Privacy notice

How SmartBooks handles your data.

Version 1.0 · Last updated: 20 May 2026

1. Who we are

“SmartBooks” is a trading name of Rajoka Limited, a company registered in England and Wales. Rajoka Limited is the data controller for personal data collected through usesmartbooks.com and the SmartBooks platform.

  • Legal entity: Rajoka Limited
  • Companies House number: 12069067
  • Registered office: 64b Yardley Green Road, Birmingham, England, B9 5QE
  • ICO data protection registration: ZA837360
  • Privacy / DPO contact: dpo@rajoka.com

2. Scope of this notice

This notice covers personal data processed when you visit usesmartbooks.com, join the waitlist, request a demo, contact us by email, or use the SmartBooks platform once it is generally available. Where SmartBooks acts as a data processor on behalf of an accountancy or bookkeeping firm (their clients’ data), that processing is governed by the data-processing agreement signed with the firm, which takes precedence over the corresponding sections of this notice.

3. The personal data we collect

We collect only what we need to operate the service:

  • Waitlist form: work email address and the timestamp of submission.
  • Demo request form: name, work email, firm or business name, role, client/document volume bracket, and an optional free-text note.
  • Account and platform data (once you are a customer): account credentials (managed via our authentication provider), firm and user profile, role and permissions, billing details (handled by our payments provider, see section 7), and audit-log metadata for every action you take in the product.
  • Client and accounting records (where you are a firm using SmartBooks for client work): documents you upload (invoices, receipts, statements), bookkeeping entries, ledger data, VAT return figures, MTD ITSA quarterly update figures, Self Assessment figures, statutory accounts figures, and the names, contact details and tax references of clients you choose to enter.
  • Open banking data (where you connect a bank account): account holder name, account number/sort code (masked in display), and transaction data retrieved via our regulated open-banking provider (see section 7). We never see or store your online banking credentials.
  • Payment data (where you collect payments via SmartBooks): payer name, amount, reference and settlement status. Card numbers and bank credentials are handled by our regulated payments provider, not by us.
  • HMRC submission metadata: the figures you submit to HMRC via SmartBooks, the HMRC receipt number, the response code, the bookkeeper or user who approved the submission, and the device/network metadata HMRC requires us to send (see section 6 — Fraud-prevention headers).
  • Technical data: IP address, user agent, referrer, pages visited and approximate location derived from IP. Collected by our hosting and analytics providers for operational logging, security and abuse prevention.
  • Cookies and similar: see section 9.

4. Why we collect it and our lawful basis

Under UK GDPR Article 6, we rely on the following bases:

  • Waitlist: consent — Article 6(1)(a). You can withdraw at any time via the unsubscribe link or by emailing dpo@rajoka.com.
  • Demo: taking steps at your request prior to entering into a contract — Article 6(1)(b).
  • Providing the platform once you are a customer: performance of a contract — Article 6(1)(b).
  • HMRC submissions and related record-keeping: compliance with a legal obligation — Article 6(1)(c) — read with HMRC’s software-vendor obligations and the Making Tax Digital regulations.
  • Security, abuse prevention, service operation and product improvement: legitimate interests — Article 6(1)(f). A legitimate-interests assessment is available on request.
  • Marketing communications to non-customers: consent — Article 6(1)(a) plus PECR. For existing customers we may rely on the “soft opt-in” for closely related products; you can opt out at any time.

5. Where we get personal data from

Almost all personal data comes directly from you. We also receive data from:

  • Your bank, via our regulated open-banking provider, only after you have given an explicit consent to that provider under PSD2 / the UK Open Banking standards.
  • HMRC, in the form of receipts, response payloads and obligation lookups when we submit on your behalf or check your filing obligations.
  • Companies House, when we look up or file statutory accounts for a company you control.
  • Your firm, if you are a client of an accountancy or bookkeeping firm that uses SmartBooks — they may invite you and pre-fill your contact details.

6. HMRC, MTD and fraud-prevention headers

SmartBooks is software designed to submit Making Tax Digital (MTD) VAT returns, MTD Income Tax Self Assessment (ITSA) quarterly updates and end-of-period statements, Self Assessment returns and statutory accounts on your behalf through HMRC’s and Companies House’s official APIs.

