Mintstone Ltd ("we", "us", "our") is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller:
Mintstone Ltd
Company No. 17105543
ICO Registration: ZC119192
Registered office: 128 City Road, London, EC1V 2NX, United Kingdom
Email: contact@mintstone.co.uk
Work Records: Photos uploaded via Telegram, activity logs
Monitoring Records: Telegram group membership, message processing logs
3. Lawful Basis for Processing
We process personal data under the following lawful bases:
Contractual Necessity: To provide our SaaS platform services to lender customers
Legitimate Interest: To improve our platform, prevent fraud, and provide customer support
Legitimate Interest: For monitoring contractor communications in project Telegram groups for construction progress tracking and variation detection (Art. 6(1)(f). See our Legitimate Interests Assessment)
Legal Obligation: To comply with financial services regulations and audit requirements
4. How We Use Your Data
Provide project monitoring and risk management services to lenders
Enable real-time communication between lenders, developers, and contractors
Process and classify financial transactions via Open Banking integration
Analyse invoices, valuations, and contracts using AI/OCR (data processed in UK/EU regions only)
Send notifications about project updates, alerts, and platform features
Improve platform performance and develop new features
5. Third-Party Services & Data Processors
We use the following sub-processors, all with UK GDPR-compliant Data Processing Agreements:
Vercel: Application hosting and analytics (EU region)
OpenAI (GPT-4o): Document analysis, text extraction, and OCR (zero-retention API, DPA in place)
Anthropic (Claude): Invoice OCR and document analysis (zero-retention API, DPA in place)
TrueLayer: Open Banking integration (FCA-authorised, UK-based)
Telegram: Construction project group monitoring (Mintstone bot reads messages in project supergroups as a group administrator)
6. International Data Transfers
All personal data is processed and stored within the UK and EU. Where third-party services are located outside the UK/EU, we ensure:
Adequacy decisions are in place (e.g., EU-US Data Privacy Framework)
Standard Contractual Clauses (SCCs) are executed
Appropriate technical and organisational measures protect data in transit
7. Data Retention
Active Projects: Data retained for duration of lender contract + 7 years (financial records retention requirement)
Inactive Accounts: Anonymised after 12 months of inactivity (unless legal hold applies)
Contractor Communication Data: 3 years from message date; erasure requests assessed subject to regulatory retention obligations
Audit Logs: Retained for 7 years for regulatory compliance
8. Your Rights Under UK GDPR
You have the following rights:
Right of Access: Request a copy of your personal data
Right to Rectification: Correct inaccurate or incomplete data
Right to Erasure: Request deletion (subject to legal retention requirements)
Right to Restrict Processing: Limit how we use your data
Right to Data Portability: Receive your data in machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Object: For Telegram monitoring, you may exercise your right to object under Art. 21 UK GDPR. We will assess your objection against our legitimate interest and arrange alternative reporting if appropriate.
To exercise your rights, contact:
Data Protection Officer: dpo@mintstone.co.uk
Or write to: Mintstone Ltd, 128 City Road, London, EC1V 2NX
9. Security Measures
We implement industry-standard security controls:
End-to-end encryption for data in transit (TLS 1.3)
Encryption at rest for all stored data (AES-256)
Multi-factor authentication (MFA) for lender accounts
Role-based access control (RBAC) and audit logging
Regular security audits and penetration testing
API keys and credentials stored in secure vaults (never in code)
10. Cookies & Analytics
We use minimal cookies:
Essential Cookies: Session authentication (required for platform function)
Analytics Cookies: Vercel Analytics (anonymised page views, no personal identifiers)
No third-party advertising or tracking cookies are used. You can disable analytics in browser settings.
11. Contractor-Specific Rights
If you are a contractor working on a project monitored via Telegram:
Your messages in the project Telegram group are read by the Mintstone bot (a group administrator) for construction progress tracking and variation detection under Art. 6(1)(f) UK GDPR (legitimate interests)
A monitoring notice is pinned in every forum topic explaining this processing
You have the right to object to this processing under Art. 21 UK GDPR by contacting privacy@mintstone.co.uk or the project developer
If you object, we will assess your request against our legitimate interest and arrange alternative progress reporting methods where appropriate
You can request access to or erasure of your message data at any time, subject to regulatory retention obligations
Objecting to monitoring does not affect your ability to work on the project. Progress reporting can continue via alternative methods
12. Children's Privacy
Our platform is not intended for individuals under 18. We do not knowingly collect data from minors.
13. Changes to This Policy
We may update this policy to reflect legal or operational changes. Material changes will be notified via email (for registered users) and prominently displayed on our website.
14. Complaints
If you believe we have mishandled your data, you have the right to lodge a complaint with: