Privacy Policy
Effective Date: February 24, 2025 | Last Updated: 8 July 2026
1. Scope and Summary
This Privacy Policy explains how The IQ Suite, including ReconcileIQ, CodeIQ, LedgerIQ, PrepIQ, IQ Books and related tools
("Service", "we", "our", or "us"), collects, uses, stores and protects personal data and financial data.
We process sensitive financial workflows, so our approach is data minimisation, encryption, auditability and user control.
Some tools process files only in your browser or on a process-and-delete basis. Other account-backed workflows, such as
IQ Books ledgers, transaction coding, platform posting, VAT and ITSA review, statutory accounts, HMRC or Companies House filing
support, subscription billing and audit trails, need server-side database records so you can review, correct, post and evidence the work.
2. Our Data Protection Roles
- Controller: We act as controller for account administration, authentication, billing, product analytics, security logs, support requests and our own service operations.
- Processor: When you upload, import, sync or submit client or business records through the Service, you are normally the controller and we process that data on your instructions.
- Independent third parties: Accounting platforms, HMRC, payment providers and analytics providers may act as independent controllers or processors under their own terms when you connect or use them.
3. Information We Process
3.1 Account and Subscription Data
- Name, email address, password hash, authentication status, login events and account settings.
- Company, practice, client-account, organisation ownership, member roles, invitations and team information you add to the Service.
- Plan, subscription, credit usage, overage settings, invoices, payment status and Stripe customer or subscription identifiers.
- Support messages, feedback, referral records, product preferences and communication settings.
3.2 Financial and Client Data
- Bank statements, bank accounts, cashbooks, imported CSVs, book exports, general ledger exports, transaction drafts, journals, opening balances, invoices, quotes, credit notes, receipts, supplier bills, statements, OCR documents, attachments, VAT records, CIS records, ITSA records, chart of accounts, contacts, account codes, transaction categories and reconciliation results.
- IQ Books records such as customers, suppliers, products, stock movements and stocktakes, fixed assets and depreciation, projects, recurring templates, bank rules, audit logs, reports, statutory accounts, iXBRL tagging data and year-end close records.
- Platform data imported from or posted to services such as Xero, QuickBooks, Sage, Pandle, FreeAgent, YNAB and merchant platforms such as eBay, Amazon, PayPal, Stripe, Etsy and Square.
- OAuth tokens, platform account identifiers, sync metadata, posting results and error messages needed to provide integrations.
- HMRC-related data, where filing or MTD features are enabled, such as VAT registration numbers, National Insurance numbers, HMRC business IDs, obligations, returns, quarterly updates, final declarations, submission responses, authority tokens and required fraud-prevention/audit metadata.
- Companies House-related data, where statutory accounts or filing features are enabled, such as company registration numbers, eligibility inputs, statutory mappings, approval status, iXBRL validation output and filing responses.
3.3 Device, Usage and Security Data
- IP address, browser and device information, request timestamps, session identifiers, error logs and security events.
- Website analytics from tools such as Google Analytics, Microsoft Clarity and Cloudflare analytics, subject to applicable consent and browser controls.
- Local browser data such as authentication tokens, session state, recent reconciliation history, product preferences and cached analysis state.
- RiQ chat or voice-command content, transcripts, confirmation-card choices and interaction metadata where you use chat or voice features.
4. How We Use Data
- To provide native bookkeeping, organisation management, bank reconciliation, transaction coding, VAT review, invoice matching, merchant statement parsing, ledger analytics, working paper and reporting workflows.
- To operate IQ Books features including migrations, contacts, sales and purchase documents, online payment links, bank rules, recurring templates, stock, fixed assets, projects, audit logs, statutory accounts, iXBRL, year-end close, VAT MTD, ITSA and CIS workflows.
- To connect to accounting platforms, merchant services, payment services, HMRC and Companies House APIs when you authorise us to do so.
- To generate AI-assisted OCR, coding suggestions, review explanations, account suggestions, report commentary and RiQ chat or voice-command previews for your review.
- To maintain accounts, subscriptions, credits, overage billing, fraud prevention, support, security, audit trails and service availability.
- To improve the Service, debug errors, monitor performance and develop new features.
- To comply with legal, tax, accounting, regulatory, fraud-prevention and data protection obligations.
5. Lawful Bases
Depending on context, we rely on one or more of the following lawful bases under UK GDPR or EU GDPR:
- Contract: to provide the Service you request and manage your subscription.
- Legal obligation: to meet tax, billing, fraud-prevention, accounting and regulatory requirements.
- Legitimate interests: to secure, improve, troubleshoot and administer the Service, provided those interests are not overridden by your rights.
- Consent: for optional pattern sharing, non-essential marketing communications and cookies or analytics where consent is required.
- Processor instructions: where we handle client or business records on your behalf as processor.
6. AI Processing
The only external large-language-model provider we currently use for AI-assisted features is Google Gemini via API.
