This Privacy Policy is effective from the 1st day of October 2025.

Issued by:
EazyCapture Limited

For the benefit of:
All users of the EazyCapture platform including practice owners, their staff members and their clients and their accounting teams.

Data Controller Information

Data Controller: EazyCapture Limited, a company incorporated in England and Wales with registered number 16768952 and having its registered office at Shaw Mews, 1 Shaw Street, Worcester, England, WR1 3QQ.

Data Subjects: This Privacy Policy applies to all individuals whose personal data is processed by the Data Controller, including:

  • (a) Practice owners who use the EazyCapture platform;
  • (b) Clients of practice owners whose financial and business data is processed through the platform;
  • (c) Any other individuals whose personal data may be collected or processed in connection with the EazyCapture services.

Introduction and Overview

EazyCapture Limited ("we", "us", or "our") operates EazyCapture, an intelligent automation tool designed for bookkeepers and accountants that captures, extracts, and validates key data from invoices and receipts.
The EazyCapture platform processes financial documents including invoices, receipts, bank statements, and other business records to extract supplier information, VAT details, totals, line items, and applies business context categorisation.
Our services include integrations with accounting software platforms including QuickBooks, Xero, Sage, and FreeAgent, supporting VAT/MTD compliance, multi-currency processing, asset classification, prepayments, and deferred revenue management.
In providing these services, we process personal data of practice owners who use our platform and their clients whose financial information is processed through the system.
This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018.
This Privacy Policy applies to all users of the EazyCapture platform and covers all personal data processing activities conducted by us in connection with our services.
We are committed to protecting the privacy and security of personal data and ensuring transparency in our data processing practices.

Types of Data We Collect

Client Data means financial and business information of practice owners' clients processed through the EazyCapture platform, including charts of accounts, tax rates, contacts, invoices, receipts, credit notes, bank statements, employee records, VAT registration numbers, CIS registration details, and other compliance-related identifiers.
Data Controller means EazyCapture Limited as the entity that determines the purposes and means of processing personal data.
Data Subject means any identified or identifiable natural person whose personal data is processed by us.
EazyCapture Platform means our intelligent automation tool and associated services that capture, extract, and validate data from financial documents.
Integration Partners means third-party accounting software providers including QuickBooks, Xero, Sage, and FreeAgent with whom we integrate our services.
Personal Data has the meaning given in the UK GDPR and includes any information relating to an identified or identifiable natural person.
Practice Owner means bookkeepers, accountants, and other professional users who use the EazyCapture platform to process their clients' financial data.
Practice Owner Data means personal data relating to practice owners including practice name, email address, and information about clients associated with their practice.
Processing has the meaning given in the UK GDPR and includes any operation performed on personal data.
Services means all services provided by us through the EazyCapture platform including document processing, data extraction, validation, and integration services.
UK GDPR means the UK General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018.

Legal Basis for Processing

We process Personal Data only where we have a valid legal basis under the UK GDPR.
Contract Performance - We process Practice Owner Data and Client Data where necessary for the performance of our contract with Practice Owners to provide the Services, including:

  • Setting up and managing Practice Owner accounts on the EazyCapture Platform;
  • Processing financial documents including invoices, receipts, and bank statements;
  • Extracting and categorising financial data from uploaded documents;
  • Facilitating integrations with accounting software platforms including QuickBooks, Xero, Sage, and FreeAgent;
  • Providing customer support and technical assistance.

Legal Obligation - We process Personal Data where necessary to comply with legal obligations, including:

  • Supporting VAT/MTD compliance requirements;
  • Maintaining records for tax and regulatory purposes;
  • Complying with financial services regulations applicable to our Services.

Legitimate Interests - We process Personal Data where necessary for our legitimate interests or those of third parties, provided such interests are not overridden by the Data Subject's fundamental rights and freedoms, including:

  • Fraud prevention and security monitoring;
  • Improving and developing our Services and the EazyCapture Platform;
  • System administration and technical maintenance;
  • Business analytics to understand usage patterns and service performance.

