Effective Date: 10 June 2024
Last Updated: 25 September 2024
1. Introduction
At Briefcase Tech Ltd (“Briefcase,” “we,” “us,” or “our”), we are committed to protecting the privacy and security of your personal data. This Privacy Policy outlines how we collect, use, disclose, transfer, and store information about you when you use our website https://www.briefcase.so (the “Site”) and our Software as a Service platform and related services (collectively, the “Services”).
By accessing or using our Services, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy.
2. Definitions
• “Personal Data” means any information relating to an identified or identifiable natural person as defined under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
• “Client” refers to the accounting firms that subscribe to and use our Services.
• “End User” refers to the clients of the Client, whose data (e.g., invoices, receipts) is processed via our Services.
• “Data Controller” is the entity that determines the purposes and means of processing Personal Data. In this context, the Client is the Data Controller.
• “Data Processor” is the entity that processes Personal Data on behalf of the Data Controller. Briefcase is the Data Processor.
• “Sub-Processor” is any third party appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller.
3. Scope of this Privacy Policy
This Privacy Policy applies to:
• Personal Data we collect from Clients and End Users through the use of our Services.
• Personal Data collected through our Site, communications, and interactions with you.
4. Information We Collect
4.1. Information Provided by Clients
• Account Information: Name, email address, postal address, phone number, company name, username, and password.
• Financial Information: Payment details processed via Stripe.
• Client Data: Invoices, receipts, and historical ledger data from connected Xero accounts, which may contain Personal Data of End Users.
4.2. Information Collected Automatically
• Technical Information: IP address, browser type, operating system, device information.
• Usage Information: Pages viewed, features used, time spent on our Services.
• Cookies and Similar Technologies: Data collected through cookies to enhance user experience.
4.3. Information from Third Parties
• Third-Party Integrations: Information received from third-party services like Xero when you connect your account.
5. How We Use Your Information
We use Personal Data for the following purposes:
5.1. Provision of Services
• Service Delivery: To provide, maintain, and improve our Services.
• Automated Processing: To process invoices and receipts, extract necessary information, and post to Xero.
• Integration: To integrate with third-party accounting software and provide historical data insights.
5.2. Communication
• Account Management: To communicate with you about your account, transactions, and updates.
• Customer Support: To provide support and respond to inquiries.
5.3. Legal and Compliance
• Regulatory Compliance: To comply with legal obligations, including financial regulations relevant to the accounting industry.
• Enforcement: To enforce our Terms of Service and other agreements.
5.4. Marketing (with Consent)
• Promotional Materials: To send newsletters, offers, and other marketing communications. You may opt out at any time.
6. Legal Basis for Processing Personal Data
Our processing of Personal Data is based on the following legal grounds under the UK GDPR:
• Contractual Necessity: Processing is necessary for the performance of a contract with you (providing the Services).
• Legitimate Interests: Processing is necessary for our legitimate interests in delivering and improving the Services, provided these interests are not overridden by your rights.
• Consent: For marketing communications and where you have given explicit consent.
• Legal Obligation: Processing is necessary to comply with legal obligations.
7. Disclosure of Personal Data
We may share Personal Data with:
7.1. Sub-Processors and Service Providers
We use third-party service providers to support our Services. These include:
• Amazon Web Services (AWS) (Ireland): Cloud infrastructure and storage.
• Render (Frankfurt): Cloud hosting services.
• OpenAI (USA): Large Language Model (LLM) provider under an enterprise agreement with a Data Processing Addendum. OpenAI does not train on the data we send and retains data logs for up to 30 days for performance and debugging purposes.
• Stripe (USA): Payment processing services.
All Sub-Processors are bound by confidentiality agreements and are prohibited from using Personal Data for any purpose other than providing services to us.
7.2. Legal Requirements
We may disclose Personal Data if required to do so by law or in response to valid requests by public authorities.
7.3. Business Transfers
In the event of a merger, acquisition, or sale of assets, Personal Data may be transferred. We will notify you of any such change.
8. International Data Transfers
We may transfer your personal information to countries outside of your residence, including to countries that may not have the same level of data protection laws as your home country. When we do so, we will take steps to ensure that your personal information is adequately protected in accordance with this Privacy Policy.
9. Data Security
We implement industry-standard security measures to protect Personal Data:
• Encryption: Data is encrypted both in transit (TLS 1.2+) and at rest (AES-256).
• Access Controls: Strict access controls and authentication measures.