We send only the information needed for the feature being used, such as invoice text or images for OCR, transaction
context for coding review, chart-of-accounts context for account suggestions, selected analysis context for RiQ, or chat/voice-command context needed to preview an action.
- We use Gemini API as a developer API, not the consumer Gemini chat product.
- For paid Gemini API services, Google states that prompts and responses are not used to improve Google products, and processing is covered by Google's applicable data processing terms.
- We do not knowingly opt in to sharing customer financial prompts, responses or logs with Google for model training.
- AI output is advisory. Users must review accounting, tax, VAT, posting, filing and RiQ action previews before relying on them.
7. Pattern Learning and Anonymisation
CodeIQ can learn from transaction coding patterns. Personal pattern learning for your own account may be used to improve
future suggestions for you. Separate network pattern contribution is optional and controlled by your consent.
- Where you opt in, we extract limited merchant-to-account patterns and remove personal identifiers, account numbers, dates, amounts, balances, document contents and client-specific details before any wider use.
- Patterns are reviewed and aggregated before they are used to improve suggestions for other users.
- You can opt out of pattern contribution at any time. Opting out does not remove access to the Service.
8. Sharing and Subprocessors
We share data only where needed to provide, secure, bill or legally operate the Service. Categories include:
- Infrastructure and security: cloud hosting, database, storage, monitoring, logging and Cloudflare security services.
- AI processing: Google Gemini API and related Google data processing terms for AI-assisted features.
- Payments: Stripe for subscriptions, invoices, billing portal, card handling, online invoice payments, saved payment methods, credit purchases and overage payments. We do not store full card numbers.
- Analytics: Google Analytics, Microsoft Clarity and Cloudflare analytics for website and product performance, subject to applicable controls.
- Integrations: accounting platforms, merchant platforms, HMRC and Companies House when you connect accounts, import data, post transactions or submit filings.
- Legal and safety: regulators, law enforcement, professional advisers or dispute-resolution bodies where required or appropriate.
9. Retention
Retention depends on the workflow:
- Browser-only workflows: data may remain on your device until you clear browser storage or delete in-app history.
- Temporary uploads: raw uploaded files used only for conversion or reconciliation are deleted after processing unless the relevant feature explicitly saves them for your session or evidence trail.
- Account-backed sessions: transaction rows, ledger entries, review decisions, posting results, invoices, bills, attachments, VAT checks, statutory accounts, tax records, client records and audit trails may be stored while your account or session remains active so you can review, correct, post, export and evidence the work.
- Platform tokens: OAuth tokens are retained until you disconnect the integration, the token expires, your account is deleted or retention is otherwise no longer needed.
- Billing and compliance records: subscription, invoice, payment, tax and fraud-prevention records may be retained as required for legal, accounting, dispute, tax or security purposes.
- Backups and logs: encrypted backups and operational logs are retained for limited operational and security periods, then overwritten or deleted according to our internal retention schedules.
You may request deletion of account data. Some records may need to be retained where required by law, security, billing, audit or dispute obligations.
10. Security
- All information handled by the Service is encrypted in transit and at rest, using HTTPS/TLS for transit and encrypted server storage/database disks for at-rest protection.
- Sensitive records are protected using access controls and encryption appropriate to the risk.
- Passwords are hashed, and platform credentials or tokens are restricted to authorised service use.
- We use role-based and need-to-know access controls, server hardening, monitoring, patching, file validation and secure error handling.
- Where HMRC APIs are used, the Service is designed to support required fraud-prevention headers, audit data and production-access expectations.
- We maintain incident response procedures and will notify affected users and regulators where required by applicable law.
11. International Transfers
We are UK-focused, but some providers may process or access data from the UK, EEA, United States or other locations.
Where personal data is transferred internationally, we rely on recognised safeguards such as adequacy regulations,
standard contractual clauses, UK addenda, data processing agreements or equivalent lawful transfer mechanisms.
12. Your Rights
Subject to applicable law and our role as controller or processor, you may have rights to:
- Access personal data we hold about you.
- Correct inaccurate data.
- Request deletion or restriction of processing.
- Object to processing based on legitimate interests.
- Withdraw consent where processing is based on consent.
- Request portability of personal data you provided to us.
- Lodge a complaint with the UK Information Commissioner's Office or another relevant supervisory authority.
If we process data on behalf of your accountant, practice, employer or client, we may need to direct your request to that controller.
13. Cookies, Local Storage and Analytics
We use cookies, localStorage, sessionStorage and similar browser technologies for login, security, preferences, product state,
reconciliation history, analytics and fraud prevention. You can clear local browser data through your browser settings, but doing
so may remove saved history or sign you out.
14. Children
The Service is intended for businesses, accountants, bookkeepers and adult users. It is not directed to children or users under 18.
15. Changes to This Policy
We may update this Privacy Policy as the Service, law or our subprocessors change. Material updates will be indicated by the
"Last Updated" date and, where appropriate, in-product notice or email.