data and holding information may be visible to your company's cap table administrators in accordance with the Platform's role-based access controls. If you are an administrator, your name and actions may be visible to other administrators and recorded in the Platform's audit trail.
Professional advisers such as lawyers, accountants, and insurers, where necessary for the provision of professional services to us.
Regulators, law enforcement, and government authorities where we are required to do so by law, regulation, or court order, or where necessary to protect our rights, property, or safety or the rights, property, or safety of others.
In connection with a business transfer. If Shareflo is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such transfer and of any changes to the applicable privacy policy.
We do not sell your personal data to any third party.
9. Your data protection rights
Under UK data protection law, you have the following rights in relation to your personal data:
Right of access — you can request a copy of the personal data we hold about you.
Right to rectification — you can ask us to correct any personal data that is inaccurate or incomplete.
Right to erasure — you can ask us to delete your personal data in certain circumstances (for example, where it is no longer necessary for the purpose for which it was collected).
Right to restrict processing — you can ask us to suspend the processing of your personal data in certain circumstances.
Right to data portability — you can request that we provide your personal data in a structured, commonly used, machine-readable format, or that we transmit it directly to another controller.
Right to object — you can object to our processing of your personal data where we are relying on legitimate interest as the lawful basis, or where we are processing your data for direct marketing purposes.
Right to withdraw consent — where we rely on your consent to process your personal data (for example, for marketing communications), you can withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before you withdrew consent.
To exercise any of these rights, please contact us at privacy@shareflo.co.uk. We will respond to your request within one month. In some cases, we may need to verify your identity before acting on your request. We will not charge a fee for handling a reasonable request, but we may charge a reasonable fee or refuse to comply if a request is clearly unfounded or excessive.
A note on Equity Data. Where your personal data has been entered into the Platform by your company's administrators (for example, as part of the company's cap table records), any request for erasure or rectification of that data should in the first instance be directed to the relevant company, as they control what data is entered into the Platform. We will cooperate with the company to give effect to your rights.
10. International transfers
Shareflo is a UK-based company. However, some of the third parties we work with are based outside the United Kingdom, and as a result your personal data may be transferred to, stored in, or processed in countries outside the UK.
In particular, the Platform is hosted on infrastructure provided by Bubble, which uses Amazon Web Services (AWS) servers located in the United States. Our payment processor, Stripe, and our AI service providers also process data in the United States.
Whenever we transfer your personal data outside the UK, we ensure that it is protected by appropriate safeguards, including:
Transfers to countries that the UK government has determined provide an adequate level of data protection.
The use of standard contractual clauses approved by the UK Information Commissioner, or the International Data Transfer Agreement (IDTA), which contractually require the recipient to protect your data to UK standards.
Where applicable, reliance on the UK Extension to the EU-US Data Privacy Framework.
You can contact us at privacy@shareflo.co.uk for further information about the specific safeguards we have in place for any particular transfer.
11. Cookies
A cookie is a small text file placed on your device when you visit a website or use an application. The Platform uses cookies as follows:
Strictly necessary cookies. The Platform uses session cookies to keep you logged in and to maintain your session as you navigate between pages. These cookies are essential for the Platform to function and cannot be switched off. They do not store any personally identifiable information beyond your session identifier, and they expire when you close your browser or after a period of inactivity.
The Website. Our marketing website at www.shareflo.co.uk is hosted on Framer and uses Framer Analytics, which does not use cookies and does not generate persistent identifiers. No cookie consent banner is required for the Website.
We do not use any analytics, advertising, or tracking cookies on the Platform. We do not use any third-party cookies on the Platform.
You can set your browser to refuse all or some cookies, or to alert you when websites set or access cookies. If you disable or refuse session cookies on the Platform, some parts of the Platform may become inaccessible or not function properly.
12. Data security
We have put in place appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or destruction. These measures include:
Encryption of data in transit using TLS/SSL.
Encryption of data at rest using AES-256 encryption (provided by AWS).
Password hashing — we never store passwords in plain text.
Role-based access controls within the Platform, ensuring users can only access data appropriate to their role.
Privacy rules applied at the database level, ensuring that users can only query records belonging to their own company.
Regular review of our security practices.
While we take reasonable steps to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data.
13. Data retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.
The following retention periods apply:
Active accounts. We retain your personal data for as long as your account remains active and you continue to use the Platform.
After account deletion. When you (or your company's administrator) delete an account or request deletion of your data:
Equity Data (cap table records, holdings, transactions, and stakeholder information) will be deleted within 90 days (and in some cases 30 days). We will offer you the opportunity to export your data before deletion.
Financial and billing records (invoices, payment history, and subscription records) will be retained for 6 years from the date of the relevant transaction, in accordance with HMRC requirements and applicable UK tax and accounting legislation.
Technical and security logs (such as server logs and audit trails) will be retained for up to 12 months for security, troubleshooting, and fraud prevention purposes.
Marketing consent records will be retained for up to 3 years after your last interaction with our marketing communications, to demonstrate compliance with applicable regulations.
In some cases, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
14. Third-party links
The Website and Platform may include links to third-party websites, services, or applications (for example, Companies House, HMRC, or Stripe). Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party services and are not responsible for their privacy practices. We encourage you to read the privacy policy of every third-party service you use.
15. Contact us
If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact us:
Email: privacy@shareflo.co.uk