Privacy Policy
Last updated 24 April 2026
In plain English: We collect what we need to give you useful guidance, we don't sell it, and you can delete everything whenever you want. The detailed version is below — but that's the gist.
- We collect what we need.
- We don't sell it.
- You can delete everything.
Here's how we handle your data. We've tried to keep it human-readable — if anything's unclear, just ask us at ciaran@usetheo.co.
This Privacy Policy explains how Theo (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our service at usetheo.co.
Who we are
Theo is operated by Use Theo Limited (registered in England & Wales, Company Number 17104555), with its registered office at Flat 3 Transenna Works, 1 Laycock Street, London, N1 1SJ. We are the data controller for personal data processed through usetheo.co. If you have any questions about how we use your data, contact us at ciaran@usetheo.co.
What we collect
We collect information you provide directly — including your name, email address, financial profile details (income, goals, employment type, housing status), and the details you share in conversations with Theo. We also collect standard usage data (browser type, pages visited, time on site) to improve the product.
When you connect a bank account (coming soon), we will collect transaction history and account balances via regulated Open Banking infrastructure, in read-only mode only.
Why we process your data (lawful basis)
Under Article 6 of UK GDPR, we rely on the following lawful bases for each category of processing:
- Account and profile data (name, email, financial profile) — contract: processing is necessary to provide the Theo service you've signed up for.
- Conversation history — contract: Theo uses your conversation history to personalise its guidance to your situation. This is core to the service.
- Open Banking data (when live) — explicit consent: we will ask for your explicit consent before connecting any bank account, and you can withdraw it at any time.
- Analytics and usage data — legitimate interests: we use anonymised analytics to understand how the product is used and where we can improve it. This doesn't override your rights — you can opt out at any time.
Special-category data
Financial information is not special-category data under Article 9 of UK GDPR. However, in the course of conversations with Theo, you may share information about your health, disability, or other sensitive circumstances that could constitute special-category data. We do not ask for such information, and we do not use it for any purpose beyond providing you with relevant guidance in that conversation. If you share it, we treat it with the same level of care as all other data.
Automated decision-making (Article 22)
Theo uses AI to generate personalised financial information and education. This processing is automated, but it does not produce legal effects or decisions that significantly affect you in the way Article 22 of UK GDPR is concerned with — Theo provides guidance and education, not regulated financial advice, and it does not make credit decisions, insurance assessments, or any other legally binding determinations about you.
If you have questions about how Theo's AI generates its responses, contact us at ciaran@usetheo.co.
Data Protection Impact Assessment (DPIA)
We have conducted a Data Protection Impact Assessment for the processing activities that carry higher privacy risk — in particular the use of AI to process financial profile data. Our assessment concluded that the processing is necessary for the service, proportionate to the benefits provided, and accompanied by appropriate safeguards (including data minimisation, EU data residency for primary storage, contractual commitments from sub-processors, and user control over their data). We review this assessment whenever we introduce material new processing activities.
Data Protection Officer
We are not currently required to appoint a Data Protection Officer under Article 37 of UK GDPR (we do not engage in large-scale systematic monitoring or large-scale processing of special-category data). All data protection queries are handled by the founder and data controller directly. Contact: ciaran@usetheo.co.
How we use it
Your data is used solely to provide and improve Theo's guidance. We use conversation history to personalise responses to your financial situation. We do not sell your data, use it to market third-party products to you, or share it with financial providers.
Third-party processors
We use a small number of trusted third-party services to operate Theo. Each has signed data processing agreements and is contractually bound to protect your data:
- Anthropic — powers Theo's AI. Your conversation messages are sent to Anthropic's API to generate responses. Under our commercial agreement, Anthropic does not use your data to train its models and does not retain prompts beyond the period necessary to provide the API response.
- Supabase — our database and authentication provider. Stores your account, profile, and conversation data. Data is hosted in the EU (AWS eu-west-1).
