Aurelia · UK GDPR
Privacy Policy
1. Who we are
Aurelia is a UK-based financial technology company providing software for autonomous financial operations and accounting automation for small and medium-sized enterprises. For UK data protection law, we act as the data controller for personal data processed in connection with our website, marketing, and the operation of our SaaS platform, except where we act as a processor strictly on your documented instructions (for example, under a data processing agreement for your organisation’s end-user data).
If you use Aurelia on behalf of a business, your organisation may also be a controller for employee and customer data you upload. In that case, both your organisation’s privacy notices and this policy may apply to different elements of processing.
| Topic | Detail |
|---|---|
| Legal entity | Aurelia Ltd (United Kingdom) |
| Privacy inbox | [email protected] |
| Data protection | [email protected] (or privacy inbox where no DPO is appointed) |
| Postal | As published on our website or provided on request for formal notices |
2. Data we collect
We collect and process categories of personal data proportionate to delivering the service and meeting our legal obligations. The table below is illustrative and may vary depending on your subscription, integrations, and configuration.
| Category | Examples | Typical source |
|---|---|---|
| Identity & contact | Name, work email, phone (if provided) | Registration, support tickets |
| Account & company | Company name, role, tenant identifiers | Signup, workspace settings |
| Financial & transaction | Invoices, receipts, ledger lines, VAT attributes, bank transaction metadata | Uploads, feeds, platform use |
| Bank connection | Tokens/consents, account identifiers (not passwords), transaction descriptions | Authorised open banking / aggregator APIs |
| Technical | IP address, device, browser, session logs | Infrastructure, security monitoring |
| Usage & analytics | Feature usage events, crash diagnostics (where enabled) | Product analytics (see Cookies) |
3. Legal basis
Under UK GDPR we rely on one or more of the following legal bases, depending on the processing activity:
- Contract (Art. 6(1)(b)) — providing the Aurelia service, authentication, automation outputs you request, and customer support.
- Legitimate interests (Art. 6(1)(f)) — securing the platform, preventing abuse, improving reliability, aggregated analytics, and internal reporting, where not overridden by your rights.
- Legal obligation (Art. 6(1)(c)) — compliance with applicable law, regulatory requests, and tax/accounting record-keeping where it applies to us directly.
- Consent (Art. 6(1)(a)) — optional marketing, non-essential cookies, or specific integrations where consent is the appropriate basis. You may withdraw consent at any time.
Where we process special category data only because it appears incidentally in documents you upload, we rely on applicable lawful bases and safeguards (including your explicit instructions as controller where relevant).
| Activity | Typical basis | Notes |
|---|---|---|
| Running your workspace | Contract | Core SaaS performance |
| Fraud & abuse prevention | Legitimate interests | Balanced against user rights |
| Responding to court orders | Legal obligation | Where valid in UK |
| Optional newsletter | Consent | Unsubscribe anytime |
When we act as processor for your organisation, your organisation determines the legal basis for end-user and customer data; we process solely on documented instructions unless required otherwise by EU/UK law.
4. How we use data
We use personal data to deliver and improve the platform, including:
- Provisioning and securing user accounts and organisational workspaces.
- Running ingestion pipelines, reconciliation workflows, and AI-assisted classification with human oversight where configured.
- Generating audit trails, compliance checks, and management information you configure.
- Communicating service messages, security alerts, and (where permitted) product updates.
- Training and evaluating models only as described in our agreements and privacy documentation — we minimise use of personal data for model development and apply contractual and technical controls.
Automated processing may suggest categories, flags, or draft filings. You or your authorised users remain responsible for reviewing outputs before reliance, particularly where submissions have legal or financial consequences. We design workflows to surface confidence indicators and escalation paths where CPA review is enabled.
We do not use your confidential accounting data to market third-party financial products to you without clear disclosure and, where required, consent. Product improvement analytics are aggregated or pseudonymised where feasible.
5. Financial data & HMRC
Where you connect financial sources or upload accounting documents, we process that data to perform bookkeeping automation, VAT calculations, and — if you enable it — submissions via HMRC’s Making Tax Digital (MTD) APIs.
HMRC processing is performed as your filing agent only where you authorise the submission. You remain responsible for reviewing returns and ensuring underlying records are accurate. We log technical events associated with API calls as part of service operation and auditability.
| Activity | Data involved | Notes |
|---|---|---|
| MTD VAT (example) | VRN, return payloads, obligation references | Transmitted per HMRC API specifications |
| Authentication to HMRC | OAuth tokens where applicable | Stored and rotated under security standards |
| Evidence & logs | Submission IDs, timestamps, error codes | Support troubleshooting and audit |
6. Third parties
We share personal data with categories of recipients where necessary:
- Infrastructure & SaaS subprocessors — cloud hosting, databases, logging, email delivery, observability.