Consent - We process Personal Data based on consent where:

  • Practice Owners opt-in to receive marketing communications;
  • Non-essential cookies are used for website personalisation;
  • Personal Data is shared with third parties for marketing purposes.

Consent may be withdrawn at any time without affecting the lawfulness of Processing based on consent before its withdrawal.

How We Collect Your Data

We collect Personal Data through various methods depending on how you interact with the EazyCapture Platform and our Services.

Direct Collection from Practice Owners
We collect Practice Owner Data when you create an account, update your profile, or configure your practice settings on the EazyCapture Platform.
You provide information directly through registration forms, account management interfaces, and communication with our support team.

Document Upload and Processing
We collect Personal Data when you manually upload financial documents including invoices, receipts, credit notes, and bank statements to the EazyCapture Platform.
Our automated Processing systems extract Personal Data from uploaded documents including supplier information, customer details, and transaction data.

Integration with Accounting Software
We collect Personal Data through authorised connections with Integration Partners including QuickBooks, Xero, Sage, and FreeAgent.
This includes importing structured data such as charts of accounts, tax rates, contact lists, and existing transaction histories from your connected accounting software.

Automatic Data Collection
We automatically collect technical information including IP addresses, device identifiers, browser information, and usage patterns when you access the EazyCapture Platform.
System logs and performance data are collected to maintain service functionality and security.

Third Party Sources
We may collect Personal Data from publicly available sources or third-party service providers where necessary for VAT validation, company verification, or compliance purposes.
All data collection activities are conducted in accordance with the UK GDPR and are limited to what is necessary for providing our Services.

Purposes of Data Processing

Service Provision: We process Personal Data to provide the core functionality of the EazyCapture Platform, including:

  • Capturing, extracting, and validating data from invoices, receipts, bank statements, and other financial documents;
  • Applying business context categorisation to extracted data;
  • Processing supplier information, VAT details, totals, line items, and other financial data;
  • Supporting multi-currency processing, asset classification, prepayments, and deferred revenue management.

Integration Services: We process Personal Data to facilitate integrations with Integration Partners including QuickBooks, Xero, Sage, and FreeAgent to synchronise financial data and support automated bookkeeping workflows.

Compliance and Legal Obligations: We process Personal Data to:

  • Support VAT/MTD compliance requirements;
  • Maintain records as required by applicable accounting standards and tax regulations;
  • Comply with our legal obligations under UK GDPR and other applicable laws.

Account Management and Customer Support: We process Practice Owner Data to manage user accounts, provide technical support, respond to enquiries, and deliver customer service.

Security and Fraud Prevention: We process Personal Data to maintain the security of the EazyCapture Platform, prevent unauthorised access, detect and prevent fraud, and protect against other security threats.

Service Improvement: We process aggregated and anonymised data to analyse usage patterns, improve our Services, develop new features, and enhance the user experience.

Marketing Communications: With your consent, we process Personal Data to:

  • Send service updates, information about new features, and relevant offers;
  • Understand your preferences to provide more relevant communications;
  • Share data with third parties for marketing purposes where you have provided explicit consent.

Quality Assurance: We process Personal Data to flag errors, validate data accuracy, and ensure the quality of our data extraction and processing services.

Data Sharing and Disclosure

We may share Personal Data with Integration Partners including QuickBooks, Xero, Sage, and FreeAgent to facilitate data synchronisation and accounting software integration as part of our Services.
We share Personal Data with our service providers and contractors who assist in delivering the EazyCapture Platform, including:

  • Cloud hosting providers including Amazon Web Services for data storage and processing infrastructure;
  • Technical support and maintenance providers;
  • Payment processing providers for subscription and billing purposes;
  • Customer support and communication platforms.

We may disclose Personal Data where required or permitted by law, including:

  • To comply with legal obligations, court orders, or regulatory requirements;
  • To respond to lawful requests from public authorities or law enforcement agencies;
  • To comply with tax reporting obligations including VAT and Making Tax Digital requirements.

