IQ Suite
Legal Privacy Terms GDPR

GDPR Policy

Effective Date: February 24, 2025 | Last Updated: 8 July 2026

1. Introduction

This GDPR Policy explains how The IQ Suite, including ReconcileIQ, CodeIQ, LedgerIQ, PrepIQ, IQ Books and related tools ("Service", "we", "our", or "us"), handles personal data under UK GDPR, EU GDPR and the Data Protection Act 2018. It supplements our Privacy Policy and forms part of our Data Processing Agreement with business users where we act as processor.

2. Roles and Responsibilities

  • We act as controller for our own account, billing, website analytics, security, support and service-administration data.
  • We act as processor where you upload, import, sync, analyse, post or submit business or client records through the Service.
  • You act as controller for personal data in your own or your clients' financial records, unless a separate written agreement says otherwise.
  • Third-party platforms such as accounting platforms, merchant platforms, HMRC, Stripe, Google and analytics providers may act as processors or independent controllers under their own terms.

3. GDPR Principles

  • Lawfulness, fairness and transparency: We publish clear privacy, GDPR and security information and process data only where we have a lawful basis or documented controller instruction.
  • Purpose limitation: Data is used to provide the requested accounting, bookkeeping, filing, billing, security and support workflows.
  • Data minimisation: We limit data sent to subprocessors, including AI providers, to what is needed for the feature being used.
  • Accuracy: Users can correct account data and are responsible for reviewing financial records and outputs before use.
  • Storage limitation: Data is kept only for the periods needed for the relevant workflow, legal obligation, audit trail, security or billing record.
  • Integrity and confidentiality: We encrypt all information in transit and at rest, and use access controls, monitoring and secure development practices.
  • Accountability: We maintain records of processing activities, consent records, audit trails and security controls appropriate to the Service.

4. Data Processing Agreement

This section is our standard Data Processing Agreement ("DPA") for personal data we process on behalf of a business user.

4.1 Processing Details

  • Subject matter: Accounting, native bookkeeping ledger, organisation and team access, reconciliation, transaction coding, VAT review, invoice matching, ledger analysis, working papers, platform posting, reporting, statutory accounts, Companies House, HMRC MTD, ITSA and CIS-related workflows.
  • Nature and purpose: Uploading, importing, migrating, parsing, matching, classifying, analysing, storing, reviewing, exporting, posting, submitting, filing and auditing financial records on the controller's instructions.
  • Duration: For the account, session, integration or workflow duration, plus any period needed for backups, logs, legal obligations, audit, billing, dispute handling or deletion processing.
  • Types of data: Financial transaction data, invoices, quotes, credit notes, receipts, supplier bills, attachments, bank records, ledger records, stock records, fixed assets, project tags, recurring templates, contact names, account codes, VAT codes, CIS deductions, ITSA figures, statutory accounts, iXBRL data, client records, user identifiers, platform identifiers, HMRC identifiers, Companies House identifiers and audit metadata.
  • Data subjects: Users, clients, staff, suppliers, customers, payees, payers and other persons appearing in financial records.

4.2 Processor Obligations

Where we act as processor, we will:

  • process personal data only on documented instructions from the controller, including these Terms and in-product instructions;
  • ensure authorised personnel are bound by confidentiality obligations;
  • implement appropriate technical and organisational measures;
  • assist with data subject requests, security obligations, breach notices and data protection impact assessments where reasonably possible;
  • delete or return personal data at the end of processing, unless retention is required by law or legitimate security, billing, audit or dispute obligations;
  • make reasonable information available to demonstrate compliance; and
  • impose appropriate data protection obligations on subprocessors.

4.3 Controller Obligations

Where you act as controller, you must:

  • have a lawful basis and all permissions needed to process and upload the data;
  • provide privacy information to your clients, staff and other data subjects where required;
  • ensure instructions you give us are lawful, accurate and complete;
  • review outputs before using them for accounts, VAT, tax, filing, payroll, advice or platform posting; and
  • handle data subject requests where you are the controller.

5. Subprocessors and Recipients

You give general authorisation for us to use subprocessors and integration recipients needed to provide the Service. Current categories include:

  • cloud hosting, database, backup, monitoring, logging and security providers;
  • Cloudflare for security, routing and analytics;
  • Google Gemini API for AI-assisted features and Google services for analytics where used;
  • Microsoft Clarity for website analytics where used;
  • Stripe for payment processing, billing, invoices and customer portal;
  • accounting, merchant, bank-feed and HMRC APIs that you connect or authorise.

We will not knowingly use a subprocessor in a way that materially weakens the protection of personal data.

6. AI Processing

AI-assisted features use Google Gemini via API. We limit prompts to the minimum practical context for the feature, such as invoice OCR, transaction coding review, account suggestions or report analysis. AI output is not a final accounting, tax or legal decision and must be reviewed by the user. Where RiQ chat or voice features are used, command content, transcripts and relevant ledger context may be processed to understand the request and show a confirmation preview before action.

For paid Gemini API services, Google states that prompts and responses are not used to improve Google products and are processed under Google's applicable data processing terms.

7. HMRC, Companies House and Fraud-Prevention Data

Where HMRC MTD, VAT, ITSA or Self Assessment features are used, HMRC requires certain fraud-prevention and audit metadata to be sent with API requests. This can include device, connection, user-agent and other audit fields required by HMRC specifications. We process and transmit this data to support lawful HMRC API use and production-access expectations.

Where statutory accounts or Companies House filing features are used, we process company registration numbers, statutory-account mappings, approval records, iXBRL validation data and filing responses needed to prepare, validate, approve and submit accounts.

8. Data Subject Rights

Individuals may have rights of access, rectification, erasure, restriction, objection, portability, withdrawal of consent and complaint to a supervisory authority. Where we are controller, we will respond to valid requests. Where we are processor, we will normally refer the request to the relevant controller or assist that controller where reasonably possible.

9. Records, Retention and Deletion

We maintain records of processing activities appropriate to our size, products and risk profile. Retention depends on the workflow: browser-only data may remain on the user's device; temporary uploads may be deleted after processing unless kept as an attachment or evidence record; account-backed ledgers, sessions, audit trails, platform tokens, HMRC records, Companies House records, billing records and security logs may be retained while needed for the Service, legal obligations, audit, security, billing, disputes or deletion processing.

10. Security Measures

  • All information handled by the Service is encrypted in transit and at rest.
  • HTTPS/TLS for transit, with encrypted server storage/database disks and encrypted storage appropriate to the data type for at-rest protection.
  • Password hashing, token controls, access restrictions and need-to-know internal access.
  • Input validation, file scanning/validation, secure error handling, monitoring and patching.
  • Audit trails for security, platform posting, billing, consent and HMRC-relevant workflows.
  • Secure development, dependency review and vulnerability response processes.

11. Personal Data Breaches

If we become aware of a personal data breach affecting data for which we are processor, we will notify the relevant controller without undue delay and provide information reasonably needed for the controller's Article 33 and Article 34 obligations. Where we are controller, we will notify the ICO or affected individuals where required by law.

12. International Transfers

Some providers may process personal data in the UK, EEA, United States or other jurisdictions. Where required, we use lawful transfer safeguards such as adequacy regulations, standard contractual clauses, UK addenda, data processing agreements or equivalent mechanisms.

13. Contact

For GDPR-related inquiries, contact: [email protected]

© 2026 IQ Suite
Legal Privacy Terms Support