- HMRC — when you instruct filings through official APIs.
- Banks and open banking providers — to maintain authorised connections.
- CPA / professional partners — where you enable escalation or review workflows.
- Professional advisers — lawyers, insurers, auditors under confidentiality.
We require subprocessors to meet appropriate security and data protection terms. A current list may be provided on request or published on our website.
7. International transfers
Your data may be processed in the UK and the European Economic Area. If we transfer personal data outside the UK, we implement safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or reliance on adequacy regulations, as applicable.
Where subprocessors store encrypted backups in multiple regions for resilience, we assess transfer risk, document transfer mechanisms, and require subprocessors to notify us of legally binding requests for access that may affect personal data. You may request a summary of material subprocessor locations relevant to your workspace by contacting the privacy inbox.
Transfers to the United States or other jurisdictions without an adequacy decision are not undertaken without appropriate safeguards and, where required, supplementary measures assessed in line with ICO guidance. We periodically review our transfer register when vendors or product architecture change.
8. Retention
We retain personal data only as long as necessary for the purposes above and to meet legal, regulatory, and contractual requirements. Indicative periods:
| Data type | Indicative retention | Rationale |
|---|---|---|
| Active account profile | Duration of contract + short wind-down | Service delivery |
| Accounting / tax records in workspace | Up to 7 years (or as required) | UK tax / company law norms |
| Security & access logs | 12–24 months | Incident response, forensics |
| Marketing consents & lists | Until withdrawn + minimal residual | Consent lifecycle |
| Backups | Overlapping backup cycles | Disaster recovery |
9. Your rights
Subject to exemptions, you have the following rights under UK GDPR in relation to personal data for which we are controller:
| Right | What it means | How to exercise |
|---|---|---|
| Access | Obtain confirmation and a copy of your personal data | Email [email protected] |
| Rectification | Correct inaccurate or incomplete data | Account settings or privacy inbox |
| Erasure | Request deletion where applicable | Privacy inbox (subject to legal holds) |
| Restriction | Limit processing in certain cases | Privacy inbox |
| Portability | Receive structured, machine-readable data you provided (where applicable) | Privacy inbox / export tools |
| Objection | Object to processing based on legitimate interests or direct marketing | Privacy inbox / unsubscribe |
| Withdraw consent | Where processing is consent-based | Consent controls / privacy inbox |
| Automated decisions | Information about solely automated decisions with legal/similar effects (if any) | Privacy inbox |
We will respond within one calendar month in most cases (extensions may apply for complex requests). We may need to verify your identity before disclosing data.
10. Security
We implement appropriate technical and organisational measures including encryption in transit, access control, least-privilege administration, vulnerability management, and staff training. No system is perfectly secure; if we become aware of a personal data breach that must be notified, we will follow applicable legal requirements.
Organisational measures include role-based access to production systems, background checks for roles with elevated access where permitted by law, and confidentiality commitments in employment and contractor agreements. Technical measures include network segmentation, secrets management, and monitoring for anomalous access patterns.
Customers are responsible for safeguarding their own credentials, configuring strong authentication where offered, and promptly revoking access for departed staff. We recommend periodic review of integration permissions and API keys associated with your workspace.
| Control area | Examples |
|---|---|
| Encryption | TLS for data in transit; encrypted storage at rest for primary databases (as configured) |
| Access | Multi-factor options for administrators; audit logs for privileged actions |
| Availability | Backups and disaster recovery procedures tested on a schedule |
| Assurance | Third-party assessments and penetration tests as appropriate to roadmap |
12. Children
Aurelia is intended for businesses and adults with authority to bind an organisation. We do not knowingly collect personal data from children under 16. If you believe we have done so, contact us and we will take steps to delete the information.
13. Changes to this policy
We may update this Privacy Policy to reflect legal, regulatory, or product changes. We will publish the revised version with an updated “Last updated” date. Where changes are material, we will provide additional notice (for example by email or in-product banner).
14. Contact & complaints
For any privacy question or request, contact [email protected]. If you are not satisfied with our response, you may complain to the Information Commissioner’s Office (ICO), the UK supervisory authority:
Helpline: 0303 123 1113
© 2026 Aurelia Ltd. This policy is for information and does not constitute legal advice.