• Monitoring: Regular security assessments and monitoring.
• Data Minimization: Collecting only the data necessary for the purposes outlined.
10. Data Retention
We retain Personal Data only as long as necessary for:
• Service Provision: The duration of the contractual relationship.
• Legal Compliance: To comply with legal and regulatory obligations.
• Dispute Resolution: To resolve disputes and enforce agreements.
Upon termination or at the Client’s request, we will delete or return Personal Data, unless retention is required by law.
11. Your Rights
Under the UK GDPR, you have the following rights regarding your Personal Data:
11.1. Right of Access
• Description: Obtain confirmation as to whether or not your Personal Data is being processed and access to such data.
• How to Exercise: Contact us at support@briefcase.so.
11.2. Right to Rectification
• Description: Request correction of inaccurate or incomplete Personal Data.
• How to Exercise: Update your account information or contact us.
11.3. Right to Erasure
• Description: Request deletion of Personal Data where there is no lawful basis for continued processing.
• How to Exercise: Contact us with your request.
11.4. Right to Restrict Processing
• Description: Request limitation on the processing of your Personal Data under certain circumstances.
• How to Exercise: Contact us for assistance.
11.5. Right to Data Portability
• Description: Receive your Personal Data in a structured, commonly used, and machine-readable format.
• How to Exercise: Contact us to request your data.
11.6. Right to Object
• Description: Object to processing based on legitimate interests or for direct marketing purposes.
• How to Exercise: Update your preferences or contact us.
11.7. Right to Withdraw Consent
• Description: Withdraw consent at any time where processing is based on consent.
• How to Exercise: Contact us or unsubscribe from communications.
11.8. Right to Lodge a Complaint
• Description: Lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your rights have been violated.
• How to Exercise: Visit the ICO website at https://ico.org.uk/.
12. Cookies and Similar Technologies
We use cookies and similar tracking technologies to enhance your experience:
• Types of Cookies: Session cookies, preference cookies, security cookies.
• Purpose: Authentication, user preferences, performance analytics.
• Your Choices: You can manage your cookie preferences through your browser settings.
13. Children’s Privacy
Our Services are not intended for individuals under the age of 16. We do not knowingly collect Personal Data from children under 16. If you become aware that a child has provided us with Personal Data, please contact us immediately.
14. Third-Party Links and Services
Our Site may contain links to third-party websites and services not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time:
• Notification: We will notify you of significant changes by email or through the Services.
• Effective Date: Changes become effective when posted on this page with an updated “Last Updated” date.
• Continued Use: Your continued use of the Services after changes indicates acceptance of the updated Privacy Policy.
16. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
• Email: support@briefcase.so
Acknowledgment
By using our Services, you acknowledge that you have read, understood, and agree to this Privacy Policy.
Appendix: Data Processing Agreement (Controller-Processor Agreement)
As part of our commitment to GDPR compliance, this Privacy Policy incorporates a Data Processing Agreement between the Client (Data Controller) and Briefcase (Data Processor):
Subject Matter and Duration
• Subject Matter: Processing of Personal Data as necessary to provide the Services.
• Duration: For the duration of the Services and until deletion of all Personal Data as per these Terms.
Nature and Purpose of Processing
• Nature: Automated processing of invoices, receipts, and financial documents.
• Purpose: To provide the Services as described, including integration with Xero and automation of accounting tasks.
Types of Personal Data
• Personal Data included in financial documents: names, addresses, contact details, transaction details.
Categories of Data Subjects
• Clients, End Users, customers, suppliers, and employees whose data is processed.
Obligations of the Data Processor (Briefcase)
• Processing on Instructions: Process Personal Data only on instructions from the Client.
• Confidentiality: Ensure personnel authorised to process Personal Data are committed to confidentiality.
• Security Measures: Implement appropriate technical and organisational measures to protect Personal Data.
• Assistance: Assist the Client in fulfilling obligations to respond to data subject requests.
• Data Breach Notification: Notify the Client without undue delay upon becoming aware of a Personal Data Breach.
• Data Deletion: Delete or return all Personal Data upon termination of Services within 30 days, unless required by law to retain it.
• Audit Rights: Make available all information necessary to demonstrate compliance and allow for audits.
Obligations of the Data Controller (Client)
• Lawful Basis: Ensure a lawful basis for processing Personal Data and for sharing it with Briefcase.
• Data Subject Rights: Inform data subjects of the processing and ensure their rights are respected.