Last updated: June 2026
1. Who we are
FramePilot is a trading name of BRCT Ltd, registered in England and Wales. We provide cloud-based management software for picture framing shops in the United Kingdom. References to "we", "us", or "our" in this policy refer to BRCT Ltd.
If you have any questions about this policy, contact us at support@framepilot.io.
2. What data we collect
We collect the following categories of data:
- Account data — your name, business name, email address, and mobile number when you sign up for a trial or subscription.
- Business data — quotes, job records, customer details, supplier information, purchase orders, and expenses that you enter into FramePilot.
- Financial data — sales figures, expense records, and P&L data generated by your use of the system.
- Xero integration data — if you connect FramePilot to your Xero account, we store OAuth access tokens and refresh tokens to maintain the connection. We also temporarily process invoice and bill data to synchronise it with your Xero organisation.
- Technical data — IP addresses, browser type, and usage logs for security and system integrity purposes.
3. How we use your data
We use your data only to provide and improve the FramePilot service:
- To create and manage your account and subscription.
- To operate the quoting, job tracking, purchasing, and financial reporting features of the platform.
- To synchronise sales and expense records with your Xero account, where you have authorised this connection.
- To send SMS notifications to your customers via Twilio (only using mobile numbers you provide).
- To send transactional emails such as account verification, password resets, and subscription notices.
- To maintain the security and integrity of the platform.
We do not sell your data. We do not use your data for advertising.
4. Xero data
When you connect FramePilot to Xero, we access your Xero organisation data solely to synchronise the financial records you have created in FramePilot. Specifically:
- We push sales invoices and expense bills from FramePilot to your Xero organisation.
- We store Xero OAuth tokens in our database in encrypted form. Tokens are never stored in plaintext.
- Xero credentials (Client ID and Client Secret) are stored outside the web root and are not accessible publicly.
- We access only the Xero scopes necessary to create and read invoices and bills. We do not access payroll, bank feeds, or any other Xero data.
- You can disconnect FramePilot from Xero at any time from within your account settings. On disconnection, all stored Xero tokens are permanently deleted.
In the event of any security breach that may expose Xero tokens or customer data, we will notify Xero immediately at api@xero.com and affected customers without undue delay.
5. Legal basis for processing (UK GDPR)
- Contract — processing your account and business data is necessary to provide the service you have subscribed to.
- Legitimate interests — we process technical and security data to maintain a safe and reliable platform.
- Consent — where we send marketing communications (which you can opt out of at any time).
6. Data storage and security
All data is stored on servers located in the United Kingdom. We use a Virtual Private Server (VPS) environment — we do not use shared hosting. Access to server infrastructure is strictly controlled and limited to authorised personnel only.
We apply the following security measures:
- All connections to FramePilot are encrypted via HTTPS/TLS.
- Sensitive data, including Xero tokens and encryption keys, is stored outside the publicly accessible web directory where possible, and encrypted at rest.
- Database queries use parameterised statements to prevent SQL injection.
- Access to the application is controlled by role-based permissions.
- We follow the OWASP Top 10 guidelines in our software development practices.
7. Data retention
We retain your data for as long as your account is active. If you cancel your subscription, we retain your data for 90 days to allow for reactivation, after which it is permanently deleted. You may request immediate deletion by contacting support@framepilot.io.
8. Third parties
We share data with the following third-party services, only as necessary to operate FramePilot:
- Twilio — to send SMS notifications to your customers. Only the mobile numbers you enter are transmitted.
- Xero — to synchronise financial records, where you have authorised the connection.
- TMD Hosting — our VPS hosting provider, based in the UK.
We do not share your data with any other third parties.
9. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Request deletion of your personal data.
- Restrict or object to processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
To exercise any of these rights, contact us at support@framepilot.io. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Cookies
FramePilot uses only essential session cookies required to keep you logged in. We do not use tracking or advertising cookies.
11. Changes to this policy
We may update this policy from time to time. Where changes are significant, we will notify you by email. The date at the top of this page always reflects the most recent version.