Privacy Policy — Siensi Software
Last updated: 18 May 2026
This Privacy Policy explains how Siensi Software ("we", "us", "our") collects, uses, and protects personal data. It applies to the Siensi Software practice management product accessible at app.siensi.co.uk and related services (the "Service").
Siensi Software is a trading name of Siensi Financial Solutions Limited, a company registered in England and Wales (registered office: 167-169 Great Portland Street, London, England, W1W 5PF). We are registered with the UK Information Commissioner's Office (ICO).
1. Who we are and what we do
Siensi Software is a software-as-a-service (SaaS) product that helps accountants manage their practice — including their clients, deadlines, workflows, document storage, and client communications.
For the purpose of UK GDPR, our role depends on the type of personal data:
- Account holders (accountants who subscribe): We are the data controller of your account information.
- Your end clients' data (the clients of the accountants who use our software): We are the data processor, and the subscribing accountant is the controller. We process this data only as instructed by them, under our Data Processing Agreement.
2. What information we collect
2.1 Account information you give us
- Your name, practice name, and email address (used to log in)
- A hashed password (we never see or store the plain-text password)
- Any settings you provide, such as your SMTP email credentials, practice logo, or contact preferences
- Billing information (when applicable) — handled by our payment processor; we do not store full card details
2.2 Information you enter about your clients
When you use Siensi Software to manage your practice, you enter data about your clients. This may include:
- Client names, addresses, and contact details
- National Insurance numbers, UTRs, dates of birth
- Identity documents (passports, driving licences) and AML check records
- Engagement letters and other client documents
- Company numbers, year ends, and Companies House data
This data belongs to you (or your client) — we hold it on your behalf as a data processor.
2.3 Automatically collected technical data
- IP address, browser type, and basic technical session info (for security and abuse prevention)
- Login timestamps and access logs (for audit and security)
- Error logs (so we can fix bugs)
We do not use cookies for advertising, tracking, or analytics. We use only the minimum cookies/local storage needed for the app to function (e.g., to keep you logged in).
3. How we use your data
We use the data we collect:
- To provide and operate the Service (storing your practice data, generating deadlines, sending reminders via your SMTP)
- To send you essential service emails (password resets, security alerts, occasional product updates relevant to your account)
- To process payments and provide support when you ask for it
- To improve and develop the Service (in aggregate or anonymised form only)
- To comply with our legal obligations (e.g., tax records, anti-fraud)
We do not sell your data or your clients' data to anyone, ever. We do not share it with advertisers. We do not use it to train AI models or for any other purpose beyond running the Service.
4. Legal bases for processing
Under UK GDPR, we rely on:
- Contract: Most of our processing is necessary to provide the Service you've signed up for.
- Legitimate interest: Security logs, abuse prevention, and limited service improvement.
- Legal obligation: Where required by law (e.g., tax records).
- Consent: For any marketing communications you opt into (we don't currently send marketing emails by default).
5. How long we keep data
- While your account is active: indefinitely, as long as you remain a subscriber.
- When your account ends: we keep your data for 90 days after cancellation to allow reactivation, then delete it permanently — unless you've requested earlier deletion or asked us to retain it longer.
- Billing and tax records: 7 years, as required by UK law.
- Backups: deleted records may persist in backups for up to 30 days before being purged.
6. Who we share data with
We use a small number of trusted service providers to operate the Service. Each is contractually required to protect your data:
- Supabase — our database and authentication provider (hosted in the EU)
- Netlify — hosts the application and assets
- Email delivery providers — for sending password resets and service emails (your own SMTP is used for client emails)
- Payment processor — for handling subscription billing (when applicable)
We do not transfer personal data outside the UK or EU without appropriate safeguards.
7. Security
We use industry-standard security measures including:
- HTTPS encryption in transit
- Encryption at rest on our database
- Row-level security: each practice's data is isolated from every other practice
- Authentication via Supabase Auth (JWT tokens, hashed passwords)
- Regular automated backups
No system is completely secure, but we follow current best practice. If we ever become aware of a personal data breach affecting you, we will notify you and the ICO within 72 hours, as required by law.
8. Your rights under UK GDPR
You have the right to:
- Access your personal data — we provide a built-in backup/export feature, or contact us.
- Correct inaccurate data — you can edit most data directly in the Service, or contact us.
- Delete your data ("right to be forgotten") — contact us and we'll delete your account and data within 30 days.
- Object to processing or withdraw consent at any time.
- Portability — receive your data in a machine-readable format (we provide JSON export).
- Complain to the UK ICO at ico.org.uk or call 0303 123 1113.
9. Admin access for support
Siensi Software employees with an admin role may access your account data when necessary to provide support, investigate a problem, or comply with legal obligations. All such access is logged. We will not access your data for any other reason and will not view client data unless absolutely necessary to resolve a specific issue you've raised.
10. Children
The Service is intended for use by accountancy professionals. It is not directed at children, and we do not knowingly collect personal data from anyone under 18.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will reflect the most recent change. We'll notify you of material changes via the Service or by email.
12. Contact us
For any privacy-related questions, requests, or to exercise your rights:
- Email: support@siensi.co.uk
- Post: Siensi Software, c/o Siensi Financial Solutions Limited, 167-169 Great Portland Street, London, England, W1W 5PF