We may share Personal Data with professional advisors including lawyers, accountants, auditors, and consultants who provide services to us and are bound by confidentiality obligations.
Personal Data may be disclosed to third parties in connection with a merger, acquisition, reorganisation, or sale of all or part of our business, provided the recipient agrees to protect the Personal Data in accordance with this Privacy Policy.
We may share Personal Data with fraud prevention agencies and security service providers to protect against fraudulent activity and maintain platform security.
With your explicit consent, we may share your contact details and marketing preferences with selected third parties for their independent marketing purposes.
All third parties with whom we share Personal Data are required to implement appropriate technical and organisational measures to protect the Personal Data and use it only for the specified purposes.
We do not sell Personal Data to third parties for monetary consideration.

International Data Transfers

We do not save or store any data outside the United Kingdom. All of our data is saved in the UK on Amazon Web Services (AWS) servers.

Some operational activities or processing may be carried out by sub-processors located in other countries. These transfers are strictly for processing purposes only and do not involve storing personal data outside the UK.

a) When providing technical support or maintenance services that require processing by sub-processors located outside the UK.
b) When required by law or legal process, including court orders or regulatory investigations.

Data Subjects have the right to obtain information about international transfers of their Personal Data, including details of the safeguards implemented and the countries involved.

We will notify Data Subjects of any material changes to our international transfer arrangements through updates to this Privacy Policy.

Data Retention

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
Practice Owner Data is retained for the duration of your account with us and for a period of seven (7) years following account closure, unless you request earlier deletion or we are required to retain it for longer under applicable law.
Client Data is retained in accordance with the following periods:

  • Financial records, invoices, receipts, and accounting data are retained for a minimum of six (6) years from the end of the relevant accounting period to comply with UK tax and accounting record-keeping requirements.
  • VAT records and related documentation are retained for a minimum of six (6) years in accordance with HM Revenue & Customs requirements.
  • Employee records and payroll data are retained for a minimum of three (3) years following termination of employment.
  • Technical data including IP addresses, system logs, and usage analytics are retained for a maximum of twelve (12) months unless required for security investigations or legal proceedings.
  • Marketing communication preferences and consent records are retained until you withdraw consent or for seven (7) years following the last interaction, whichever is sooner.

We may retain Personal Data for longer periods where required by law, regulation, or court order, or where necessary for the establishment, exercise, or defence of legal claims.
Upon expiry of the applicable retention period, we will securely delete or anonymise Personal Data unless its continued retention is required for legitimate business purposes or legal obligations.
You may request the deletion of your Personal Data at any time, subject to our legal obligations and legitimate business interests, by contacting us using the details provided in this Privacy Policy.
Where we process Personal Data on behalf of Practice Owners as a processor, we will follow their instructions regarding data retention and deletion, provided such instructions comply with applicable law.

Data Security Measures

We implement appropriate technical and organisational measures to protect Personal Data against unauthorised access, alteration, disclosure, or destruction in accordance with UK GDPR requirements.
Technical Security Measures include:

  • Encryption of Personal Data both in transit and at rest using industry-standard encryption protocols.
  • Secure hosting infrastructure provided by Amazon Web Services (AWS) with servers and databases located in the United Kingdom.
  • Multi-factor authentication for access to the EazyCapture Platform and administrative systems.
  • Regular security monitoring and intrusion detection systems to identify and prevent unauthorised access attempts.
  • Secure API connections for Integration Partners including QuickBooks, Xero, Sage, and FreeAgent.

Organisational Security Measures include:

  • Access controls ensuring that only authorised personnel can access Personal Data on a need-to-know basis.
  • Regular security training for all staff members who handle Personal Data.
  • Confidentiality agreements for all employees and contractors with access to Personal Data.
  • Regular security audits and vulnerability assessments of our systems and processes.

