Privacy Policy
How we collect, use, and protect your data
Last updated: March 2026
Aarvo Ltd | United Kingdom
1. Introduction
Aarvo Ltd ("Aarvo", "we", "us", or "our") is committed to protecting your privacy and handling your personal data transparently. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our cloud-based accounting platform at aarvo.com(the "Service").
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
Aarvo Ltd is the data controller for the personal data processed through the Service. If you have any questions about this policy or your data, you can contact us at:
- Email: privacy@aarvo.com
- Data Protection Officer: dpo@aarvo.com
3. Personal Data We Collect
3.1 Account Information
When you create an account or use our Service, we collect:
- Full name
- Email address
- Profile picture (if provided via social login)
- Authentication credentials (managed by our auth provider)
- Workspace and organisation details
3.2 Financial and Tax Data
To provide our accounting and Making Tax Digital (MTD) services, we process:
- Income, expenses, invoices, and receipts
- Supplier and customer records
- Asset registers and depreciation schedules
- VAT returns and VAT registration numbers (VRN)
- Self-assessment data and National Insurance numbers (NINO)
- Corporation Tax and payroll data
3.3 HMRC Data
When you connect your HMRC account to Aarvo, we access and process data via the HMRC API, including:
- VAT Registration Number (VRN)
- National Insurance Number (NINO)
- VAT return data (obligations, submissions, liabilities, payments)
- Self-assessment tax return data
- MTD subscription and obligation status
This data is processed solely for the purpose of fulfilling your tax obligations through Making Tax Digital and related HMRC services. We act as your authorised agent when submitting data to HMRC on your behalf.
3.4 Banking Data
When you connect your bank account(s) via our open banking connectivity provider, we may access:
- Account numbers and sort codes
- Account balances
- Transaction history (descriptions, amounts, dates, counterparties)
- Institution and account holder details
3.5 Payment Data
Subscription payments are processed by our payment processing provider. We do not store full card numbers. Our payment processor may collect:
- Card last four digits and expiry date
- Billing address
- Payment history and subscription status
3.6 Usage and Analytics Data
- IP address, browser type, device information
- Pages visited and features used
- Referral source
- Session duration and interaction patterns
4. How We Use Your Data
We use your personal data to:
- Provide, maintain, and improve the Service
- Process and submit tax returns to HMRC on your behalf
- Reconcile bank transactions and generate financial reports
- Process subscription payments
- Send service-related communications (e.g. tax deadline reminders)
- Detect and prevent fraud or abuse
- Comply with legal obligations
- Analyse usage patterns to improve our product
5. Legal Basis for Processing
We process your data under the following legal bases (UK GDPR Article 6):
- Contract: Processing necessary to provide the Service you have signed up for
- Consent: Where you have given explicit consent (e.g. connecting HMRC or bank accounts)
- Legal obligation: Where we are required to process data to comply with law
- Legitimate interest: Analytics and service improvements, fraud prevention, and security
6. Third-Party Processors
We engage third-party sub-processors to help deliver the Service. Each sub-processor operates under a data processing agreement and processes data only for the purposes described below. We use the following categories of sub-processors:
| Processor Category | Purpose |
|---|---|
| Cloud infrastructure and hosting providers | Database hosting, authentication, application deployment, and content delivery |
| Payment processing providers | Billing, subscription management, and payment information |
| Open banking connectivity providers | Bank account connections and transaction data retrieval |
| Analytics and performance monitoring tools | Usage analytics, referral tracking, session recording, and heatmaps |
| Error monitoring and application performance tools | Error tracking, performance monitoring, and application stability |
| AI-powered document processing services | Automated data extraction and document analysis |
| Marketing and attribution tools | Conversion tracking and advertising performance measurement |
| Tax authority integrations | Tax return submission via HMRC Making Tax Digital APIs |
A complete list of our sub-processors is available on request by emailing privacy@aarvo.com.
7. Data Storage and Security
Your data is stored on our cloud infrastructure provider's servers and is:
- Encrypted at rest using AES-256 encryption
- Encrypted in transit using TLS 1.2+
- Protected by row-level security policies ensuring multi-tenant isolation
- Backed up regularly with point-in-time recovery
We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction.
8. Data Retention
- Account data: Retained for the duration of your account plus 30 days after deletion request
- Financial and tax data: Retained for a minimum of 6 years after the end of the relevant tax year, as required by HMRC record-keeping obligations
- Banking data: Retained for the duration of the bank connection plus 6 years for regulatory compliance
- Payment records: Retained for 7 years for accounting and tax compliance
- Analytics data: Anonymised and aggregated; retained indefinitely
9. Your Rights
Under the UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your data (subject to legal retention requirements)
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to restrict processing: Request that we limit how we use your data
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, please contact us at privacy@aarvo.com. We will respond within one month of receiving your request.
10. Data Export
You can export your data at any time through the Service. Exports are available in standard formats (CSV, PDF) and include your financial records, transaction history, and tax submissions. For a full data subject access request (DSAR), contact privacy@aarvo.com.
11. Cookies and Analytics
We use the following categories of cookies and similar tracking technologies on the Service:
- Essential cookies: Required for authentication, session management, and core platform functionality. These cookies are necessary for the Service to operate and cannot be disabled.
- Analytics cookies: Used to understand how visitors interact with the Service, including usage patterns, session recordings, heatmaps, and referral tracking. These help us improve the user experience. You may opt out of analytics cookies via our cookie consent mechanism.
- Marketing and tracking cookies:We use conversion tracking pixels to measure the performance of our advertising campaigns. These cookies are set by third-party advertising platforms and help us understand which ads lead to sign-ups or purchases. You may opt out of marketing cookies via our cookie consent mechanism or through the relevant platform's opt-out tools.
We are implementing a cookie consent mechanism that will allow you to accept or reject non-essential cookies when you first visit the Service. You can update your preferences at any time through the cookie settings link in the footer of our website.
For more information about the specific cookies we use and their retention periods, please contact privacy@aarvo.com.
12. International Data Transfers
Some of our sub-processors are based outside the United Kingdom and may transfer personal data to countries that do not have equivalent data protection laws. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with UK GDPR, including UK International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions issued by the UK Secretary of State. We conduct Transfer Impact Assessments (TIAs) where required to evaluate the level of data protection in the recipient country. A summary of international transfers and the safeguards in place is available on request by emailing privacy@aarvo.com.
13. Children's Data
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect data from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
15. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
16. Contact Us
For any questions about this Privacy Policy or your personal data, please contact:
- Email: privacy@aarvo.com
- Data Protection Officer: dpo@aarvo.com