Privacy Policy

Effective Date: 10 June 2024

Last Updated: 08 May 2025



1. Introduction



At Briefcase Tech Ltd (“Briefcase,” “we,” “us,” or “our”), we are committed to protecting the privacy and security of your personal data. This Privacy Policy outlines how we collect, use, disclose, transfer, and store information about you when you use our website https://www.briefcase.so (the “Site”) and our Software as a Service platform and related services (collectively, the “Services”).


By accessing or using our Services, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy.



2. Definitions



  • Personal Data: Any information relating to an identified or identifiable natural person as defined under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

  • Customer: The accounting firm or business that subscribes to and uses our Services.

  • End User: A client or third party whose data (e.g. invoices, receipts) is processed by the Customer through our Services.

  • Data Controller: The entity that determines the purposes and means of processing Personal Data. The Customer is the Data Controller.

  • Data Processor: The entity that processes Personal Data on behalf of the Data Controller. Briefcase is the Data Processor.

  • Sub-Processor: A third party appointed by the Data Processor to process Personal Data on behalf of the Data Controller.



3. Scope of this Privacy Policy



This Privacy Policy applies to:



  • Personal Data we collect from Customers and End Users through use of our Services.

  • Personal Data collected through our Site, communications, and interactions with you.



4. Information We Collect



4.1 Information Provided by Customers



  • Account Information: Name, email address, postal address, phone number, company name, username, and password.

  • Financial Information: Payment details processed via Stripe.

  • Customer Data: Invoices, receipts, and historical ledger data from connected Xero or QuickBooks accounts, which may contain Personal Data of End Users.



4.2 Information Collected Automatically



  • Technical Information: IP address, browser type, operating system, and device information.

  • Usage Information: Pages viewed, features used, time spent on our Services.

  • Cookies and Similar Technologies: See Section 12 for more details.



4.3 Information from Third Parties



  • Third-Party Integrations: When you connect your account with third-party services like Xero or QuickBooks, we receive accounting context such as supplier names, chart of accounts, VAT registration details, and historical transaction metadata.



5. How We Use Your Information



5.1 Provision of Services



  • To provide, maintain, and improve our Services.

  • To automate processing of invoices and receipts, extract necessary information, and post to accounting platforms such as Xero or QuickBooks.

  • To integrate with connected third-party accounting platforms and provide contextual insights and historical data.



5.2 Communication



  • To communicate with you about your account, transactions, or updates.

  • To provide customer support and respond to enquiries.



5.3 Legal and Compliance



  • To comply with applicable legal obligations, including financial and data protection regulations.

  • To enforce our Terms of Service and other agreements.



5.4 Marketing Communications



  • We may send you marketing communications in two ways:


    • Soft Opt-In: If you sign up for our Services, we may send you product updates, offers, or tips related to Briefcase under the “soft opt-in” basis permitted by the UK Privacy and Electronic Communications Regulations (PECR). You can opt out at any time using the unsubscribe link in any message or by contacting support@briefcase.so.

    • Explicit Consent: If you separately sign up to receive our newsletter or marketing emails (e.g. via a form on our website), we will only send you communications based on your explicit consent. You can withdraw this consent at any time by unsubscribing or contacting us.



6. Legal Basis for Processing Personal Data



Our processing is based on the following legal grounds under the UK GDPR:


  • Contractual Necessity: Where processing is required to provide the Services.

  • Legitimate Interests: Where processing is necessary for our legitimate business interests, provided these are not overridden by your rights.

  • Consent: For marketing communications or optional features where explicit consent is required.

  • Legal Obligation: Where processing is necessary to meet statutory obligations.



7. Disclosure of Personal Data



7.1 Sub-Processors and Service Providers



We use trusted third-party Sub-Processors to support the delivery and maintenance of our Services. All are subject to strict contractual obligations, including confidentiality and data protection requirements. Below is a list of our current Sub-Processors, what they are used for, the types of data they process, where data is stored, and how long it is retained:



  • Amazon Web Services (AWS)


    • Purpose: Core hosting and data storage

    • Data Processed: All Customer and End User data, including account information, invoices, and receipts

    • Location: Ireland

    • Retention: Until account deletion or request for removal


  • Stripe


    • Purpose: Payment processing

    • Data Processed: Name, email address, billing address, and payment details

    • Location: United States

    • Retention: As per Stripe’s Privacy Policy


  • Langsmith


    • Purpose: Temporary AI model debugging

    • Data Processed: Uploaded invoices and receipts

    • Location: United States

    • Retention: 14 days


  • OpenAI


    • Purpose: AI document processing and categorisation

    • Data Processed: Invoices, receipts, and context from Xero or QuickBooks

    • Location: United States

    • Retention: Zero (data is not stored post-inference)


  • Anthropic


    • Purpose: AI document processing and categorisation

    • Data Processed: Invoices and receipts

    • Location: United States

    • Retention: Zero (data is not stored post-inference)


  • Datadog


    • Purpose: Infrastructure monitoring and diagnostics

    • Data Processed: System logs and metadata

    • Location: Germany

    • Retention: 15 days


  • Mailgun


    • Purpose: Email-based document upload

    • Data Processed: Email addresses, message content, and attachments when documents are forwarded via email

    • Location: United States

    • Retention: 5 days


  • Temporal


    • Purpose: Backend workflow orchestration

    • Data Processed: Metadata on job execution and automation state

    • Location: Ireland

    • Retention: 30 days


  • Sentry


    • Purpose: Application error tracking

    • Data Processed: Diagnostic error traces (may include metadata)

    • Location: United States

    • Retention: 14 days


  • WhatsApp Business (optional)


    • Purpose: Upload method for invoices and receipts via messaging

    • Data Processed: Phone number, message content, and any attached files

    • Location: Germany

    • Retention: As per WhatsApp’s Privacy Policy



This list of Sub-Processors may be updated from time to time. We will post the updated list here and may notify Customers of material changes. Continued use of the Services after such updates constitutes acceptance of the revised list.



