Privacy Policy

It would be helpful to explain some key terms used in this policy:

We want to know if you have questions or concerns about this privacy policy, your personal information, how we're using it or to whom we're disclosing it. Feel free to contact us at any of the following:

We collect most of the personal data listed above directly from you—in person, by telephone, email and/or via our website, however, we may also collect information:

• from publicly accessible sources, e.g. websites and social media
• from a third party with your consent, e.g. your bank or building society
• from cookies on our website
• via our IT systems.

Under data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR and EU GDPR. You can find out more about lawful bases on the ICO’s website, but these may include:

• where you have given consent;
• to comply with our legal and regulatory obligations;
• for the performance of a contract with you or to take steps at your request before entering into a contract; or
• for our legitimate interests or those of a third party

A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.

Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

• Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.
• Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here. You can read more about this right here.
• Your right to erasure - You have the right to ask us to delete your personal information. You can read more about this right here.
• Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
• Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right here.
• Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy policy

Our lawful bases for collecting or using personal information to provide software and associated services and to develop and improve those services, operate customer accounts, deal with queries, complaints and claims and to conduct testing or research with respect to our services and analyse trends in how our services are used are:

• Contractual necessity – where we need personal information to perform our contract with you or to take steps at your request before entering into a contract. All of your data protection rights may apply except the right to object.
• Legitimate interests – where we are collecting or using your information because it benefits you, us or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
  • facilitating the contract between us and you, detecting and correcting errors, improving our services, safeguarding our property, preventing fraud or other crimes, and performing risk assessments. When we use your personal information, we always balance our business interests against your rights and freedoms and will not proceed if doing so would pose a threat to those rights and freedoms.

Our lawful bases for collecting or using personal information for service updates or marketing purposes are:

• Consent – where we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
• Legitimate interests - where we are collecting or using your information because it benefits you, us or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are: making sure that we can keep in touch with customers about existing services and promoting our business.

Our lawful bases for collecting or using personal information for legal requirements are:

• Legal obligation – where we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

For information on how long we keep your personal information please contact us using the details set out above.

We only retain personal information for reasonable amounts of time and only for as long as necessary to provide our services, or as required by law. We delete your information when you delete your account, unless we have to keep it to comply with applicable laws, there is an outstanding issue or claim that requires us to keep it until resolved, or the information must be retained for legitimate business purposes.

We may share your personal data with the following third parties:

• Professional or legal advisors
• Organisations we’re legally obliged to share personal information with
• Suppliers and service providers acting as processors who are used to provide and manage our cloud environment
• Other relevant third parties where we have your consent to do so.

Where necessary, we may transfer personal information outside of the UK / EEA. For example, our client databases are stored in Microsoft Azure’s Canada Central cloud region. When transferring personal information outside of the UK/EEA, we comply with the UK GDPR or the EU GDPR, making sure appropriate safeguards are in place.

For further information, please contact us using the contact information provided above.

We have appropriate security measures to prevent personal data from being lost accidentally, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality

We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the Information Commissioner (the UK data protection regulator) and/or the relevant supervisory authority in your jurisdiction. The ICO can be contacted at the following address:

For a list of EEA data protection supervisory authorities and their contact details see here.

This privacy policy was published on February 12, 2025 and last updated on February 12, 2025.

We may change this privacy policy from time to time – when we do, we will inform you via our website.