Last updated: 2 May 2026 · v1.0

Privacy Policy

AccBooks AI ("we", "our", "us") provides AI-powered accounts production for accountants and small businesses. This policy explains what personal and company data we collect, how we use it, how long we keep it, and the rights you have over it under the UK GDPR and the EU GDPR.

1. Who is the controller?

For data you upload about your own business, you are the controller and AccBooks AI is the processor. For data we collect about you as an individual user (your account, login activity, support requests), AccBooks AI is the controller.

2. What we collect

• Account data — your name, email address, hashed password, role and notification preferences.
• Bookkeeping data — every transaction, journal, document and report you upload or that we generate from those uploads.
• AI reasoning records — the prompt, model, evidence ids, confidence and short explanation associated with each classification we make. These help us audit our own AI and improve it over time.
• Audit log — a per-company log of meaningful actions (postings, filings, invitations, deletions) so business owners and their accountants can trace what changed and when.
• Operational data — IP address, user agent and timestamps for security purposes.

3. Why we use it

We process your data to provide the service (Article 6(1)(b) — contract), to comply with our own legal obligations such as record-keeping (Article 6(1)(c)), and where appropriate to pursue our legitimate interests in improving the product (Article 6(1)(f)).

4. Sub-processors

We use a small set of vetted sub-processors: cloud hosting (Replit Deployments / GCP), transactional email (configurable), large-language model providers (configurable, opt-out via the Reasoning Audit page) and HMRC for VAT submissions. A current list is available on request.

5. Retention

Bookkeeping records are retained for the statutory minimums applicable to your jurisdiction (six years for UK companies). Personal data attached to a deleted user account is removed after a 30-day soft-delete grace window; AI reasoning records that referenced you are anonymised on the same tick. A scheduled job runs every night (around 03:15 UTC) to action any deletions whose grace window has just elapsed, so the 30-day deadline is honoured even when no one is signed in.

During the 30-day grace window your account remains active: you stay signed in, can continue using AccBooks AI, and every authenticated page surfaces a banner with a one-click "Cancel deletion" button so you can reverse the request at any time before the deadline. Once the deadline passes, the deletion runs automatically and is irreversible.

6. Your rights

You can, at any time:

• Export a complete ZIP of every record we hold about you (CSV + JSON + originals + a manifest) from Settings → Privacy in the app.
• Schedule deletion of your account or any company you own from the same page. We hold the data for 30 days so you can change your mind, then erase it permanently and anonymise the associated AI reasoning audit trail.
• Transfer ownership of any company before deletion so your colleagues retain access.
• Object, restrict or correct — contact us at the address below.
• Lodge a complaint with the UK ICO (ico.org.uk) or your national data protection authority.

7. International transfers

Where data is transferred outside the UK / EEA we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, plus supplementary technical measures (encryption in transit and at rest).

8. Security

Passwords are hashed with bcrypt; sessions are bound to opaque random tokens; every database table is enforced with row-level security so a tenant can never read another tenant's data. We log every meaningful state change to a per-company audit log.

9. Contact

Email [email protected] with any privacy question, subject access request or rectification request.

You can manage privacy and deletion options inside the app at Settings → Privacy.