Privacy Policy for AccLedger
Last Updated: March 1, 2026
AccLedger, a product owned and operated by ITSAP PORT LTD ("we", "us", "our"), acts as the data controller for your personal information. We are committed to protecting your privacy and being transparent about how we handle your data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our software-as-a-service platform.
1. What Personal Data We Process and Why
We collect and process information that you provide to us directly in order to provide our accounting services. This includes:
- Account Information: Your name, email address, password, company name, and role. We use this to create and manage your account, and to provide you with customer support.
- Financial Data: Any financial information you upload or create, including invoices, expenses, transactions, and payroll data. This is processed to provide the core functionality of the accounting software.
- Contact Information: If you contact us for support, we collect your email and the content of your message to assist you.
We also collect some information automatically, such as usage data and device information, to monitor and improve our services.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain our Services.
- Process your transactions and manage your account.
- Improve, personalize, and expand our Services.
- Communicate with you, including for customer service and support.
- Comply with legal obligations, including tax and accountancy laws.
3. Our Lawful Basis for Processing under UK GDPR
Under the UK General Data Protection Regulation (UK GDPR), our lawful basis for collecting and using the personal information described in this Privacy Policy depends on the data we collect and the specific context in which we collect it. We process your data based on the following:
- Contract: Most of our processing is necessary for the performance of our contract with you (our Terms of Service) to provide you with the AccLedger software and its features.
- Legal Obligation: We process certain data to comply with our legal obligations, such as financial and tax reporting requirements.
- Legitimate Interests: We process some data for our legitimate interests, such as for improving our services and for security purposes, provided these interests are not overridden by your data protection rights.
- Consent: Where we ask for your consent, for example to send you marketing communications, we will process your data based on that consent.
4. Your Data Protection Rights
Under UK GDPR, you have certain data protection rights, including the right to access, update, or delete the information we have on you. You also have the right to object to processing, the right of rectification, and the right to data portability. You can export your data at any time from the 'Data Export' section in your settings. For other requests, please contact us.
5. Data Storage and International Transfers
To provide a secure and performant service, we utilize Google Cloud Platform infrastructure in specific regions:
- Core Data and Processing: Your primary data, including financial records and user information, is stored and processed on servers located in the United Kingdom (London, europe-west2). This includes our databases and backend functions.
- Application Hosting: Our application's frontend is delivered globally via Firebase App Hosting, which may serve content from servers located outside the UK/EEA, including the United States.
All data transfers between regions, such as from our UK-based database to your browser via our globally-hosted application, are handled in compliance with the UK General Data Protection Regulation (UK GDPR). For transfers to the United States, we rely on the UK-U.S. Data Privacy Framework (the UK Extension to the EU-U.S. DPF), which ensures that an adequate level of protection is provided for your personal data.
6. Data Segregation and Access Control
To ensure that each customer’s data can only be accessed by authorised users, we have implemented a robust, multi-layered access control model built on Google Firestore's security capabilities:
- Data Partitioning: All of your company's data (such as invoices, expenses, and customers) is logically partitioned in our database and explicitly linked to your unique Company ID.
- Server-Side Enforcement: We use Firestore Security Rules, which are rules enforced on the server, not in the browser. These rules are the primary mechanism for preventing unauthorised access.
- Ownership-Based Access: Our security rules verify the identity of every user making a request. A user can only read or write data for a company if their unique User ID is listed as a member of that company. This fundamentally prevents one customer from accessing another customer's data.
- Role-Based Access Control (RBAC): Access to company data is strictly controlled by a user's role and their relationship to a specific company. A user's access is limited to only the companies they have been explicitly invited to or have created. For example, an individual business owner can invite their accountant, granting them access to that specific company's data. Accountants, in turn, can manage multiple client companies but cannot see the data of clients managed by other accountancy firms. This principle of explicit permission, enforced by our server-side security rules, ensures strict data isolation and that users can only access the information essential for their duties.
This server-enforced, ownership-based security model ensures strict data isolation between all customers on the platform.
7. Data Security Measures
We are committed to protecting your data and have implemented a comprehensive set of security controls to safeguard your information, adhering to UK GDPR guidelines.
Encryption
- In Transit: All data transferred between your browser and our servers is encrypted using industry-standard Transport Layer Security (TLS/SSL).
- At Rest: All customer data, including personally identifiable information and sensitive tokens, is automatically encrypted by our database provider (Google Cloud) before it is written to disk.
Password Security
We utilize Google Cloud Identity Platform for user authentication. User passwords are not stored in our systems. Instead, they are securely hashed and managed by Google's robust and battle-tested identity infrastructure, which includes protection against brute-force attacks.
Infrastructure Security
- Our application is built and hosted on Google Cloud Platform, which provides a secure, managed environment. This includes, but is not limited to, network firewalls, automatic security patching of the underlying infrastructure, and protection against common malware and network-based attacks.
- Physical Security: The physical security of the data centers where your information is stored, including access controls, environmental protections, and secure hardware disposal, is managed by Google and complies with leading international standards such as ISO 27001, SOC 2, and SOC 3.
Data Resiliency
Our database (Google Firestore) has built-in redundancy and backup capabilities. Data is replicated across multiple geographic locations to protect against data loss in the event of a disaster.
Monitoring
We utilize platform-level logging and monitoring to track system activity, helping us to detect and respond to suspicious or anomalous behavior and prevent potential data breaches.
8. HMRC Authentication (OAuth 2.0)
For services that interact with HM Revenue & Customs (HMRC), such as Making Tax Digital (MTD), our application uses the industry-standard OAuth 2.0 protocol as mandated by HMRC.
We never ask for, see, handle, or store your Government Gateway user ID or password. Our software is developed and maintained in accordance with the HMRC Standard for Security, ensuring that all data exchange with HMRC systems is encrypted and authenticated via OAuth 2.0.
The authentication process works as follows:
- You are redirected from our application to HMRC's secure, official website to sign in.
- You enter your credentials directly on HMRC's platform. We have no visibility or access to this information.
- After you successfully sign in and grant permission, HMRC sends a temporary authorization code back to our application.
- Our secure backend server exchanges this code for an access token and a refresh token.
Only these secure tokens—which do not contain your sign-in details—are stored. They are encrypted at rest and protected by our strict server-side security rules, as detailed in the sections above. This process ensures your HMRC credentials remain secure and are never exposed to our application.
9. Security Audits and Testing
We are committed to the security of our platform. Our application and infrastructure are subject to regular security assessments, and we utilize automated security scanning tools to identify and mitigate vulnerabilities. Furthermore, we periodically audit our security controls and practices to ensure ongoing compliance with data protection laws and industry best practices.
10. Security Incident Reporting
If you are a customer or third party and wish to report a security risk or incident, please contact us immediately at security@accledger.com.
In the case of a security breach involving personal or customer data, we have a process to notify the appropriate authorities. We will report the breach to HMRC by contacting SDSTeam@hmrc.gov.uk within 72 hours, providing a breach contact name and telephone number. We will also notify the Information Commissioner’s Office (ICO) about personal data breaches within 72 hours of becoming aware of them, as required by law.
11. Contact Us
If you have any questions about this Privacy Policy, please contact us at support@accledger.com.
ITSAP PORT LTD, Registered in the United Kingdom, Company Number: 09791906