We maintain regular automated backups of all data stored on our systems with secure off-site storage to ensure data recovery in case of system failure.
We have established incident response procedures to address any suspected or actual data security breaches, including notification protocols in accordance with UK GDPR requirements.
Third-party service providers, including AWS and Integration Partners, are required to maintain appropriate security standards and comply with data protection obligations through contractual arrangements.
We regularly review and update our security measures to address evolving threats and maintain compliance with applicable data protection laws.
Access logs are maintained for all systems Processing Personal Data to enable monitoring and auditing of data access activities.

Your Rights Under UK GDPR

As a Data Subject, you have the following rights under the UK GDPR in relation to your Personal Data processed by us in connection with the Services.
Right of Access: You have the right to request confirmation of whether we are Processing your Personal Data and, where we are, to obtain a copy of your Personal Data together with information about how it is being processed.
We will provide this information free of charge unless your request is manifestly unfounded or excessive.
We will respond to access requests within one month of receipt, which may be extended by a further two months where necessary.

Right to Rectification: You have the right to request that we correct any inaccurate Personal Data concerning you and to have incomplete Personal Data completed.
Practice Owners may update their Practice Owner Data directly through the EazyCapture Platform.
Corrections to Client Data must be requested through the relevant Practice Owner or by contacting us directly.

Right to Erasure: You have the right to request that we delete your Personal Data where one of the following grounds applies:

  • The Personal Data is no longer necessary for the purposes for which it was collected.
  • You withdraw consent where Processing is based on consent and there is no other legal ground for Processing.
  • You object to Processing based on legitimate interests and there are no overriding legitimate grounds for Processing.
  • The Personal Data has been unlawfully processed.

Right to Restrict Processing: You have the right to request restriction of Processing of your Personal Data where:

  • You contest the accuracy of the Personal Data pending verification of its accuracy.
  • The Processing is unlawful but you oppose erasure and request restriction instead.
  • We no longer need the Personal Data but you require it for legal claims.
  • You have objected to Processing pending verification of whether our legitimate grounds override your interests.

Right to Data Portability: Where Processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format.
You may request that we transmit this data directly to another data controller where technically feasible.
This right applies to Practice Owner Data and may be subject to technical limitations regarding Client Data processed through Integration Partners.

Right to Object: You have the right to object to Processing of your Personal Data where it is based on legitimate interests, including profiling based on those provisions.
We will cease Processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
You have an absolute right to object to Processing for direct marketing purposes at any time.

Rights Related to Automated Decision Making: You have the right not to be subject to decisions based solely on automated Processing, including profiling, which produce legal effects or similarly significantly affect you.
This right does not apply where the decision is necessary for contract performance, authorised by law, or based on your explicit consent.

Right to Withdraw Consent: Where Processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of Processing based on consent before its withdrawal.
You may withdraw consent for marketing communications by clicking "unsubscribe" in our emails or contacting us directly.
You may withdraw consent for cookies through your browser settings or our cookie preference centre.

Right to Complain: You have the right to lodge a complaint with the Information Commissioner's Office if you believe we have not handled your Personal Data in accordance with the UK GDPR.

Exercising Your Rights: To exercise any of these rights, please contact us using the details provided in this Privacy Policy, providing sufficient information to enable us to identify you and process your request.
We may request additional information to verify your identity before responding to requests.
For requests relating to Client Data, we may need to coordinate with the relevant Practice Owner to fulfil your request.

Cookies and Tracking Technologies

Cookies are small text files that are stored on your device when you visit our website or use the EazyCapture Platform to help us provide and improve our Services.
We use the following types of cookies:

  • Essential cookies that are necessary for the operation of the EazyCapture Platform, including authentication, security, and core functionality.
  • Performance cookies that collect information about how you use our Services to help us improve functionality and user experience.
  • Functional cookies that remember your preferences and settings to enhance your experience when using the EazyCapture Platform.
  • Marketing cookies that track your activity across websites to deliver targeted advertising, but only with your explicit consent.

We obtain your consent before placing non-essential cookies on your device through our cookie banner displayed when you first visit our website or access the EazyCapture Platform.
You can manage your cookie preferences at any time by:

  • Adjusting your browser settings to refuse or delete cookies.
  • Using our cookie preference centre accessible through our website.
  • Contacting us directly using the details provided in this Privacy Policy.

