
Privacy Policy

How AccountantPortal handles personal data across the website, business app, client portals, integrations and billing.

Last updated: 5 May 2026

Quick facts

Applies to: Website visitors, business users, team members and invited client portal users.
Main law: UK GDPR and the Data Protection Act 2018.
Controller: AccountantPortal is a trading name of IT BOFFINS LTD, company number 12408554.
Registered office: 20 Tanners Drive, Blakelands, Milton Keynes, England, MK14 5BN
Contact: hello@accountantportal.co.uk
Your rights: Access, correction, deletion, restriction, objection, portability and complaint rights may apply depending on the data and context.

On this page

  1. Overview
  2. Who is responsible for your data
  3. Personal data we may collect
  4. How we use personal data
  5. Client portal data
  6. Files, forms and agreements
  7. Xero and integrations
  8. Cookies and similar technologies
  9. Who we share data with
  10. International transfers
  11. How long data is kept
  12. Your data protection rights
  13. Security
  14. Children and regulated data
  15. Changes and contact
01

Overview

AccountantPortal is a trading name of IT BOFFINS LTD, a company registered in England and Wales with company number 12408554. This Privacy Policy explains how AccountantPortal handles personal data when you visit the website, create or use a business account, access a client portal, complete forms, upload files, accept agreements, connect Xero or manage billing.
  • We use clear privacy information because UK GDPR requires personal data to be handled lawfully, fairly and transparently.
  • The exact data processed depends on how a business configures its portal and which features are enabled.
  • A practice using AccountantPortal may also need to give its own clients a privacy notice explaining how that practice uses personal data inside its portal.
  • This policy should be read with our Terms of Service and any data processing agreement that applies to a practice workspace.
02

Who is responsible for your data

Data protection law distinguishes between a controller, which decides why and how personal data is used, and a processor, which processes personal data on behalf of a controller.
  • IT BOFFINS LTD, trading as AccountantPortal, is usually the controller for website enquiries, demo requests, business account administration, billing, service security, product analytics, support messages and our own legal compliance.
  • The accountancy practice that creates an AccountantPortal workspace is usually the controller for client records, client contacts, uploaded files, form answers, agreement documents, agreement acceptances and portal instructions that it manages through AccountantPortal.
  • AccountantPortal is usually the processor for that client portal data, acting on the practice's instructions to host, secure, display, transmit and support it.
  • Where a practice connects Xero or another third-party integration, the practice remains responsible for deciding what data should be connected and shown to its client portal users.
  • If you are an invited client portal user and your request relates to data controlled by the business that invited you, we may direct you to that business or help them respond.
Registered office: 20 Tanners Drive, Blakelands, Milton Keynes, England, MK14 5BN.
03

Personal data we may collect

We collect or receive personal data directly from you, from the business that invited you, from team members using a workspace, from connected integrations and from technical systems that keep the service running.
  • Identity and contact data, such as name, email address, phone number, practice name, role, client organisation and portal invitation details.
  • Account data, such as login credentials, authentication events, password reset records, tenant memberships, user roles, workspace settings and support preferences.
  • Practice and portal data, such as client records, contact records, portal branding, support email addresses, custom domains, forms, files, agreement templates, assignment records and acceptance history.
  • Uploaded content, such as documents, images, proofs of address, IDs, job photos, financial documents, completed forms and other files a business or client portal user chooses to upload.
  • Xero integration data, such as OAuth connection details, linked contacts, invoice references, invoice status, amounts, dates and simplified finance views where a business connects Xero.
  • Technical data, such as IP address, device and browser details, user agent, page views, session events, audit logs, security logs, error logs and cookie or similar technology identifiers.
  • Communications data, such as demo requests, support messages, feedback, email delivery records and administrative correspondence.
04

How we use personal data

We use personal data only where we have a lawful reason. The lawful basis may differ depending on whether we are acting as controller or processor.
  • To provide the service, including account creation, sign-in, client invitations, tenant routing, portal access, file delivery, form completion, agreement acceptance, workspace settings and support.
  • To manage subscriptions, payments, billing, plan limits, support, onboarding and service communications.
  • To keep AccountantPortal secure, including authentication, access control, tenant isolation, audit logging, abuse prevention, malware or file validation signals, troubleshooting and incident response.
  • To operate integrations, including Xero-connected invoice views and any email, hosting, storage, file-scanning, analytics or monitoring provider needed for enabled features.
  • To improve AccountantPortal, including product diagnostics, aggregated usage insights, testing, debugging and service reliability work.
  • To meet legal, tax, accounting, regulatory, dispute resolution and record-keeping obligations.
  • To send marketing or product updates where permitted by law and your choices. You can opt out of marketing messages at any time.
Common lawful bases include contract, legitimate interests, consent, legal obligation and, where a business controls portal data, the business's own lawful basis under UK GDPR.
05

Client portal data

A client portal is controlled by the business that invited the client. AccountantPortal provides the software infrastructure and access controls that allow that business to operate the portal.
  • The inviting practice decides which clients are added, which contacts are invited, what forms and agreements are assigned, which files are shared, and which Xero information or custom report data is visible.
  • Client portal users should contact the inviting practice first for questions about why data is requested, how long it is kept, or whether a file, form answer or agreement record should be corrected or deleted.
  • AccountantPortal may process portal activity records, IP addresses and user agents to provide security, audit history and evidence of actions such as agreement acceptance.
  • Client passwords are scoped to the relevant practice portal. The same email address may have different credentials for different practice portals.
  • We do not sell client portal content or use it for unrelated advertising.
06

