1. Information We Collect

We collect and process the following categories of information:

1.1 Account Information

• Full name and email address
• Company name and registration details
• VAT registration number (if applicable)
• Business address and contact information
• Account credentials (passwords are encrypted and never stored in plain text)

1.2 Financial Data

• Transaction records (income and expenses)
• Invoice and payment information
• Bank account details for reconciliation purposes
• VAT submissions and tax-related data
• Integration data from connected platforms (Shopify, WooCommerce, Stripe)

1.3 Technical Data

• IP address and browser type
• Device information and operating system
• Usage patterns and feature interactions
• Login timestamps and session data

1.4 HMRC Fraud Prevention Data

When you use our HMRC Making Tax Digital (MTD) features, we are legally required to collect and transmit the following data to HMRC for fraud prevention purposes:

• Device identifier (unique ID for your device)
• Screen resolution and window size
• Browser plugins and user agent
• Timezone information
• IP address and connection timestamps
• Do Not Track browser setting

2. How We Use Your Information

Your information is used for the following purposes:

• Service Provision: To provide accounting, bookkeeping, and financial management services
• HMRC Compliance: To facilitate Making Tax Digital (MTD) submissions and VAT returns
• Account Management: To manage your account, process payments, and provide customer support
• Service Improvement: To analyse usage patterns and improve our platform
• Legal Compliance: To comply with UK accounting standards and regulatory requirements
• Communication: To send important updates about your account and the service

3. Data Retention

We retain your data as follows:

• Financial Records: Retained for 6 years to comply with HMRC requirements
• Account Information: Retained while your account is active and for 6 years after closure
• Technical Logs: Retained for 12 months for security and troubleshooting purposes
• Marketing Preferences: Retained until you withdraw consent

When you delete your account, we strongly recommend exporting all financial data first. You are legally responsible for maintaining your own records for the required retention period.

4. Data Security

We implement robust security measures to protect your data:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Strict role-based access controls and authentication
• Infrastructure: Hosted on secure, SOC 2 compliant cloud infrastructure
• Monitoring: Continuous security monitoring and regular vulnerability assessments
• Data Isolation: Each user's data is logically separated using Row Level Security
• Backups: Regular encrypted backups with secure off-site storage

5. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (subject to legal retention requirements)
• Right to Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing of your data for specific purposes
• Right to Restrict Processing: Request limitation of how we use your data

To exercise any of these rights, please contact us using the details below. We will respond to your request within one month.

6. Third-Party Services

We may share your data with the following categories of third parties:

• HMRC: For VAT submissions and Making Tax Digital compliance
• Payment Processors: To process subscription payments securely
• Cloud Providers: For secure data hosting and storage
• Integration Partners: When you connect Shopify, WooCommerce, or Stripe

We only share the minimum data necessary and ensure all third parties meet our data protection standards through appropriate contracts and due diligence.

7. Cookies and Tracking

We use essential cookies to:

• Maintain your login session
• Remember your preferences (e.g., dark mode)
• Ensure security and prevent fraud

We do not use third-party advertising or tracking cookies. Analytics data is anonymised and used solely to improve our service.

8. International Transfers

Your data is primarily stored within the United Kingdom and European Economic Area. Where data is transferred outside these regions, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).

9. Data Breach Response

In the event of a security breach affecting personal or customer data, we have established procedures to respond promptly and in compliance with UK regulations:

9.1 Our Breach Response Process

• Immediate Containment: Take immediate steps to contain the breach and prevent further data loss
• Assessment: Assess the scope, nature, and potential impact of the breach
• Regulatory Reporting: Notify HMRC and ICO within 72 hours where required
• User Notification: Inform affected users without undue delay if the breach poses a high risk to their rights and freedoms
• Documentation: Maintain detailed records of all breaches and remedial actions taken
• Review: Conduct post-incident review to prevent future occurrences

9.2 User Notification

If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly via email, providing details of the breach, potential consequences, and measures we have taken or recommend you take to protect yourself.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by email and by posting a notice on our platform. Your continued use of the service after such changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

For data protection specific inquiries, please include "Data Protection Request" in your message subject. We will respond to your request within one month as required by UK GDPR.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated. Visit ico.org.uk for more information.