HMRC recognition status. SmartBooks has completed HMRC’s sandbox testing for MTD VAT and MTD ITSA and has applied for production API credentials. Until production credentials are granted, we will not submit any live filing to HMRC on a customer’s behalf. Our current status is shown on the Trust & security page.

Fraud-prevention headers. HMRC requires every MTD software vendor to send a defined set of fraud-prevention headers with each call to the MTD APIs. These headers describe the device, network and connection used to make the submission. The data we send to HMRC for this purpose includes:

  • Your public IP address and (for the originating device) local IP address
  • Your device identifier (a pseudonymous hash) and operating system / device model
  • The browser or app user-agent string and the time zone of the device
  • The screen size, window size and colour depth of the screen used
  • The user IDs of the person who initiated and approved the submission inside SmartBooks
  • The connection type (Wi-Fi, mobile, etc.) where available
  • The version and vendor identifiers for the SmartBooks software

We are legally required to send these headers; they cannot be switched off. HMRC uses them to detect fraud and protect the tax system. The lawful basis is compliance with a legal obligation — Article 6(1)(c).

HMRC as a recipient. When you submit a return through SmartBooks, the contents of that return and the fraud-prevention headers above are sent to HMRC. HMRC then processes that data under its own privacy notice, which is published on GOV.UK. We retain a copy of every submission and HMRC’s receipt so that the filing is replayable in any future enquiry.

7. Sub-processors and who we share data with

We share personal data only with sub-processors that have signed a data-processing agreement with us containing the UK GDPR Article 28 obligations. The live list and the regions they operate from are below; the canonical, version-controlled list lives on the Trust & security page and is updated in advance of any change.

| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Hosting, edge network and serverless runtime | EU / UK |
| Supabase | Application database, authentication, encrypted file storage | EU |
| Adfin | Invoicing, direct debit and card payment processing | UK |
| Yapily (FCA-authorised AISP, application in progress) | Open banking account-information services | UK / EU |
| Resend | Transactional email delivery | EU / US |
| Google Analytics 4 | Website analytics (IP anonymised, consent-gated) | EU / US |
| Microsoft Clarity | Session recordings and heat-maps (consent-gated) | EU / US |
| HMRC MTD APIs | MTD VAT, MTD ITSA and Self Assessment submissions | UK |
| Companies House | Statutory accounts filing and company lookups | UK |

We may also disclose personal data where required by law (for example, a court order or a valid request from HMRC or the ICO), and to professional advisers (legal, accounting, insurance) under a duty of confidence.

8. International data transfers

Our primary infrastructure is in the UK and the EU. A small number of sub-processors operate from the United States (in particular, parts of Resend, Google Analytics 4 and Microsoft Clarity). Where personal data is transferred outside the UK, we rely on one of the following safeguards under UK GDPR Articles 44–49:

  • The UK’s adequacy regulations (including the UK extension to the EU–US Data Privacy Framework, where the recipient is certified);
  • The International Data Transfer Agreement (IDTA) issued by the ICO; or
  • The European Commission’s Standard Contractual Clauses with the UK Addendum.

You can request a copy of the relevant safeguard for a specific transfer by emailing dpo@rajoka.com.

9. Cookies and similar technologies

We use the minimum set of cookies needed to run the site and, with your consent, a small set of analytics cookies. Marketing cookies are off by default and are only set if you explicitly opt in via the cookie banner. You can change your choice at any time by clearing the SmartBooks cookies in your browser and re-opening the site.

| Cookie / storage | Purpose | Lifetime |
|---|---|---|
| sb.cookie-consent.v1 (localStorage) | Strictly necessary — remembers your cookie-banner choice | Until cleared |
| Google Analytics 4 (_ga, _ga_*) | Analytics — pseudonymised usage data, IP anonymised. Set only with consent. | Up to 13 months |
| Microsoft Clarity (_clck, _clsk, CLID) | Analytics — session recordings and heat-maps, sensitive fields masked. Set only with consent. | Up to 12 months |
| Vercel operational logs | Server-side request logging — not a cookie. Used for uptime and abuse prevention. | 90 days |

10. How long we keep personal data

We retain data only for as long as we have a lawful reason to:

