Privacy

Privacy Policy

Last updated: 25 May 2026

Who we are

Sigillum Books is operated by Legion Crafts GB (“we”, “us”, “our”), a small business based in the United Kingdom. We provide a tax-aware bookkeeping app for solo sellers, indie makers, and small shops. You can reach us any time at support@legioncraftsgb.com.

We are the data controllerfor the personal data described in this policy. We don’t have a dedicated Data Protection Officer (DPO) because we don’t meet the UK GDPR thresholds for one, but the same email address reaches the person responsible for privacy decisions.

What data we collect

We try to collect the minimum needed to provide the service. Concretely:

  • Account data — your email address and a hashed password (we never see the plain password). If you sign in with a third-party provider, we receive your email + a provider identifier.
  • Business profile — your business name, address, phone number, tax identifier, default currency, and tax year start. Optional fields you can fill or leave blank.
  • Financial records you create — income, expenses, invoices, quotes, bills, customers, products, drawings entries, and rules you write. This is the core of what Sigillum stores about you.
  • OAuth tokensfor connected seller platforms (Etsy, eBay, Gumroad, LemonSqueezy, TikTok Shop, and similar). These let us pull your sales data on your behalf. We store the tokens encrypted at rest and only ever use them to read sales data — we never write to your seller account.
  • Receipt photos you upload, stored in a private bucket scoped to your user ID. Other users cannot access them.
  • Subscription data— if you upgrade to a paid tier, Stripe handles the payment. We receive your subscription status, tier, and renewal date from Stripe via webhook. We neversee your full card number — only the last four digits and the brand (e.g. “Visa ending 4242”), as Stripe shows them to us.
  • Support correspondence— if you email us or file a ticket inside the app, we keep that thread so we can answer follow-ups.
  • Basic logs— our hosting provider automatically records server logs (IP, user agent, request URLs) for security + debugging. We retain these for 30 days.

We do not use third-party analytics, ad networks, tracking pixels, social-media share buttons that fetch from third parties, or session replay tools. There is no Google Analytics, no Facebook Pixel, no Hotjar.

Why we collect it (lawful basis)

Under UK GDPR every piece of processing needs a lawful basis. Ours are:

  • Performance of a contract— we can’t provide the bookkeeping service without storing the records you create. Account data, business profile, financial records, OAuth tokens, and subscription data all fall under this.
  • Legitimate interests— basic server logs for security, fraud prevention, and debugging. The interest is keeping the service stable and the data safe; we’ve weighed it against your privacy and consider it proportionate.
  • Legal obligation— we keep invoice + payment records for the minimum period required by UK tax law (currently six years for businesses).
  • Consent— if we ever send you a non-essential email (e.g. a product update newsletter), we’ll ask for it first and you can withdraw it any time. We don’t do this today.

Who else processes your data

Sigillum is built on top of a small set of trusted sub-processors. Each one has a Data Processing Agreement (DPA) in place with us, and each has its own GDPR-compliant privacy practices.

ProcessorPurposeLocation
SupabaseDatabase, authentication, file storageEU (Frankfurt)
VercelApplication hosting, edge cacheUS + global edge
CloudflareDNS for legioncraftsgb.comGlobal
StripeSubscription billing, payment processingUS + EU
ResendTransactional + invoice emailsUS
EtsyRead your sales when you connect an Etsy accountUS (when connected)
eBayRead your sales when you connect an eBay accountUS + UK (when connected)
GumroadRead your sales when you connect a Gumroad accountUS (when connected)
LemonSqueezyRead your sales when you connect a LemonSqueezy storeUS (when connected)

We add new sub-processors only when we add a new feature that needs one. This list will grow as we add platforms (TikTok Shop, Shopify, Square, etc.). We’ll update this page before activating a new processor.

International data transfers

Some sub-processors above are based in the United States. Where your data leaves the UK / EEA, we rely on the UK’s International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with UK addendum, both of which our processors include in their DPAs. We also rely on the UK’s adequacy decision for the EU and on the EU-US Data Privacy Framework where applicable.

How long we keep it

Retention varies by data type:

  • Account + financial records— for as long as your account is active. If you close your account, we keep the records for six more years to satisfy UK tax-law retention requirements, then we delete them. You can ask us to delete sooner subject to those legal obligations (see Your Rights below).
  • OAuth tokens— until you disconnect the platform or close your account. Disconnecting immediately deletes the tokens; we keep the imported sales records (they are your data, not the platform’s).
  • Receipt photos— until you delete the associated expense, or close your account.
  • Server logs— 30 days, then deleted automatically.
  • Support tickets— for two years after the ticket is closed, in case you raise a follow-up.

How we protect it

Our technical + organisational measures include:

  • Database encryption at rest (AES-256 via Supabase / AWS RDS), TLS 1.2+ in transit for all client and server-to-server traffic.
  • Row-level security (RLS) on every database table containing personal data — one user’s records are inaccessible to another user, enforced at the database layer.
  • Passwords hashed using industry-standard salted bcrypt by our auth provider. We never see your plaintext password.
  • OAuth tokens stored in a row-level-secured table; access requires both a valid Sigillum session and the matching user ID.
  • Two-layer auth gate on the admin console; admin actions are logged to an audit trail.
  • Production deployment via Vercel with automatic HTTPS, managed SSL certificates, and HSTS preload.
  • Regular dependency updates and automated builds on every commit so we catch issues before they hit production.

No system is unbreakable. If we discover a personal data breach, we’ll notify the ICO within 72 hours where required and notify affected users without undue delay if the breach is likely to result in a high risk to their rights.

Cookies

We use the minimum cookies needed to run the service:

  • Session cookies— set when you log in so we know who you are. Strictly necessary.
  • OAuth state cookies— short-lived (10-minute TTL), set during platform-connect flows to prevent CSRF attacks. Strictly necessary.
  • Preference cookies— we may set a cookie to remember your dark-mode preference. Functional.

We do notset marketing, analytics, or cross-site tracking cookies. There is therefore no cookie consent banner — under UK GDPR, strictly-necessary cookies don’t require consent.

Your rights

You have the following rights under UK GDPR:

  • Access— ask for a copy of the data we hold about you. We’ll respond within one month.
  • Rectification— ask us to correct inaccurate or incomplete data. Most fields you can edit yourself inside the app.
  • Erasure(“right to be forgotten”) — ask us to delete your data. We’ll honour this except where we’re required to keep it for legal reasons (e.g. tax records, six-year retention).
  • Restriction— ask us to stop processing your data while a query is resolved.
  • Portability— export your data in a machine-readable format. CSV export is built into Sigillum for income, expenses, invoices, and Tax Pack data; ask us for anything else.
  • Object— object to processing based on legitimate interests (the server-log processing described above).
  • Withdraw consent— where we’re processing on the basis of consent (we don’t do this today), you can withdraw it at any time.

To exercise any of these rights, email support@legioncraftsgb.com. If you’re unhappy with how we’ve handled your request, you have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint.

Children

Sigillum is for adults running a business. We don’t knowingly accept signups from anyone under 16. If you believe a child has created an account, please email us at support@legioncraftsgb.com and we’ll delete it.

Changes to this policy

We may update this Privacy Policy when we add new features or sub-processors. We’ll bump the “Last updated” date at the top of this page. For material changes (new processing purposes, changes to lawful basis) we’ll email signed-in users at least 14 days before the change takes effect.

Contact

Email support@legioncraftsgb.com for anything privacy-related. We aim to respond within two working days; statutory requests are answered within one month.