Files, forms and agreements

AccountantPortal may store and process sensitive operational documents because practices use the service for real client work.
  • Files may include business records, onboarding documents, identity documents, financial records, receipts, certificates, statements or other material chosen by a practice or portal user.
  • Form answers may include contact details, business information, supporting files, free-text answers and other information requested by the practice.
  • Agreement records may include agreement text, version snapshots, assignment details, acceptance timestamps, user details, IP addresses and user agents.
  • Practices should request only the information they need, explain why they need it, and avoid collecting special category or high-risk information unless appropriate safeguards are in place.
  • AccountantPortal may use validation, security checks, storage controls and audit logs to protect these records and manage access.
07

Xero and integrations

Some businesses use AccountantPortal with third-party integrations. These features may involve additional processing.
  • When a practice connects Xero, AccountantPortal uses the authorised connection to retrieve and display relevant invoice, receipt, balance, contact or report information for that practice and its permitted client portal users.
  • Xero remains a third-party service with its own terms, privacy notices, permissions and security model.
  • File-scanning providers may process uploaded file metadata or content where a business has configured scanning for production use.
08

Cookies and similar technologies

AccountantPortal may use cookies, local storage and similar technologies to run the website, remember sessions, protect accounts, measure service performance and understand how the product is used.
  • Strictly necessary cookies support login, security, routing, load balancing, fraud prevention and core service functionality.
  • Preference cookies or local storage may remember user interface choices or portal settings where enabled.
  • Analytics or performance technologies may help us understand website visits, product usage, errors and reliability, subject to the consent rules that apply.
  • You can control cookies through your browser settings, but blocking necessary cookies may stop parts of AccountantPortal from working.
Where non-essential analytics or marketing cookies are used, AccountantPortal provides appropriate cookie information and consent controls.
09

Who we share data with

We share personal data only where needed to operate AccountantPortal, support users, comply with law, protect the service or complete a business transaction.
  • Hosting, database, storage, domain, security, monitoring and infrastructure providers.
  • Email, notification, support, CRM, payment, accounting and subscription management providers.
  • Xero and other integrations connected by a practice workspace.
  • File-scanning providers where scanning is enabled and configured.
  • Professional advisers, insurers, auditors, banks, payment processors and legal advisers.
  • Regulators, courts, law enforcement, public authorities or third parties where disclosure is required by law or necessary to protect rights, safety, security or the service.
  • A buyer, investor or successor if AccountantPortal is involved in a merger, acquisition, financing, reorganisation or sale of assets, subject to appropriate safeguards.
10

International transfers

Some providers may process personal data outside the UK. When this happens, we use safeguards required by data protection law.
  • Safeguards may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, contractual controls and provider due diligence.
  • Where a practice requires data residency or additional transfer controls, that must be agreed in writing before the relevant data is processed.
  • Third-party integrations may transfer data according to their own terms and privacy arrangements.
11

How long data is kept

We keep personal data only for as long as needed for the purpose it was collected, including service delivery, security, legal, accounting, dispute and backup purposes.
  • Business account and billing records are kept while the account is active and for a reasonable period afterwards for tax, contract and dispute purposes.
  • Client portal content is kept according to the practice workspace settings, the practice's instructions, any data processing agreement and practical backup deletion cycles.
  • Security logs, audit logs and agreement acceptance evidence may be kept for longer where needed to protect accounts, evidence important actions or resolve disputes.
  • Demo enquiries and marketing records are kept until they are no longer needed or you opt out, subject to any lawful suppression list we need to keep.
  • Backups are deleted or overwritten on a rolling basis according to our backup procedures.
12

Your data protection rights

Depending on the context and legal basis, you may have rights over your personal data under UK GDPR.
  • You may have the right to ask for access to your data, correction of inaccurate data, deletion of data, restriction of processing, objection to processing, data portability and withdrawal of consent.
  • Some rights are not absolute. For example, data may need to be retained for legal claims, security, tax, audit or contractual reasons.
  • If your request relates to a client portal controlled by a practice, we may need to pass the request to that practice or ask you to contact them directly.
  • To make a request to AccountantPortal, contact hello@accountantportal.co.uk.
  • You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.
13

Security

We use technical and organisational measures designed to protect personal data. Security also depends on how each business configures and manages its workspace.
  • AccountantPortal uses account authentication, tenant-scoped access controls, portal membership checks, audit logs and server-side permission checks.
  • Practices should use strong passwords, limit team access, remove users who no longer need access, keep client contact details accurate and review connected integrations.
  • No online system can be guaranteed to be completely secure. If you believe an account, portal, file or integration has been accessed without permission, contact us promptly.
  • We may notify affected clients, users, regulators or practices where required by law or where notice is needed to reduce harm.
14

Children and regulated data

AccountantPortal is intended for business use and is not designed for children.
  • Users must not create accounts for children or knowingly invite children into portals unless this has been expressly agreed and the required safeguards are in place.
  • Businesses must not use AccountantPortal for special category, criminal offence, medical, financial-regulated or other high-risk data unless their plan and written agreement permit it.
  • If you believe a child has provided personal data to AccountantPortal without appropriate authority, contact us so the issue can be reviewed.
15

Changes and contact

We may update this Privacy Policy as AccountantPortal develops, legal requirements change or new features are added.
  • The latest version will be posted on this page with a new update date.
  • Where changes are material, we will take reasonable steps to bring them to the attention of affected users or businesses.
  • Questions about this policy can be sent to hello@accountantportal.co.uk.
  • You can also read our Terms of Service.


© 2026 All rights reserved.