Privacy Policy
How we collect, use, and protect your personal data when you use CleanBooks, CleanReceipts, and LedgerLeads. Plain English, no hidden clauses.
This privacy policy ("Policy") applies to CleanBooks AI and was last updated May 2026. We may change or update this Policy at any time and we will update it here. We believe you should always know what data we collect from you, why we use it, and that you should be able to make informed choices about what you share with us.
This Policy explains (i) how and why we collect, store, and use your personal data when you interact with us or use our products, including CleanBooks, CleanReceipts, and LedgerLeads, and (ii) the rights you have regarding your personal data, including how to withdraw consent.
1.Who we are
CleanBooks AI Ltd, trading as CleanBooks and CleanBooks AI, is the controller for the processing described in this Policy.
Data Controller
CleanBooks AI Ltd
8 Park Parade, London, W3 9BD
Company number: 16802717
ICO Registration Number: ZC084108
Email: privacy@cleanbooksai.com
Note on our role: When you use our Services as a business customer to process the personal data of your clients, suppliers, or employees, CleanBooks acts as a data processor on your behalf. You remain the data controller for that data. Our Data Processing Agreement (DPA) governs that relationship. This Policy describes the data we process as a controller — primarily information about you as our direct user.
2.Scope and types of users
Your personal data relationship with CleanBooks AI depends on how you interact with us. You may be a visitor, a contact requester, or a customer.
| User type | What we collect & why |
|---|---|
| Visitor | Approximate location from IP, pages visited and time spent, device and browser info, cookie data, pseudonymous analytics identifier where applicable. Why: understand website performance, improve usability, maintain security and integrity of the site. |
| Contact Requester | Name, email, phone (if provided), company name (if provided), message content. Why: respond to your request, provide support, communicate with you. Marketing only where allowed by law and where consent is given. |
| Customer | Contact details of representatives, hashed credentials, contract and billing details, communication content, financial documents you upload (invoices, receipts, statements), Open Banking data via our AISP partner, integration data from connected platforms (Xero, QuickBooks, Companies House, HMRC). Why: deliver the Services, process documents through our AI, manage the relationship, administer agreements, handle invoicing. |
3.Legal bases for processing
We process personal data only when we have a valid legal basis under applicable data protection law, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
| Purpose | Legal basis |
|---|---|
| Responding to contact requests | Performance of a contract or steps at your request prior to entering into a contract, and where applicable legitimate interest |
| Delivering the Services to customers | Performance of a contract, and where applicable compliance with a legal obligation |
| Processing financial documents and Open Banking data through our AI | Performance of a contract (the Service you have asked us to provide), and explicit consent for Open Banking access under the Payment Services Regulations 2017 |
| Website analytics and improvement | Consent where required for analytics cookies, and where applicable legitimate interest for basic website measurement |
| Marketing communications | Consent where required, and where applicable legitimate interest in maintaining existing business relationships |
| Fraud prevention, security monitoring | Legitimate interest in keeping the Services secure and lawful |
| Tax, accounting, AML and other legal obligations | Legal obligation |
4.How our AI processes your data
Because our Services use artificial intelligence to extract, categorise, and analyse financial information, we want to be transparent about how this works.
| Topic | What we do |
|---|---|
| AI processing | Documents you upload (invoices, receipts, bank statements) are processed by our extraction and categorisation models to produce structured data such as line items, totals, dates, and transaction categories. |
| Sub-processors | We use trusted third-party large language model providers (such as Gemini) under enterprise terms that prohibit training on your data. A current list of sub-processors is available on request and on our Trust Vault. |
| Training on your data | Customer content is not used to train foundation models. Aggregated, anonymised usage signals may be used to improve our own product features. |
| Automated decision-making | Some outputs (transaction categorisation, confidence scoring) are produced by automated processing, but they are advisory and you can review, correct, or override them. We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing without human involvement. |
| Human review | You can request human review of any AI-generated output that materially affects you. |
5.Cookies and analytics
Our website uses cookies and similar technologies to improve user experience, maintain security, and understand website usage. Where required, we ask for your consent before placing non-essential cookies, in line with PECR.
| Cookie category | Examples & purpose |
|---|---|
| Necessary | Session and security cookies — to operate the website, enable core functionality, and protect against abuse. |
| Analytics | Google Analytics (or equivalent) — to measure traffic and usage patterns and improve the website. |
| Marketing | Only where used and allowed — to understand campaign effectiveness and deliver relevant communications where permitted. |
You can control cookies through your browser settings, or withdraw cookie consent at any time through the cookie preferences on our website.
6.Sharing personal data with third parties
We do not sell your personal data. We share personal data only when needed to run our website, provide our Services, or when required by law. We share data with service providers acting on our instructions, and we put appropriate agreements in place to protect your data, including Data Processing Agreements under Art. 28 UK GDPR.
| Recipient type | Why we share |
|---|---|
| Cloud hosting & infrastructure (Google Cloud Platform, europe-west2) | To host the Services and ensure reliable, secure delivery. |
| AI model providers (Gemini) | To process documents and transactions through our AI features under enterprise terms that prohibit training on your data. |
| Open Banking AISP partner (MoneyHub Financial Technology Limited, FCA-regulated) | To access account information you have authorised under the Payment Services Regulations 2017. |
| Integration partners (Xero, QuickBooks, Companies House, HMRC MTD) | To deliver functionality you have explicitly connected and authorised. |
| Analytics providers | To measure and analyse website and product usage and improve performance. |
| Communication & productivity tools | To manage inquiries, customer communication, and service delivery. |
| Payment processors | To process subscription billing. |
| Professional advisers & authorities | To comply with legal obligations and protect our rights and safety where required. |
7.International transfers
Some of our service providers may process data outside the United Kingdom and the European Economic Area. Where this happens, we take steps required by law to ensure adequate safeguards are in place, including reliance on:
- UK adequacy regulations (for transfers to countries the UK Government has deemed adequate)
- UK International Data Transfer Agreement (IDTA) or the Addendum to the EU Standard Contractual Clauses
- Additional technical and organisational measures, including encryption and access controls, where appropriate
8.Data retention
We keep personal data only for as long as needed for the purposes described in this Policy, unless a longer retention period is required or permitted by law (including UK accounting and AML record-keeping obligations).