7.2 Data Segregation



We never share data between End Users or Customers. Data is logically separated at the database level. Each Customer and End User is assigned a separate database record to ensure strict isolation. No data from one Customer or End User is used in automation, training, or processing for another.



7.3 Legal Requirements



We may disclose Personal Data if required to do so by law or in response to valid requests by public authorities.



7.4 Business Transfers



In the event of a merger, acquisition, or sale of assets, Personal Data may be transferred. We will notify you of any such change.



8. International Data Transfers



Some Personal Data may be processed or accessed outside the UK or EEA, including the United States. We ensure that appropriate safeguards such as Standard Contractual Clauses are in place for all international transfers in accordance with UK GDPR.


You can refer to Section 7.1 for specific details on locations, purposes, and retention periods for each Sub-Processor.



9. Data Security



We implement robust technical and organisational measures to protect your data, aligned with best practices in cloud security and data protection. These include:


  • Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

  • Access Controls: Role-based access control with audit logging.

  • Monitoring: Continuous infrastructure and application monitoring using Datadog and Sentry.

  • Minimisation: Only the data necessary for specific processing tasks is collected or shared.

  • Review: Output from large language models (LLMs) is reviewed internally by authorised staff only for debugging and improvement purposes.



10. Data Retention



  • We retain your and your End Users’ data for the duration of your subscription.

  • If your subscription ends, we may delete all data (including invoices and receipts) after 30 days without further notice.

  • Some data may be retained where required to comply with legal or regulatory obligations.

  • You may request deletion at any time (subject to those obligations).



11. Your Rights



You have the following rights under UK GDPR:


  • Access: Request details of the data we hold on you.

  • Rectification: Correct inaccurate or incomplete data.

  • Erasure: Request deletion of your data where processing is no longer necessary.

  • Restriction: Limit processing under certain circumstances.

  • Portability: Request a copy of your data in machine-readable format.

  • Objection: Object to data processing based on legitimate interests.

  • Withdraw Consent: Revoke consent where processing is based on consent.

  • Lodge a Complaint: File a complaint with the Information Commissioner’s Office (ico.org.uk).



To exercise these rights, email support@briefcase.so.



12. Cookies and Similar Technologies



We use cookies to enhance user experience:


  • Session Cookies: Maintain login state and navigation.

  • Preference Cookies: Remember settings and choices.

  • Security Cookies: Help protect user accounts.



You can control or disable cookies through your browser settings.



13. Use of AI and Language Models



We use large language models (LLMs) to automate document extraction and categorisation as part of our Services.



13.1 What We Send and Why



We may send the following data to LLM providers to enable automated processing of financial documents:


  • Invoices, receipts, and attachments uploaded by the Customer.

  • Contextual information retrieved from your connected Xero or QuickBooks account, including supplier names, chart of accounts, line of business, and VAT registration details.



This data is strictly necessary for categorisation, VAT code assignment, and posting automation.



13.2 Providers and Safeguards



We currently work with:


  • OpenAI (USA)

  • Anthropic (USA)



Both providers operate under zero-data retention agreements with Briefcase. This means:


  • Your data is not stored after processing.

  • Your data is never used to train models.

  • Logs are not retained beyond the session.



13.3 Access and Oversight



LLM outputs are reviewed solely for debugging and product improvement. While reviews are conducted exclusively by authorised Briefcase employees, we may use trusted tools such as Langsmith (see Section 7.1) to temporarily store and visualise LLM inputs and outputs for this purpose. Langsmith is a trusted third-party sub-processor that operates under data protection terms aligned with GDPR and retains data for no more than 14 days.



14. Children’s Privacy



Our Services are not intended for individuals under 16. We do not knowingly collect Personal Data from children. Please contact us if you believe we have received such data.



15. Third-Party Links and Services



Our Site may contain links to or integrations with third-party websites or services (e.g. Xero, QuickBooks, Stripe). These operate independently and are subject to their own privacy policies. We encourage you to review their terms directly.



16. Changes to this Privacy Policy



We may update this Privacy Policy from time to time:


  • We may notify you of significant changes via email or within the Services.

  • The updated version will be posted with a new “Last Updated” date.

  • Continued use of the Services after changes become effective constitutes acceptance.



17. Contact Us



If you have questions about this Privacy Policy or your data:


Email: support@briefcase.so



18. Appendix: Data Processing Agreement (Controller–Processor Agreement)



This Privacy Policy incorporates a Data Processing Agreement between the Customer (Controller) and Briefcase (Processor), covering:


  • Subject Matter: Processing of Personal Data for automation of bookkeeping tasks.

  • Duration: For the length of the Customer relationship and until deletion per Section 10.

  • Nature and Purpose: Automated processing of financial documents (e.g. invoices, receipts) to extract information and post to Xero or QuickBooks.

  • Types of Data: Names, addresses, contact details, transaction details, contextual accounting data.

  • Data Subjects: Customers, End Users, suppliers, and employees.

  • Obligations of Briefcase:


    • Process only on Customer or End User instruction

    • Maintain confidentiality

    • Ensure security and assist with audits

    • Notify of breaches

    • Delete or return data on termination


  • Obligations of Customer:


    • Ensure a lawful basis for processing

    • Inform data subjects of the processing

    • Provide lawful instructions to Briefcase