Privacy Policy

Last updated: 8 May 2026

1. Introduction

This Privacy Policy explains how INFO Consultants ("we", "us", "our"), operating the ICBAS (Info Consultants Bespoke Accounting Software) platform, collects, uses, stores, and protects your personal data. We are committed to safeguarding your privacy in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable UK data protection legislation.

INFO Consultants is the data controller for the personal data processed through this platform. If you have any questions about this policy or our data practices, please contact us using the details provided in Section 14.

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Account Information

  • Full name, email address, telephone number
  • Business name and registered address
  • User credentials (passwords are stored in hashed form only)
  • Role and permission settings within your practice

2.2 Client Data

  • Client names, addresses, contact details, and business information
  • Tax reference numbers: UTR (Unique Taxpayer Reference), VAT Registration Number, PAYE references, National Insurance numbers
  • Financial records: invoices, bank transactions, payroll data, tax returns
  • Director and officer information, including dates of birth and residential addresses
  • AML (Anti-Money Laundering) compliance records: identity verification documents, risk assessments, PEP screening results

2.3 Financial Data

  • Bank account details and transaction history (via Open Banking)
  • Payment card information (processed by third-party payment providers; we do not store card numbers)
  • Invoice and billing records

2.4 HMRC Data

  • VAT obligations, returns, liabilities, and payment records
  • Self Assessment data including income sources, quarterly updates, and final declarations
  • PAYE Real Time Information submissions: Full Payment Submissions (FPS), Employer Payment Summaries (EPS) and Earlier Year Updates (EYU)
  • OAuth tokens for HMRC API access (encrypted at rest)

2.5 Technical Data

  • IP address, browser type, operating system
  • Usage data and activity logs within the platform
  • Session data and authentication tokens

3. Lawful Basis for Processing

We process personal data under the following lawful bases as defined by Article 6 of the UK GDPR:

  • Contract (Art. 6(1)(b)): Processing necessary to perform our contract with you, including providing accounting software services, managing your account, and processing payments.
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with UK law, including Making Tax Digital (MTD) requirements, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), the Proceeds of Crime Act 2002 (POCA 2002), the Companies Act 2006, and HMRC record-keeping obligations.
  • Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement, and analytics, where such interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)): Where we rely on consent (e.g., optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

4. Special Category Data

In the course of providing accounting and compliance services, we may process special category data (Article 9 of the UK GDPR) and data relating to criminal convictions or offences (Article 10 of the UK GDPR) where strictly necessary. In practice this arises in AML compliance: politically exposed person (PEP) screening results and records connected with Suspicious Activity Reports. Such processing is carried out under the conditions in Schedule 1, Part 2 of the Data Protection Act 2018 for reasons of substantial public interest, specifically the prevention of fraud and the detection of money laundering and terrorist financing.

5. How We Use Your Data

We use your personal data to:

  • Provide and maintain the ICBAS platform and your account
  • Process accounting transactions, payroll, and tax submissions on your behalf
  • Submit VAT returns, Self Assessment, PAYE, and other statutory filings to HMRC via the Making Tax Digital API
  • Connect to your bank accounts via Open Banking (Nordigen/GoCardless) to retrieve transaction data
  • Perform AML due diligence, identity verification, risk assessments, and ongoing monitoring as required by MLR 2017
  • Generate invoices, estimates, payslips, and other financial documents
  • Facilitate the Client Portal for document sharing, messaging, and invoice viewing
  • Send transactional emails (e.g., invoice notifications, document requests, booking confirmations)
  • Monitor platform security, prevent fraud, and maintain audit trails
  • Comply with legal and regulatory obligations

6. Data Sharing and Third Parties

We share personal data only where necessary and with appropriate safeguards:

  • HMRC: Tax returns, payroll submissions, and VAT data are transmitted directly to HMRC via their secure API as required by law.
  • Companies House: Company filing and officer data is retrieved from and submitted to Companies House as required.
  • Open Banking Providers: We use authorised Account Information Service Providers (AISPs) regulated by the FCA to securely retrieve bank transaction data with your explicit consent.
  • Payment Processors: Payment transactions are processed by PCI DSS-compliant third-party payment providers. We do not store or have access to full payment card details.
  • Cloud Infrastructure: Data is hosted on secure servers; uploaded files and documents may be stored in AWS S3, encrypted at rest and in transit.
  • Law Enforcement: We may disclose data where required by law, court order, or regulatory requirement, including Suspicious Activity Reports to the National Crime Agency (NCA) under POCA 2002.

We do not sell your personal data to third parties. We do not share data with third parties for their marketing purposes.

7. International Transfers

We primarily process and store data within the United Kingdom and the European Economic Area. Where data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, including UK adequacy regulations, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), or binding corporate rules.

8. Data Retention

We retain personal data in accordance with the following retention periods, as required by UK law and professional standards:

  • Tax records and returns: Minimum 6 years from the end of the relevant tax year (VATA 1994, TMA 1970)
  • AML compliance records: Minimum 5 years from the end of the business relationship (MLR 2017, Reg. 40)
  • Accounting and client notes: Minimum 7 years (ACCA/ICAEW professional requirements)
  • Invoices and billing records: Minimum 6 years (Limitation Act 1980, VATA 1994)
  • Payroll records: Minimum 3 years after the end of the tax year to which they relate (PAYE Regulations 2003)
  • Working papers and work journal entries: Minimum 7 years (ISQM 1 quality management standards)
  • Activity logs and audit trails: Minimum 7 years for regulatory compliance
  • Account data: Retained for the duration of your account plus 7 years after closure

We use soft deletion where appropriate within retention periods. Data is permanently deleted after the applicable retention period expires, unless a longer period is required by law or ongoing legal proceedings.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Encryption of sensitive identifiers (UTR, VRN, National Insurance numbers) at the database level
  • Masking of sensitive identifiers in the user interface (e.g., a UTR is displayed with only its last four digits visible)
  • Secure password hashing using bcrypt
  • Role-based access control with practice-level data isolation (multi-tenancy)
  • Separate authentication systems for practice users and portal clients
  • OAuth 2.0 for HMRC API authentication with encrypted token storage
  • Comprehensive audit logging of all data access and modifications
  • Regular security monitoring and access reviews

10. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): You may request deletion of your data, subject to our legal retention obligations. We cannot delete data required for tax, AML, or other statutory compliance.
  • Right to Restriction (Art. 18): You may request that we limit processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): You may object to processing based on legitimate interests.
  • Rights Related to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, please contact us using the details in Section 14. We will respond within one month of receiving your request, as required by law. We may extend this by up to two months for complex requests, in which case we will notify you.

11. Cookies and Tracking

The ICBAS platform uses essential cookies that are strictly necessary for the operation of the service, including session management and CSRF protection. These cookies do not require consent under the Privacy and Electronic Communications Regulations 2003 (PECR) as they are essential for the service you have requested.

We do not use third-party advertising cookies or cross-site tracking technologies.

12. Children's Data

The ICBAS platform is designed for use by accounting professionals and businesses. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email or through a prominent notice on the platform. The "Last updated" date at the top of this policy indicates when it was last revised.

14. Contact and Complaints

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact:

INFO Consultants
Data Protection Enquiries
Email: privacy@infoconsultants.co.uk

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk

© 2026 INFO Consultants. All rights reserved.