| Data category | Typical retention |
|---|---|
| Contact requests & prospect data | Up to 24 months after last contact, unless a customer relationship follows or legal obligations require longer retention |
| Customer account & contract data | For the duration of the agreement and thereafter as required for legal, tax, and accounting obligations (typically up to 7 years under UK law) |
| Uploaded financial documents & Open Banking data | For the duration of your subscription, then deleted in accordance with our data deletion procedures, subject to any legal hold |
| Analytics data | As configured in the analytics settings and in line with our legitimate interests and legal requirements |
| Support & communication records | Up to 36 months after the interaction, unless a longer retention period is justified |
| Backups | Cycled out within 30–90 days of deletion from primary systems |
9.Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our information security practices are aligned with the controls of ISO/IEC 27001:2022 (Information Security Management Systems).
| Measure | Description |
|---|---|
| Access control | Access to personal data is limited to authorised personnel on a need-to-know basis, with role-based access controls and multi-factor authentication. |
| Encryption | We use TLS for data in transit and AES-256 (or equivalent) for data at rest, and apply appropriate key management practices. |
| Monitoring & incident response | We maintain processes to detect, respond to, and manage security incidents, including notification of the ICO and affected individuals where legally required (within 72 hours for personal data breaches under UK GDPR Art. 33). |
| Vendor management | We work with vendors that provide appropriate safeguards and contractually require the protection of personal data, with formal Data Processing Agreements in place. |
| Secure development | We follow secure software development practices, including code review, dependency scanning, and regular vulnerability assessment. |
| Business continuity | We maintain documented business continuity and disaster recovery plans, with regular testing. |
10.Your rights under the UK GDPR
Subject to applicable law, you have the following rights regarding your personal data.
| Right | What it means |
|---|---|
| Right to be informed | You have the right to know how and why we use your personal data. |
| Right of access | You can request a copy of the personal data we hold about you. |
| Right to rectification | You can ask us to correct inaccurate or incomplete personal data. |
| Right to erasure | You can ask us to delete your personal data in certain situations. |
| Right to restrict processing | You can ask us to limit how we use your personal data in certain situations. |
| Right to object | You can object to processing based on legitimate interests and you can always object to direct marketing. |
| Right to data portability | You can request your personal data in a structured, commonly used, machine-readable format where applicable. |
| Right to withdraw consent | Where we rely on consent, you can withdraw it at any time (see §11 below). |
| Right related to automated decision-making | You have rights related to decisions based solely on automated processing, where applicable. |
To exercise your rights, contact us at privacy@cleanbooksai.com. We may ask you to verify your identity before responding. We will respond within one month, as required by UK GDPR Art. 12(3).
If you believe your rights have been infringed, you can lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
ICO
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
11.Withdrawing your consent
Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time under UK GDPR Art. 7(3). Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
| Consent type | How to withdraw |
|---|---|
| Marketing emails | Click the unsubscribe link in any marketing email, or email privacy@cleanbooksai.com. |
| Analytics & marketing cookies | Update your preferences via the cookie preferences link on our website, or clear cookies via your browser settings. |
| Open Banking account access | Revoke access at any time within the Services (Settings → Connected Accounts → Disconnect), or directly with your bank. Under the Payment Services Regulations 2017, your bank is obliged to honour the revocation. |
| Third-party integrations (Xero, QuickBooks, etc.) | Disconnect the integration within the Services or revoke access in the third-party platform. |
| Any other consent-based processing | Email privacy@cleanbooksai.com at any time. |
Withdrawing certain consents (e.g. Open Banking access) may mean we can no longer provide some features of the Services to you.
12.Compelled disclosure
We may disclose personal data if required by law or legal process, or if needed to protect our rights, safety, and property, or those of others. Where legally permitted, we will notify you of such a request before disclosure.
13.Changes to this Policy
We may update this Policy from time to time. The latest version will always be published on this page with an updated revision date. Material changes will be communicated to Customers via email or in-product notification.
14.Data Protection Officer
For questions regarding this Policy, UK GDPR compliance, or our ISO 27001 information security management, you may contact our Data Protection Officer.
▸Make a data rights request
Under the UK General Data Protection Regulation, you have the right to access, rectify, port, delete, restrict, or object to the processing of your personal data, and to withdraw consent.
To submit a request, choose your preferred channel:
privacy@cleanbooksai.com
Subject: "Data Subject Request"
In-product
Settings → Privacy
→ Data Rights
Post
8 Park Parade
London W3 9BD
Mark "Data Protection"
Please include:
- Your full name
- The email address registered with your CleanBooks AI account (if applicable)
- The right you wish to exercise (access / rectification / erasure / portability / restriction / objection / consent withdrawal)
- Any details that help us locate the relevant data
What happens next:
- We acknowledge your request within 72 hours
- We process your request within 30 days (extendable by up to two further months for complex requests, with reasons given)
- You receive written confirmation when your request is complete
- Where you ask for erasure, all personal data within scope will be permanently deleted, subject to any overriding legal obligations (e.g. AML or tax record-keeping)
UK GDPR & ISO 27001:2022 aligned
CleanBooks AI is committed to UK GDPR compliance and operates an information security programme aligned with international standards.
