your data, looked after.
this policy explains what personal data Steward collects, why we collect it, who we share it with, and the rights you have over it. plain english where possible. legal precision where required.
Effective date: 2 May 2026 · Last updated: 2 May 2026
Steward is not regulated by the Financial Conduct Authority (FCA). we are a money-companion app, not a regulated financial adviser. nothing in the app or on this website is financial advice, and we don't make decisions for you about your money. for regulated financial advice please speak to an FCA-authorised firm.
section 01
who we are.
In this policy "Steward", "we", "us", and "our" refer to Steward Money Ltd (a company in the process of being incorporated in England and Wales — registration number to be added once issued by Companies House). we are the data controller for the personal data we collect about you under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
How to reach us: for any privacy-related question, subject access request, or data complaint, email hello@stewardapp.co.uk.
ICO registration: Steward Money Ltd's registration with the UK Information Commissioner's Office is in progress. once issued, the reference number will appear here.
section 02
what data we collect.
we collect the minimum data we need to do the job you've asked us to do. nothing extra.
Identity & contact data — your first name, email address, phone number, and postcode. all four are required to use Steward — we use email for sign-in and service messages, phone number for one-time-passcode (OTP) verification and account recovery, and postcode to enrich your monthly wrap-up with publicly published Office for National Statistics (ONS) data for your area (e.g., average household spend in your region). we never pass your individual postcode, or anything derived from it, to any organisation other than the processors that host our systems (see section 04). if you'd rather not share these, the service isn't a fit and we won't be able to create an account for you.
Financial data you give us — income, regular outgoings, debts, savings goals, and free-text answers like "what are you hoping Steward will do for you?". you type this in directly.
Open Banking data (optional) — if you connect a bank account through our open banking provider, we receive read-only access to transaction history and balances for that account. you can disconnect at any time. we never see or hold your banking login credentials.
Usage data — interactions with the app and website (which screens you view, which buttons you tap), so we can fix bugs and improve the product. limited to what's needed; not used to build advertising profiles.
Technical data — IP address, browser type, device type, operating system, language. captured automatically when you use the website or app for security and abuse-prevention purposes.
Special category data — we do not knowingly collect special category data (such as health information, racial or ethnic origin, political opinions). if you type any of this into a free-text field by accident, please email us and we'll remove it.
section 03
why we use it (and on what legal basis).
every piece of data we process has a legal basis under UK GDPR Article 6.
To provide the service you signed up for (legal basis: performance of a contract) — running the app, building your plan, sending service emails, processing payments. we can't deliver Steward without this data.
To send marketing or product-update emails (legal basis: consent) — only if you opt in. you can withdraw consent at any time using the unsubscribe link in any marketing email or by emailing us.
To process Open Banking data (legal basis: consent, UK GDPR Article 6(1)(a)) — only after you give explicit consent through your bank's authorisation flow, which our Open Banking provider obtains under the Payment Services Regulations 2017. transaction history and balances are ordinary personal data, not special category data, so Article 9 does not apply here.
To improve and secure the product (legal basis: legitimate interest) — debugging, abuse prevention, fraud monitoring, aggregated analytics. we balance this against your privacy interests on every use; you can object at any time.
To meet our legal obligations (legal basis: legal obligation) — for example, retaining accounting records under UK tax law or responding to lawful requests from authorities.
section 04
who we share data with.
we don't sell your personal data. ever. we work with trusted processors who help us run the service. each is bound by a written data processing agreement and uses your data only on our instructions.
Our database and authentication provider — holds your account data securely.
Our website and admin hosting provider — serves the website and admin tools you interact with.
Our transactional email provider — sends magic-link sign-in emails, welcome emails, and any service notifications.
An FCA-authorised payment processor — handles card payments. they process card numbers directly; we never see or store full card details.
An FCA-authorised Open Banking provider — only relevant if you choose to connect a bank account. this provider fetches your transaction data on our behalf, with your explicit consent, under the Payment Services Regulations 2017.
we may also share your data with regulators, law enforcement, or our professional advisers (e.g., accountants, solicitors) where we are legally required or have a legitimate need to do so. if you'd like the specific named processor we use for any of the above categories at the time you ask, email hello@stewardapp.co.uk and we'll tell you.
section 05
international transfers.
some of our processors host data in countries outside the UK, including the United States. when your personal data is transferred outside the UK, we put appropriate safeguards in place — typically the UK International Data Transfer Addendum to the EU Standard Contractual Clauses — so your data continues to receive UK GDPR-equivalent protection.
section 06
how long we keep it.
