Privacy Policy
Effective Date: 1st March 2026
1. Controller Identity
xontax is the data controller for the personal and corporate data collected through our platform, operating in strict compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
We collect and process the following categories of data:
- Identity & Authentication Data: Name, email address, and authentication tokens via our provider, Clerk.
- Corporate Data: Company Registration Number (CRN), registered address, and director details fetched directly from the Companies House API.
- Financial & Transactional Data: Live bank statement lines, balances, and account metadata via TrueLayer (Open Banking). We do not see or store your banking login credentials.
- Tax & Compliance Data: VAT Registration Numbers, UTRs, Government Gateway tokens, and historical tax obligations fetched via HMRC APIs.
- Document Data: Images or PDFs of invoices and receipts uploaded by you.
3. How We Process Data with AI
To provide autonomous bookkeeping, your transactional data and uploaded documents are processed by our sub-processor, Anthropic (Claude 3 models), as well as by custom proprietary models that are changed and updated from time to time.
Strict Limitation: Data sent to Anthropic is used exclusively for extracting line items, matching receipts to transactions, and suggesting tax categorizations.
No Training: Your financial data and receipts are strictly excluded from being used to train any public or foundational AI models.
4. Table of Sub-Processors
We rely on the following vetted third parties to deliver the Service:
- Supabase (AWS EU): Primary database and ledger hosting.
- TrueLayer: Open banking connectivity.
- Clerk: Identity and authentication management.
- Anthropic: AI processing and Vision OCR.
- Scaleway: AI model cloud ecosystem.
- Vercel (UK): Application hosting and routing.
5. Data Retention and the Immutable Ledger
Because xontax provides a statutory audit trail for HMRC, your ledger data (bank lines, categorizations, and audit logs tracking who made what change) is retained for as long as your organization account exists on the platform. If you request account deletion, we will immediately destroy your data from our active databases; you remain responsible for taking a final data export before erasure.
6. Your Data Rights
Under UK GDPR, you have the right to access, rectify, port, and erase your data. You can trigger a comprehensive export of your entire ledger and receipt history at any time from the Settings panel.