Privacy Policy
Last updated: 2026-05-01
MroSight is operated by Plinth & Co Ltd, a company registered in England and Wales. We process your data as a controller under UK GDPR and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO).
1. What we collect
To provide MRO spend visibility, we process:
- Account data — your work email and a session token. We do not collect passwords; sign-in is via magic link.
- Invoice files — PDF supplier invoices you upload or forward. These are stored encrypted at rest in the United Kingdom and European Union.
- Extracted invoice data — vendor names, dates, amounts, and line-item descriptions parsed from your invoices.
- Service data — error logs and basic page-view metrics to operate and improve the product. We do not use third-party advertising trackers.
2. How we use it
- To extract, categorise, and aggregate your MRO spend.
- To produce your spend visibility dashboard and reports.
- To respond when you contact us for support.
- To meet legal obligations (tax records, fraud prevention, regulator requests).
We do not sell your data. We do not use your invoice contents to train third-party models. We do not share invoice contents with anyone outside the data processors listed below.
3. Sub-processors
We rely on the following providers to operate MroSight:
- Supabase Inc. — Postgres database, authentication, file storage. Region: London (eu-west-2).
- Vercel Inc. — application hosting and CDN.
- Cloudflare Inc. — long-term object storage (R2), domain DNS, edge caching.
- MiniMax / Anthropic / Google — large language model APIs used for invoice text extraction. Invoice text is sent to one provider per invoice; providers are contractually prohibited from retaining or training on the content. We periodically rotate providers based on cost and accuracy.
- Mailgun Technologies Inc. — outbound and inbound email.
4. International transfers
Some sub-processors operate outside the UK. Where this is the case, we rely on UK International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses.
5. Retention
- Invoice files and extracted data: retained while your account is active. You can delete an invoice or your entire account at any time from Settings.
- Account record: retained for up to 30 days after account deletion to honour billing reversals and audit obligations, then permanently erased.
- Backups: retained for up to 30 days. Deletion requests are reflected in active systems immediately and in backups on the next rotation.
6. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have it corrected if inaccurate.
- Have it erased (right to be forgotten).
- Receive a portable copy of your data.
- Restrict or object to processing.
- Lodge a complaint with the ICO (ico.org.uk).
Exercise any of these rights by emailing privacy@mrosight.com. We aim to respond within 30 days.
7. Security
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to production systems is limited to the founders and is logged. We do not store payment card data; payment processing (when introduced) will be handled by a PCI-DSS-compliant provider.
8. Cookies
See our Cookie Policy. We use only the cookies strictly necessary to keep you signed in. We do not use advertising or analytics cookies.
9. Children
MroSight is for businesses. We do not knowingly collect data from anyone under 18.
10. Changes
We may update this policy as the product evolves. Material changes will be notified by email at least 14 days before they take effect.
Questions? Email hello@mrosight.com.