Third-party cookies may be placed by our Integration Partners or service providers, including analytics providers and payment processors, subject to their own privacy policies.
Disabling essential cookies may prevent you from accessing certain features of the EazyCapture Platform or may cause the Services to function improperly.
We will retain cookie data for the periods specified in our cookie notice, which vary depending on the type and purpose of each cookie.

Marketing Communications

We may use your Personal Data, including identity, contact details, and profile data, to understand your preferences and interests, which helps us determine relevant products and Services that may be beneficial to you.
We will only send you marketing communications where:
you have provided your explicit opt-in consent to receive such communications; or
you are an existing customer and have not opted out of receiving similar communications about our Services.
With your explicit opt-in consent, we may occasionally contact you about:
service updates and new features designed to enhance our Services;
relevant information, offers, or Integration Partners that we believe would provide value to you; and
other products and services related to the EazyCapture Platform.
We may share your Personal Data with third parties for marketing purposes only with your explicit opt-in consent.
We will not share your contact details with third parties for their independent marketing purposes without your explicit consent.
You may change your marketing preferences or withdraw your consent at any time by:
clicking "unsubscribe" in any marketing email we send to you;
contacting us directly using the contact information provided in this Privacy Policy; or
updating your preferences through your account settings on the EazyCapture Platform where available.
Withdrawal of consent will not affect the lawfulness of any Processing carried out before you withdrew your consent.

Data Breach Procedures

We have established procedures to detect, report, and investigate any personal data breach that may occur in connection with our Processing of Personal Data.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
Upon becoming aware of a personal data breach, we will:

  • immediately contain and assess the breach to prevent further unauthorised access or disclosure;
  • investigate the nature, cause, and scope of the breach;
  • assess the likely consequences and risks to the rights and freedoms of affected Data Subjects;
  • document all relevant facts relating to the breach, its effects, and remedial action taken.

Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner's Office without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to affected Data Subjects without undue delay.
Communications to Data Subjects under clause 12.5 will include:

  • a description of the nature of the personal data breach;
  • the likely consequences of the breach;
  • measures taken or proposed to address the breach and mitigate its possible adverse effects.

We will maintain a record of all personal data breaches, including the facts surrounding the breach, its effects, and remedial action taken, which will be made available to the Information Commissioner's Office upon request.
Following any personal data breach, we will review and, where necessary, update our security measures and procedures to prevent similar incidents occurring in the future.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, or our data processing practices.
We will notify you of any material changes to this Privacy Policy by:

  • posting the updated Privacy Policy on the EazyCapture Platform;
  • sending an email notification to Practice Owners at the email address associated with their account; and
  • displaying a prominent notice on the EazyCapture Platform for a period of thirty (30) days following the update.

For changes that materially expand our use of Personal Data or affect your rights under UK GDPR, we will seek your explicit consent where required by applicable law.
Any updated Privacy Policy will take effect thirty (30) days after we provide notice of the changes, unless:

  • a shorter period is required by law; or
  • the changes are made to comply with legal or regulatory requirements, in which case they will take effect immediately.

Your continued use of the EazyCapture Platform after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms.
If you do not agree to any changes, you must discontinue use of the Services and may request deletion of your Personal Data in accordance with section 11 of this Privacy Policy.
The current version of this Privacy Policy will always be available on the EazyCapture Platform and will include the date of the last update. This Privacy Policy is adopted and implemented by EazyCapture Limited as of 01 October 2025.

Children’s Privacy

Age Restriction
The EazyCapture Platform and Services are not directed to or intended for individuals under the age of 18.
No Collection of Children’s Data
We do not knowingly collect, use, or store any Personal Data from children under 18 years of age.
Unintended Collection
If we discover that Personal Data has been collected from a child under 18 without verified parental consent, we will take immediate steps to delete such information from our records.
Reporting Concerns
If you believe that we may have collected Personal Data from a child, please contact us immediately using the contact details provided in this Privacy Policy.