Thistle
We built Thistle to respect your business, which means respecting your data. No selling, no snooping, just security.
We are clear about exactly what data we collect (mostly just your email and financial records) and why we need it to make the app work.
We do not sell, rent, or trade your personal or financial information to third parties. Period. We make money from your subscription, not your data.
Your business is your business. At Thistle, we believe your financial privacy is sacred. We collect your business name and email address to manage your account, but your raw financial data is strictly for your eyes only. We do not 'look' at your individual invoices, your client names, or your specific expense descriptions. No one at Thistle has a 'back door' into your private ledgers.
When you connect Thistle to HMRC, you grant us permission to act as your digital agent. We securely transmit your VAT returns and fetch your tax obligations using OAuth 2.0—meaning we never see or store your Government Gateway password. We only share the precise financial data required for your legally mandated tax returns, and nothing else.
To show the scale and reliability of the platform on our landing page (e.g., the total volume of all invoices processed), we look only at anonymized, high-level aggregate totals. We do not track who sent them or who received them, and our system is architected to separate these totals from individual user profiles.
When you use Stripe, your financial details are encrypted and handled entirely by their bank-grade infrastructure. Thistle never sees or stores your full credit card or bank account details. We make money from your subscription, not your data.
We use bank-level encryption (AES-256) to protect your data both during transmission (TLS 1.3) and while it's stored on our servers (AES-256 at rest). Our infrastructure is hosted on Google Cloud, leveraging some of the world's most advanced physical and digital security protocols to ensure your sensitive financial records are never compromised.
As a UK-based company, we are fully committed to the UK GDPR. You have the right to access your data, correct it, or ask us to delete it entirely ('The Right to be Forgotten'). Simply email our support team and we will process your request within 48 hours.
We process your data under several lawful bases defined by GDPR: (1) Contractual Necessity: to provide the service you've signed up for; (2) Legal Obligation: to facilitate your mandatory tax filings with HMRC via MTD; and (3) Consent: for optional integrations like bank feeds.
In accordance with UK tax laws, we retain your digital business records for a minimum of 6 years. If you choose to delete your account, we will purge all personal identifiers after the mandatory retention period, or provide you with a full export to maintain your own legal compliance.
Want to take your records elsewhere? We make it easy to export every single entry.