Privacy Policy
Effective Date: 1st March 2026
1. Controller Identity
Matters2 Ltd (trading as xontax), registered in England and Wales (Company Registration Number: 10274860), is the data controller for the personal and corporate data collected through our platform, operating in strict compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
We collect and process the following categories of data:
- Identity & Authentication Data: Name, email address, and authentication tokens via our provider, Clerk.
- Corporate Data: Company Registration Number (CRN), registered address, and director details fetched directly from the Companies House API.
- Financial & Transactional Data: Live bank statement lines, balances, and account metadata via TrueLayer (Open Banking). We do not see or store your banking login credentials.
- Tax & Compliance Data: VAT registration numbers, company tax identifiers where applicable, National Insurance numbers where you provide them, Government Gateway tokens, and historical tax obligations fetched via HMRC APIs.
- Document Data: Images or PDFs of invoices and receipts uploaded by you.
- Conversational & AI Accountant Data: Information you provide in the AI Accountant chat, such as your profession, employment status, and personal tax circumstances. We collect, store, and use this to personalise your xontax experience.
3. How We Process Data with AI
To provide autonomous bookkeeping, your transactional data and uploaded documents are processed by our sub-processor, Anthropic (Claude AI models), as well as by custom proprietary models that are changed and updated from time to time.
Strict Limitation
Data sent to Anthropic includes your transactional data, uploaded documents, and AI Accountant chat messages, together with profile or contextual facts you give us or that we infer in conversation. It is used exclusively to run the Service (for example, extracting line items, matching receipts to transactions, suggesting tax categorisations, and generating AI Accountant replies) and is not used to train any public or foundational AI models. We also keep this conversational information in xontax's own database so we can personalise your experience when you return.
No Training
Your financial data and receipts are strictly excluded from being used to train any public or foundational AI models.
4. Table of Sub-Processors
We rely on the following vetted third parties to deliver the Service:
- Supabase (AWS EU): Primary database and ledger hosting.
- TrueLayer: Open banking connectivity.
- Clerk: Identity and authentication management.
- Anthropic: AI processing and Vision OCR.
- Scaleway: AI model cloud ecosystem.
- Vercel (UK): Application hosting and routing.
5. Data Retention and the Immutable Ledger
Because xontax provides a statutory audit trail for HMRC, your ledger data (bank lines, categorisations, and audit logs tracking who made what change) is retained for as long as your organisation account exists on the platform. If you request account deletion, we remove your operational data and stored files from our active systems without undue delay. Where UK tax and anti-money-laundering rules require evidence of filings or customer due diligence, we may retain a minimal set of pseudonymous filing or submission metadata for up to seven years; this is not a full copy of your ledger. You remain responsible for a final data export before you delete your account if you need your complete records.
6. Your Data Rights
Under UK GDPR, you have the right to access, rectify, port, and erase your data. You can trigger a comprehensive export of your entire ledger and receipt history at any time from the Settings panel.
For erasure, rectification, or portability requests not available in-product, contact our privacy team at privacy@mail.xontax.com. We will respond within one calendar month as required by UK GDPR.