Privacy Policy

Last updated: 19 March 2026

1. Data Controller

Cledo is operated by SGAA Limited, a company registered in England and Wales. We are the data controller for the personal data processed through this service.

ICO Registration Number: [To be added after registration]

Contact: privacy@cledo.tax

2. What Data We Collect

  • Account data: name, email address, hashed password
  • Company data: company name, registration number, registered address, SIC codes, officer details (from Companies House)
  • Tax identifiers: VAT Registration Number (VRN), Unique Taxpayer Reference (UTR)
  • Financial data: bank transactions (via Finexer Open Banking), invoices, journal entries, tax calculations
  • HMRC tokens: OAuth 2.0 access and refresh tokens for MTD API access (encrypted at rest)
  • Device data: browser fingerprint, IP address, device identifiers (required by HMRC Fraud Prevention Headers)
  • Usage data: pages visited, features used, error logs

3. Why We Collect It

  • Contract performance: to provide tax filing, accounting, and bookkeeping services as described in our Terms of Service
  • Legal obligation: HMRC requires us to transmit Fraud Prevention Headers with every API call; financial records must be retained for 6 years
  • Legitimate interest: to improve the service, detect errors, and prevent fraud

4. Data Retention

  • Financial records: 6 years from the end of the relevant tax year (HMRC legal requirement)
  • Account data: retained while the account is active, deleted or anonymised 2 years after account closure
  • HMRC tokens: deleted immediately upon user disconnection or account closure
  • Bank transaction data: retained for 6 years for tax compliance, then anonymised

5. Third-Party Processors

We share data with the following processors under Data Processing Agreements:

  • MongoDB Atlas (database hosting) — EU region
  • Google Cloud Platform (application hosting, document storage) — europe-west2 (London)
  • Finexer (Open Banking data access) — UK, FCA-regulated
  • OpenAI / self-hosted AI (transaction categorisation) — data minimised, no PII sent
  • Stripe (payment processing) — PCI DSS Level 1 compliant
  • HMRC (tax filing submissions) — UK Government

6. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion of your data (subject to legal retention requirements)
  • Portability — receive your data in a machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest

To exercise any right, email privacy@cledo.tax. We will respond within 30 days.

7. Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM for sensitive fields). HMRC tokens are encrypted using application-level encryption before database storage. Access to production systems is restricted to authorised personnel only.

8. Cookies

Cledo uses essential cookies only: a session authentication cookie (httpOnly, secure, SameSite=Lax). We do not use tracking or advertising cookies.

9. Complaints

If you are dissatisfied with how we handle your data, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/concerns.