FinanceFlow UK — Privacy Policy
Website: https://financeflow.accountant
Note: This Privacy Policy is a comprehensive template. Certain fields marked with [BRACKETS] should be completed with your company details before publication. We recommend having this policy reviewed by a qualified solicitor specialising in data protection law.
1. Introduction
This Privacy Policy explains how FinanceFlow UK ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our cloud-based accounting platform at https://financeflow.accountant ("Platform"). We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy should be read alongside our Terms of Service, which govern your use of the Platform.
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account Information
When you register for the Platform, we collect your name, email address, and authentication credentials. If you subscribe to a paid plan, we also collect billing information including your payment card details (processed securely by our payment provider — we do not store full card numbers).
2.2 Business Information
To provide our accounting services, we collect information about your business, including your business name, registered address, company registration number, VAT registration number, financial year end date, VAT scheme, and industry sector.
2.3 Financial Data
When you upload bank statements or enter financial information, we process transaction data including dates, amounts, descriptions, payee/payer names, and account references. This data may include personal data of third parties (such as customer or supplier names appearing in transaction descriptions).
2.4 HMRC Data
If you connect your account to HMRC via Making Tax Digital, we process your VAT Registration Number, VAT obligations, and VAT return data. We also transmit fraud prevention headers to HMRC as required by their API terms, which may include your IP address, device information, and connection method.
2.5 Usage Data
We automatically collect technical data about your use of the Platform, including your IP address, browser type and version, operating system, pages visited, features used, timestamps, and referring URLs. We use this data to improve the Platform and ensure security.
2.6 Communication Data
If you contact us for support or provide feedback, we collect the content of your communications along with your name and email address.
3. How We Use Your Data
We process your personal data for the following purposes and on the following legal bases under UK GDPR:
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing the Platform and its features | Performance of contract (Article 6(1)(b)) |
| Processing financial data and generating reports | Performance of contract (Article 6(1)(b)) |
| Submitting VAT returns to HMRC on your behalf | Performance of contract (Article 6(1)(b)) |
| Processing subscription payments | Performance of contract (Article 6(1)(b)) |
| Transmitting fraud prevention headers to HMRC | Legal obligation (Article 6(1)(c)) |
| Maintaining audit trails of financial actions | Legal obligation (Article 6(1)(c)) |
| Preventing fraud and ensuring platform security | Legitimate interests (Article 6(1)(f)) |
| Improving the Platform and analysing usage | Legitimate interests (Article 6(1)(f)) |
| Sending marketing communications (with consent) | Consent (Article 6(1)(a)) |
| AI-powered transaction categorisation and analysis | Performance of contract (Article 6(1)(b)) |
4. AI Processing
The Platform uses artificial intelligence to categorise transactions, analyse financial patterns, and provide recommendations. This processing is automated but does not constitute solely automated decision-making with legal or similarly significant effects under Article 22 of UK GDPR, because all AI outputs are presented as suggestions for your review and you retain full control over whether to accept, modify, or reject them.
AI processing is performed using third-party large language model providers. When your financial data is processed by AI, transaction descriptions and amounts are sent to the AI provider in anonymised form (without your name, account numbers, or other directly identifying information). We have data processing agreements in place with all AI providers.
5. Data Sharing
We do not sell your personal data. We share your data only in the following circumstances:
HMRC. When you submit VAT returns or other filings through the Platform, your financial data and fraud prevention headers are transmitted to HMRC via their Making Tax Digital API. HMRC is an independent data controller for data they receive.
Payment processors. Subscription payments are processed by our payment provider, who acts as an independent data controller for payment data. They are PCI DSS compliant.
Cloud infrastructure providers. Your data is stored on secure cloud servers. Our infrastructure providers act as data processors under written data processing agreements.
AI service providers. Transaction data is processed by AI providers for categorisation and analysis purposes. These providers act as data processors and are contractually prohibited from using your data for any other purpose.
Legal requirements. We may disclose your data if required by law, regulation, legal process, or governmental request.
Business transfers. In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections.
6. Data Retention
We retain your data for the following periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 90 days | Service provision and post-cancellation retrieval |
| Financial transaction data | 7 years from end of tax year | HMRC requires 6+ years of records |
| VAT return records | 7 years from submission | HMRC record-keeping (VAT Regulations 1995) |
| Audit trail logs | 7 years from creation | HMRC compliance requirements |
| Generated reports and accounts | 7 years from generation | Companies Act 2006 (6 years for private cos) |
| Usage and technical data | 2 years | Platform improvement and security |
| Support communications | 3 years | Service quality and dispute resolution |
| Consent records | Duration of consent + 3 years | Evidence of lawful processing |
After the applicable retention period, data is securely deleted or anonymised. Where you exercise your right to erasure, we will delete your data except where we are legally required to retain it (for example, HMRC record-keeping obligations).
7. Data Security
Technical measures: All data is encrypted in transit using TLS 1.2 or higher. Access to production systems is restricted to authorised personnel using multi-factor authentication. We conduct regular security assessments and vulnerability testing. Database access is logged and monitored.
Organisational measures: Access to personal data is limited to personnel who require it for their role. All personnel with access to personal data are bound by confidentiality obligations. We maintain an incident response plan for data breaches.
Third-party security: All third-party processors are selected based on their security practices and are bound by data processing agreements that require them to implement appropriate security measures.
While we take all reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. International Data Transfers
Your data is primarily stored and processed within the United Kingdom and the European Economic Area. Where data is transferred outside the UK (for example, to AI service providers), we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs) or transfers to countries with UK adequacy decisions.
9. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
Right of access (Article 15). You may request a copy of the personal data we hold about you. We will respond within one month.
Right to rectification (Article 16). You may request that we correct inaccurate personal data or complete incomplete data.
Right to erasure (Article 17). You may request that we delete your personal data, subject to our legal obligations to retain certain records. Where we cannot delete data due to legal requirements, we will inform you of the specific reason and the applicable retention period.
Right to restriction of processing (Article 18). You may request that we restrict the processing of your data in certain circumstances.
Right to data portability (Article 20). You may request a copy of your data in a structured, commonly used, machine-readable format (JSON or CSV). The Platform includes a data export feature.
Right to object (Article 21). You may object to processing based on legitimate interests.
Right to withdraw consent (Article 7(3)). Where processing is based on consent, you may withdraw consent at any time.
Right to lodge a complaint. You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk/make-a-complaint/ or by calling 0303 123 1113.
To exercise any of these rights, use the Data Protection settings within the Platform. We will respond to all requests within one month.
10. Cookies
The Platform uses essential cookies required for authentication and session management. These cookies are strictly necessary for the Platform to function and do not require consent under the Privacy and Electronic Communications Regulations 2003 (PECR).
We do not use advertising cookies or tracking cookies from third-party advertising networks.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Maintains your login session | Strictly necessary | Session |
| Preference cookies | Stores display preferences | Strictly necessary | 1 year |
11. Children's Data
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
12. Third-Party Links
The Platform may contain links to third-party websites, including HMRC and Companies House. We are not responsible for the privacy practices of these websites.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, as required by Article 33 of UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Platform at least 30 days before they take effect.
15. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
FinanceFlow UK
Email: [email protected]
Website: https://financeflow.accountant
Contact Form: financeflow.accountant/contact
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: https://ico.org.uk
This Privacy Policy is provided as a template and should be reviewed by a qualified solicitor specialising in data protection law before publication. FinanceFlow UK recommends obtaining independent legal advice to ensure this policy is appropriate for your specific business circumstances and fully compliant with UK GDPR.