- Vercel — hosts and serves the Theo web application. Processes request logs and edge network data. Servers are located in the EU and US.
- PostHog — product analytics (page views, feature usage). We use PostHog EU cloud (eu.i.posthog.com). We only collect product analytics once you've signed in. If you're just browsing the public site, we don't track you.
- Resend — transactional email delivery. Used to send your waitlist confirmation and product update emails. Resend processes your email address on our behalf.
- TrueLayer — regulated Open Banking infrastructure. TrueLayer acts as the FCA-authorised Account Information Service Provider (AISP) and processes your bank data on our behalf, in read-only mode only. Your bank authorisation lasts 90 days, after which you'll be asked to re-consent.
How long we keep your data
- Conversation history — retained for the lifetime of your account. You can request deletion at any time.
- Profile and account data — retained for the lifetime of your account, plus up to 90 days after deletion (to allow for account recovery).
- Open Banking transaction data — retained only while your bank connection is active. On disconnection or account deletion, transaction data is purged within 30 days.
- Analytics data — aggregated usage data is retained for up to 24 months. PostHog event data is retained for 12 months.
International data transfers
Some of our processors (including Anthropic and Vercel) may transfer or process data outside the UK and EEA — primarily in the United States. Where this happens, we ensure adequate safeguards are in place, typically through the UK's International Data Transfer Agreement (IDTA) or equivalent UK adequacy decisions. Anthropic and Vercel are certified under relevant data protection frameworks. You can ask us for more detail on the specific safeguards at ciaran@usetheo.co.
Data storage and security
Your data is stored securely in the EU using encrypted databases. All data in transit is encrypted via TLS. We follow industry-standard security practices and review them regularly.
Open Banking data (coming soon)
When bank connections are available, Theo will use regulated Open Banking infrastructure to access your transaction history and balances. The connection will be made via TrueLayer, an FCA-authorised Account Information Service Provider (AISP) operating under PSD2/PSR 2017.
Crucially: read-only access only. Theo cannot initiate payments, move money, or make any changes to your accounts. You'll be asked for explicit consent before any connection is made, and you can disconnect at any time from within the app. On disconnection, all imported transaction data will be deleted within 30 days.
Cookies
We use two categories of cookies:
- Essential cookies — required for authentication and keeping you logged in (via Supabase Auth). These cannot be disabled without breaking the service.
- Analytics cookies — set by PostHog to track anonymous usage patterns (pages visited, features used). These help us improve the product. PostHog is configured to only create profiles for identified users (not anonymous visitors), and data is processed on PostHog's EU servers.
You can opt out of analytics cookies at any time. Opting out won't affect your ability to use Theo.
Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data (“right to be forgotten”)
- Restriction — ask us to limit how we use your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests (including analytics)
- Withdraw consent — where processing is based on consent (e.g. Open Banking), you can withdraw it at any time
To exercise any of these rights, email us at ciaran@usetheo.co. We'll respond within one month.
Right to complain to the ICO
If you're unhappy with how we've handled your data, you have the right to lodge a complaint with the UK's supervisory authority — the Information Commissioner's Office (ICO). We'd always prefer you come to us first so we can try to resolve things, but you're under no obligation to do so.
Information Commissioner's Office: ico.org.uk · 0303 123 1113
Affiliate relationships
Theo may receive referral fees from financial product providers whose products are surfaced in guidance or recommendations. These fees do not influence Theo's guidance — responses are generated by AI without regard to commercial incentives, and we do not rank or favour products based on affiliate relationships. Where a referral relationship exists, we will disclose it clearly at the point of any product link.
Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware. Where the breach poses a high risk to you, we will also notify you directly without undue delay, with clear information about what happened, the data involved, and the steps we are taking. To report a suspected breach, contact us immediately at ciaran@usetheo.co.
Contact
Questions about this policy? Email us at ciaran@usetheo.co. We're a small team and we genuinely read these.