Privacy Policy
Last updated: January 2026
ByteLogic Ltd ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- We only collect data necessary to provide our service
- Your financial data is never sold to third parties
- Data is stored securely in UK/EU data centers
- You can export or delete your data at any time
1. Data Controller
ByteLogic Ltd is the Data Controller for all personal data processed through ByteLogic Accounting.
As the Data Controller, we are responsible for protecting your data and ensuring it is processed lawfully, fairly, and transparently.
| Data Controller | ByteLogic Ltd |
| Company Number | 15073068 |
| Registered Address | England & Wales |
| Privacy Contact | edward@bytelogic.ltd |
| Security Contact | edward@bytelogic.ltd |
2. Personal Data We Process and Why
We collect and process the following personal data to provide our accounting services:
| Data Type | Why We Process It | Lawful Basis |
|---|---|---|
| Name, Email Address | Create your account, verify your identity, communicate service updates and support | Contract performance |
| Company Details (name, address, VAT/company number) | Generate invoices, submit VAT returns and payroll to HMRC on your behalf | Contract performance |
| Bank Transactions (transaction details from connected banks) | Categorize expenses, generate financial reports, reconcile accounts | Contract performance |
| Employee Data (names, NI numbers, salaries, addresses) | Calculate and process payroll, submit RTI to HMRC, generate P60s/P45s | Contract + Legal obligation |
| Client/Customer Data (names, addresses, contact details) | Generate invoices and statements on your behalf | Contract performance |
| Payment Information (card details, handled by Stripe) | Process your subscription payments | Contract performance |
| Usage Data (features used, pages visited) | Improve our service, fix bugs, understand user needs | Legitimate interest |
3. Lawful Basis for Processing
Under UK GDPR, we must have a valid lawful basis to process your personal data. We rely on the following:
📜 Contract Performance (Article 6(1)(b))
Processing necessary to provide the accounting services you've signed up for — including bank sync, invoicing, reporting, and HMRC submissions.
⚖️ Legal Obligation (Article 6(1)(c))
Processing required by law — such as retaining financial records for 7 years, submitting payroll data to HMRC, and responding to legal requests.
🎯 Legitimate Interest (Article 6(1)(f))
Processing in our legitimate business interest — such as analyzing usage to improve the service, fraud prevention, and security monitoring. You can object to this processing at any time.
✅ Consent (Article 6(1)(a))
Where we rely on consent (e.g., marketing emails), you can withdraw it at any time by contacting us or using the unsubscribe link.
4. How We Use Your Data
- Provide services: Bank sync, reporting, invoicing, payroll
- HMRC submissions: Submit VAT returns and payroll filings on your behalf
- Communication: Service updates, support responses
- Billing: Process subscription payments via Stripe
- Improve service: Analyze usage patterns (anonymized)
5. Special Category Data
Under UK GDPR Article 9, "special category data" includes health information and requires additional protections.
⚠️ Limited Health Data Processing
If you use our payroll features for Statutory Sick Pay (SSP), we process limited health-related data (sickness absence dates) to calculate SSP entitlement.
| Special Category Data | Purpose | Legal Condition |
|---|---|---|
| Sickness absence dates | Calculate Statutory Sick Pay | Article 9(2)(b) - Employment law obligation |
We do NOT process any other special category data (racial origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, or sexual orientation).
6. Data Sharing
We share data only with:
- HMRC: For tax submissions you authorize
- Stripe: Payment processing (PCI compliant)
- Bank APIs: To sync transactions you connect
- Cloud providers: Secure hosting (UK/EU only)
We never sell your data or share it for marketing purposes.
7. Data Security
We are responsible for protecting your data. We implement appropriate technical and organisational measures including:
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Bank credentials stored using industry-standard encryption
- Regular security audits and penetration testing
- Staff access limited, logged, and subject to confidentiality agreements
- Daily backups with 90-day retention
- Two-factor authentication available for all accounts
For full security details, see our Security Policy.
8. Data Retention
- Active accounts: Data retained while account is active
- Cancelled accounts: Data deleted after 30 days (with export notice)
- Financial records: Retained 7 years as required by UK law
- Backups: Fully purged within 90 days of deletion request
9. Your Rights (UK GDPR)
Under UK GDPR, you have the following rights:
- Right of Access (Article 15): Request a copy of all personal data we hold about you
- Right to Rectification (Article 16): Correct inaccurate or incomplete data
- Right to Erasure (Article 17): Request deletion of your data (subject to legal retention requirements)
- Right to Data Portability (Article 20): Export your data in machine-readable format (CSV, JSON)
- Right to Object (Article 21): Object to processing based on legitimate interest
- Right to Restrict Processing (Article 18): Limit how we use your data
- Right to Complain: Lodge a complaint with the ICO if you're not satisfied
To exercise any of these rights, email edward@bytelogic.ltd. We will respond within 30 days.
10. Cookies
We use minimal cookies:
- Session cookies: Keep you logged in (essential, no consent required)
- Preference cookies: Remember your settings (essential)
We do not use third-party tracking or advertising cookies.
11. International Transfers
Your data is stored in UK/EU data centers. If any processing occurs outside the UK, we ensure adequate protection through Standard Contractual Clauses or UK adequacy decisions.
12. Changes to This Policy
We may update this policy and will notify you of significant changes via email. The "Last updated" date at the top of this page indicates when it was last revised.
Data Protection Contact
For privacy-related questions or requests:
Email: edward@bytelogic.ltd
ICO: ico.org.uk (supervisory authority)