  • Waitlist email addresses: until you unsubscribe, or 24 months after the last contact, whichever is sooner.
  • Demo submissions: 24 months after the demo, unless we sign an engagement.
  • Customer account data: for the duration of your contract, plus 7 years from the end of the contract, to meet UK accounting and tax record-keeping obligations.
  • VAT records and MTD VAT submission payloads: 6 years, in line with HMRC’s VAT record-keeping requirements.
  • MTD ITSA submission payloads, Self Assessment records and supporting documents: a minimum of 5 years 10 months after the end of the relevant tax year (longer where the customer is a business or landlord, in line with HMRC guidance).
  • Statutory accounts records: 6 years for private companies and 3 years for limited liability partnerships, in line with the Companies Act 2006.
  • Open-banking transaction data: for the consent period set with our open-banking provider (typically up to 90 days for active access), and then archived inside the customer’s bookkeeping records under the retention rules above.
  • Audit logs: 7 years.
  • Operational logs: 90 days.
  • Marketing-consent records: for the life of the consent plus 24 months.

Where you ask us to delete data and we are required to keep it under one of the obligations above, we will block further processing of that data and delete it at the end of the statutory period.

11. How we protect personal data

  • TLS 1.3 in transit between every client and SmartBooks; HSTS on every public endpoint.
  • AES-256 encryption at rest on the application database and stored files.
  • Role-based access control, mandatory multi-factor authentication for staff, and a least-privilege model for production data.
  • Read-only, append-only audit logs covering every privileged action.
  • Sub-processor due diligence under our vendor-risk policy before onboarding.
  • Annual review of access lists, encryption keys and incident-response runbooks.

A full security overview — including our certifications roadmap (ISO 27001 and SOC 2 Type II targets) — is published on the Trust & security page.

12. Personal data breaches

We maintain a documented incident-response plan. If a personal data breach occurs and is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours of becoming aware of it, in line with UK GDPR Article 33. We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, under Article 34.

13. Automated decision-making and profiling

SmartBooks does not make solely automated decisions producing legal or similarly significant effects on you under UK GDPR Article 22. The platform uses machine-assisted classification of documents and transactions, but a human bookkeeper or accountant must approve any HMRC submission, payment collection or material posting before it takes effect.

14. Children

SmartBooks is a business product. It is not directed at children and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided data to us, contact dpo@rajoka.com and we will delete it.

15. Your rights under UK GDPR

You have the following rights in respect of your personal data:

  • Right of access (a “subject access request” or DSAR)
  • Right to rectification of inaccurate data
  • Right to erasure (the “right to be forgotten”), subject to our legal record-keeping obligations
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing based on legitimate interests or direct marketing
  • Right not to be subject to a solely automated decision (see section 13)
  • Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal
  • Right to lodge a complaint with the Information Commissioner’s Office (ICO)

How to exercise a right. Email dpo@rajoka.com with “Data subject request” in the subject line. We may ask you to verify your identity before responding (typically by replying from the email on the account, or by other reasonable means). We respond within one calendar month and may extend by a further two months for complex or numerous requests — in which case we will tell you within the first month. There is normally no fee; we may charge a reasonable fee, or refuse, where a request is manifestly unfounded or excessive, and we will explain our reasoning if we do.

Complaints. You can complain to the ICO at ico.org.uk/make-a-complaint or call 0303 123 1113. We’d prefer the chance to put things right first, but you are not required to contact us before going to the ICO.

16. If you are a client of a firm using SmartBooks

Where your accountancy or bookkeeping firm uses SmartBooks to act for you, the firm is the data controller for your records and Rajoka Limited is the data processor under a written data-processing agreement. Please raise data-protection queries with your firm first — they are best placed to act on them. If you are unable to reach them, contact dpo@rajoka.com and we will help.

17. Changes to this notice

We may update this notice from time to time. The version number and “last updated” date at the top of the page change with every revision. For material changes — for example, a new sub-processor that touches identifiable personal data, or a change to the lawful basis for any processing — we will notify customers by email or in-product at least 30 days before the change takes effect.

18. Contact

Privacy queries, rights requests and complaints: dpo@rajoka.com.

Postal address — Data Protection Officer, Rajoka Limited, 64b Yardley Green Road, Birmingham, England, B9 5QE.

General enquiries: hello@usesmartbooks.com · Customer support: support@usesmartbooks.com.

© 2026 SmartBooks — a trading name of Rajoka Limited, registered in England and Wales (12069067). Registered office: 64b Yardley Green Road, Birmingham, England, B9 5QE. ICO registration ZA837360. MTD-compliant accounting software · Pre-launch · v0.1