The short version
We hold your data because you uploaded it. We use it to
run sonuswealth for you. We do not sell, share, or rent it.
We do not train third-party AI on it. We hold it on encrypted UK servers.
You can export and delete it at any time. If we ever go
bust, we send you your data and shut down - we never sell it to another
company.
1 - What this policy covers
This policy explains how MBKR Limited (we / us), trading as sonuswealth,
collects, uses, shares, retains, and protects personal data, in compliance
with the UK General Data Protection Regulation ("UK GDPR") and the Data
Protection Act 2018.
It applies to data we hold about: visitors to the sonuswealth website;
people who join the waitlist; users of the sonuswealth product once live;
professional and employer customers; and people who contact us via email or
social media.
2 - What personal data we hold
Information you give us directly
- Account data: your email address, name, password (hashed), preferences.
- Financial data you upload: account balances, transactions, asset positions, pension statements, ISA / SIPP / GIA records, mortgage detail, life-cover policies, Indian financial assets (for NRI users), business interests, property valuations.
- Demographic data you choose to share: age, marital status, dependents, household structure, jurisdiction - only so the engine can apply the right rules to you.
- Tax data: National Insurance number, UK Unique Taxpayer Reference (UTR), Indian PAN (for NRI users) - only where you choose to share them for tax-related modelling.
- Profession verification: for NHS / public-sector / IFA pricing, your work email address for one-time domain verification.
- Communications: support emails, feedback, journal-comment replies.
Information we collect automatically
- Technical data: IP address (last octet only after 30 days), browser type, referring URL, pages visited, time on page.
- Cookies (see Section 9).
- Crash and error reports (no payload data).
What we do NOT collect
- Bank login credentials. Phase 1 has no live bank connection - only your uploads. Phase 2 Open Banking will use an FCA-authorised AISP that uses the bank's own consent flow; we never see your password.
- Card details (no payment data - we use Stripe; Stripe holds the card).
- Browsing data outside sonuswealth.
- Location data beyond country-level.
3 - Why we hold each piece of data (lawful basis)
Under UK GDPR we must identify a lawful basis for every category of processing. Ours are:
- Contract (Article 6(1)(b)): to provide the sonuswealth service you signed up for. Covers all account data, financial data, modelling outputs.
- Legitimate interest (Article 6(1)(f)): security (rate-limits, anomaly detection); product analytics in aggregate; founder updates to existing users on product changes. You can object at any time.
- Consent (Article 6(1)(a)): marketing emails (unsubscribe in one click); non-essential cookies (opt-in via banner).
- Legal obligation (Article 6(1)(c)): tax records, anti-fraud, court orders.
4 - Who we share data with
Sub-processors (essential to running the service)
- AWS (Amazon Web Services UK): hosting infrastructure, eu-west-2 (London) region only. UK data stays in UK.
- Stripe: payment processing. They hold your card; we never do.
- Mailerlite / Mailgun: email delivery. Email + name + minimal preference data.
- Phase 2: FCA-authorised AISP partner (TrueLayer, Yapily, or Plaid UK - to be confirmed). Only activated if you opt in to Open Banking live-connect.
- OCR vendor for statement-scan path. Document images processed via API; we delete the source image within 24 hours after extraction.
- Posthog for product analytics. Self-hosted on our UK infrastructure; no third-party identifiers.
Things we do NOT share
- We do not sell, rent, or barter your data.
- We do not share your data with advertisers, data brokers, credit bureaux, or political parties.
- No AI training, no AI retention. Where we use a third-party AI provider for Sonu / Ask, we will operate under a contractual zero-training and zero-retention agreement - your data is used only to compute the answer to your specific query, is never used to train any model, and is not retained by the provider beyond that single inference. We will name the selected provider on this page before launch. If we move to self-hosted inference at any point, we will update this section.
- We do not share your data with your employer, even if your employer is a sonuswealth B2B Employer customer (the consumer subscription you take out is yours alone).
Disclosure under legal obligation
We will disclose data only if compelled by a UK court order or a valid
request from HMRC, the police, or another competent authority. We will
notify you of the request where lawful to do so. We will resist over-broad
requests through proper legal channels.
5 - International data transfers
UK user data stays in the UK (AWS eu-west-2 London). The only exception is
email delivery infrastructure, which may transit briefly through EU / US
regions for SMTP routing - covered by Standard Contractual Clauses (SCCs)
with the relevant providers.
For NRI users who upload Indian financial data: this data is held in the UK,
not in India. India is currently not an "adequate" jurisdiction under UK
GDPR for personal-data export, so we don't export there. Phase 2 changes to
this will be flagged at least 90 days in advance.
6 - How long we keep data
- Active account data: as long as your account is active, plus 30 days after closure (in case of restore request).
- Financial uploads: as above. We do not retain copies after you've deleted them from your account.
- Backups: encrypted, retained 30 days, then cryptographically destroyed.
- Email correspondence: 3 years (legitimate-interest basis for service continuity).
- Marketing-list emails: until you unsubscribe, plus 30 days for suppression-list integrity.
- Financial transaction records (Stripe): 7 years (UK HMRC tax-record requirements).
7 - Your rights under UK GDPR
You have the following rights, exercisable at any time by emailing privacy@sonuswealth.com:
- Right of access: ask for a copy of all your personal data we hold. We respond within 30 days, usually within 5.
- Right to rectification: correct anything wrong.
- Right to erasure ("right to be forgotten"): delete your data. Available in-app under Settings - Delete Account. Confirmed in writing within 24 hours, completed within 30 days.
- Right to restriction: ask us to pause processing of your data while you raise a concern.
- Right to data portability: export your data in a machine-readable format (JSON + CSV). Available in-app under Settings - Export Data.
- Right to object: object to legitimate-interest processing (e.g. analytics).
- Right to withdraw consent: for anything we do under consent basis.
- Right to complain: to the UK Information Commissioner's Office (ICO) at ico.org.uk/concerns.
8 - Security
- All data encrypted at rest (AES-256).
- All data encrypted in transit (TLS 1.3).
- Per-user keys for highly sensitive fields.
- UK-only datacentres (AWS eu-west-2 London).
- Multi-factor authentication on all employee accounts.
- Quarterly external penetration testing (planned from 2026 H2).
- ISO 27001 audit target: 2026 H2.
- Incident response: any data breach affecting your personal data will be reported to the ICO within 72 hours of discovery and to you without undue delay.
9 - Cookies
We use a minimal set of cookies. The site shows a cookie banner on first
visit; you can change your preference at any time via the cookie settings
link in the footer.
- Strictly necessary: session, CSRF protection, theme preference. No opt-out (the site doesn't work without them).
- Analytics (consent): Posthog (self-hosted in UK). Opt-in only.
- Marketing (consent): we don't currently use any. If we add any, we'll list them here and update the banner.
10 - Children
Sonuswealth is not directed at, and we do not knowingly collect data from,
children under 18. UK financial planning is an adult activity; the product
is designed for adult households. If we discover a sub-18 account, we close
it and delete the data.
11 - Changes to this policy
We update this policy when our practices change. Material changes (anything
that affects what data we collect, how we use it, or who we share it with)
will be emailed to all active users at least 30 days in advance. The full
version history is available on request.
12 - Contact
Questions, concerns, or data-rights requests: privacy@sonuswealth.com. Founder direct: mihir@sonuswealth.com.
UK postal: MBKR Limited, 32 Oakfield Avenue, Birstall, Leicester LE4 3DQ.
Legal review pending. This policy is drafted in plain English by the founder and is subject to review by a UK-qualified privacy lawyer before paid users are onboarded. If you spot something off, please email - we'd rather know than not.