Active accounts — we keep your data for as long as your account is active.
If you delete your account — your personal data is removed from our live systems within 30 days. some data (transaction logs, security audit trails) may be retained for up to 6 years to meet legal and accounting obligations under UK tax law, and for the limitation period for any potential legal claims.
If you only signed up to the waitlist and never created an account — we keep your email and free-text answer for as long as the waitlist is open, then delete or anonymise within 12 months of the waitlist closing.
Aggregated, anonymised analytics (e.g., "X% of users save toward a house deposit") may be retained indefinitely because they cannot be linked back to you.
section 07
your rights.
UK GDPR gives you a set of rights over the personal data we hold about you. this policy itself fulfils your right to be informed; the others are listed below. exercise any of them by emailing hello@stewardapp.co.uk.
Right of access (Article 15) — get a copy of the data we hold about you. we'll respond within one calendar month.
Right to rectification (Article 16) — correct inaccurate or incomplete data.
Right to erasure (Article 17) — delete your data ("right to be forgotten"). available in-app via account settings, or by emailing us.
Right to restrict processing (Article 18) — pause our processing while we investigate a request or correction.
Right to data portability (Article 20) — receive your data in a structured, machine-readable format. we'll export to JSON.
Right to object (Article 21) — object to processing based on legitimate interest, including direct marketing.
Rights regarding automated decision-making (Article 22) — Steward does not use solely automated decisions to produce legal or similarly significant effects on you. our AI features draft suggestions; humans (you) remain in control of every financial decision.
Right to withdraw consent — where we rely on consent (e.g., marketing emails, Open Banking), you can withdraw at any time without affecting processing we did before withdrawal.
Right to complain to the ICO — if you think we've mishandled your data, you can complain to the UK Information Commissioner's Office at ico.org.uk or 0303 123 1113. we'd appreciate the chance to put things right first — please email us.
section 08
cookies & similar technologies.
our website currently uses only strictly necessary cookies — for sign-in sessions and security tokens. under UK PECR these don't require your consent. we don't run analytics or advertising cookies on the site today.
the cookie banner shows on your first visit. you can accept all, essential only, or customise per category (essential / analytics / marketing). your choice is stored on your device and recorded in our audit log with a randomly-generated visitor identifier, a hashed approximation of your IP address, and the date — so we can demonstrate consent if asked, in line with UK GDPR Article 7. we never link this audit record to your account unless you sign in. if and when we add analytics or marketing cookies in future, the matching toggles will gate them — nothing fires unless you opt in.
section 09
children.
Steward is for adults aged 18 and over. we do not knowingly collect personal data from anyone under 18. if you believe a child has provided us with their data, contact us and we will remove it immediately.
section 10
how we keep your data safe.
In transit — all connections to our website and app use TLS 1.2+ encryption.
At rest — your account data is encrypted at rest by our database provider. Open Banking access tokens are additionally encrypted at the application layer using AES-256-GCM, with the encryption key held only in our server environment.
Access controls — only authorised Steward staff can access production data, and only when needed for support or operations. all admin accounts require two-factor authentication. database access is gated by row-level security and service-role separation.
If something goes wrong — in the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it (UK GDPR Article 33). where the breach is likely to result in a high risk to you, we will also tell you directly without undue delay (Article 34).
section 11
changes to this policy.
we may update this policy from time to time as Steward evolves or as the law changes. the "last updated" date at the top will reflect the most recent change. material changes (anything that meaningfully affects how we use your data) will be notified to you by email or in-app message before they take effect.
section 12
contact.
for any privacy question, subject access request, or complaint, email hello@stewardapp.co.uk. we aim to reply within five working days, and to fulfil formal subject rights requests within one calendar month as required by UK GDPR.
this policy is written in plain english to be read. if any part of it is unclear, email us and we'll explain — and we'll consider rewriting the section so it's clearer for everyone next time.