Privacy Policy
How we handle your data. Short version: it's yours, it stays in the UK, we don't sell it.
Last updated: 5 February 2026
The short version
- ✓ Your data is stored in the UK (Google Cloud, London)
- ✓ We don't sell your data or use it for advertising
- ✓ You can export or delete your data at any time
- ✓ We use essential cookies only — no tracking cookies
1. Who We Are
SpeyBooks is operated by William Murray trading as SpeyTech, based in Scotland. We're the "data controller" for your personal data under UK GDPR.
SpeyTech
Email: support@speybooks.com
2. Data We Collect
Account Data
When you sign up:
- Email address
- Name
- Password (stored hashed with Argon2id — we can't see it)
Organisation Data
About your business:
- Business name and address
- VAT registration number (if applicable)
- Company registration number (optional)
Financial Data
The accounting data you enter:
- Transactions and journal entries
- Invoices and quotes
- Contacts (your customers and suppliers)
- Chart of accounts
Technical Data
Automatically collected:
- IP address (processed transiently for security, abuse prevention, and rate limiting)
- Browser type and version
- Actions taken in the app (for audit logs and security, not behavioural tracking)
Payment Data
Billing is handled by Stripe. We don't see or store your full card number. Stripe provides us with the last 4 digits and expiry date for your reference only.
3. Why We Process Your Data
Under UK GDPR, we need a legal basis to process your data. Here's what we use:
Contract
Processing necessary to provide SpeyBooks to you: storing your financial data, generating reports, sending invoices, authenticating you.
Legal Obligation
Processing required by law: keeping records for tax purposes, responding to lawful requests from authorities, fraud prevention.
Legitimate Interest
Processing that benefits you and us where there's minimal privacy impact: security monitoring, abuse prevention, bug fixing, responding to support requests, improving the service.
We don't process your data based on consent (except for optional marketing emails, which you can opt out of anytime). This means we don't need to ask permission for the core service, and you don't need to manage consent settings.
4. Who We Share Data With
We don't sell your data. Ever.
We share data with:
Sub-processors
Third-party services that help us run SpeyBooks. See our full Sub-processors list. We'll notify you before adding any that materially affect how your data is processed.
- Google Cloud Platform — Infrastructure (London, UK)
- AWS SES — Email delivery (EU)
- Stripe — Payment processing (EU/UK)
HMRC
If you use our MTD (Making Tax Digital) integration to submit VAT returns, we transmit the required data directly to HMRC on your behalf. You initiate this explicitly — we don't share data with HMRC automatically.
Legal Requirements
We may disclose data if required by law, court order, or to protect our legal rights. We'll notify you if legally permitted to do so.
5. Where Your Data Lives
UK Data Residency
Your financial data is stored in Google Cloud's London region (europe-west2). It doesn't leave the UK. Backups are also stored in the UK.
Some supporting services (email delivery, payment processing) process limited personal data using EU-based infrastructure. The EU has a UK adequacy decision, meaning data transfers comply with UK GDPR.
6. How We Protect Your Data
- In transit: TLS 1.3 encryption on all connections
- At rest: AES-256 encryption on all stored data
- Passwords: Hashed with Argon2id (we can't see them)
- Access: Role-based controls, audit logging on all actions
- Backups: Daily automated backups, encrypted, UK-only
For full details, see our Security page.
7. How Long We Keep Data
| Data Type | Retention |
|---|---|
| Account & financial data | While active, then 7 years after closure |
| Audit logs | 7 years (legal requirement) |
| Support conversations | 3 years |
| Server logs (IP addresses) | 90 days |
| Backups | 30 days rolling |
The 7-year retention for financial data aligns with HMRC requirements. We can't delete financial records earlier without potentially causing you legal issues.
8. Your Rights
Under UK GDPR, you have the right to:
Access
Request a copy of your personal data
Rectification
Correct inaccurate data (you can do this directly in the app)
Erasure
Request deletion (subject to legal retention requirements)
Portability
Export your data in standard formats (CSV, JSON via API)
Object
Object to processing based on legitimate interest
Complain
Lodge a complaint with the ICO (see below)
To exercise these rights, email support@speybooks.com. We may need to verify your identity before fulfilling certain requests. We'll respond within 30 days.
9. Cookies & Analytics
We use essential cookies only. No tracking. No advertising. No third-party cookies watching what you do.
For analytics, we use Umami — a privacy-focused tool that doesn't use cookies, doesn't store IP addresses, and doesn't track you across sites.
Full details in our Cookies Policy, including why you don't see a cookie banner on SpeyBooks.
10. Children's Data
SpeyBooks is accounting software for businesses. It's not intended for children under 18. We don't knowingly collect data from children. If you believe we have, contact us and we'll delete it promptly.
11. Changes to This Policy
We may update this policy. When we do:
- We'll update the "Last updated" date
- For material changes, we'll email you
- We'll give at least 30 days' notice before significant changes take effect
12. Complaints
If you're unhappy with how we handle your data, please contact us first at support@speybooks.com. We'll try to resolve it.
If you're still not satisfied, you can complain to the UK's data protection regulator:
13. Contact Us
Questions about this policy or your data?
SpeyTech
Email: support@speybooks.com