Privacy Policy

Last updated: 8 April 2026

Ordnad (“we”, “us”, “our”) is operated by CreativeMinds. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI accounting, tax filing, and compliance platform (the “Service”), including our mobile app, web dashboard, and API integrations with third-party services such as HM Revenue & Customs (HMRC), Companies House, and Skatteverket.

1. Data We Collect

Account Information

Email address (used for authentication and communication)
Name (optional, used for display and filing)
Company details: name, registration number, address, company type, VAT scheme

Financial Documents

Receipts, invoices, and bank statements you upload or photograph
Transaction data extracted by our AI system (merchant, amount, VAT, category)
Financial reports generated from your data (P&L, balance sheet, VAT returns)

Filing Data

Tax returns and compliance filings prepared through the Service
Submission confirmations and reference numbers from tax authorities
Digital signatures used for filing authorisation

Third-Party Integration Data

HMRC: When you connect your HMRC account, we store OAuth access tokens and refresh tokens to submit VAT returns and access Making Tax Digital (MTD) services on your behalf. We access only the scopes you authorise.
Companies House: We may retrieve public company information (filing history, officer details) using the Companies House API.
Skatteverket: For Swedish companies, filing packages are prepared for submission to the Swedish Tax Agency.

Technical Data

IP address and approximate location (for security and audit logging)
Device type, browser, and operating system
Session data and authentication tokens

2. How We Use Your Data

To provide AI-powered bookkeeping: extracting data from documents, classifying transactions, and generating reports
To prepare and submit tax returns and compliance filings on your behalf
To connect with HMRC, Companies House, and other tax authorities via authorised APIs
To send deadline reminders and compliance notifications
To maintain audit trails for regulatory compliance
To improve our AI models and Service (using anonymised, aggregated data only)
To prevent fraud and ensure security of your account

3. Legal Basis for Processing (GDPR & UK GDPR)

Contract performance: Processing necessary to provide the Service you signed up for.
Legitimate interest: Security monitoring, fraud prevention, and service improvement.
Legal obligation: Maintaining records required by tax and accounting regulations.
Consent: Where required, such as connecting third-party integrations like HMRC.

4. Data Storage & Security

Your data is stored on encrypted servers hosted by Railway (PostgreSQL) and Cloudflare R2 (document storage), both located in the EU/EEA.
All data is encrypted in transit (TLS 1.2+) and at rest.
OAuth tokens for HMRC and other integrations are stored encrypted in our database.
We implement role-based access controls and maintain comprehensive audit logs.
Document uploads are stored in isolated, per-company storage buckets.

5. Data Sharing

We do not sell your data. We share data only with:

Tax authorities (HMRC, Skatteverket) — only when you explicitly authorise and initiate a filing submission.
AI processing — Document text is sent to Anthropic (Claude AI) for extraction and classification. No financial data is retained by Anthropic beyond processing.
Infrastructure providers — Railway (hosting), Cloudflare (storage), Resend (email) — acting as data processors under DPAs.

6. Data Retention

Account and company data: retained while your account is active, plus 30 days after deletion.
Financial documents and transactions: retained for the statutory period required by your jurisdiction (typically 7 years for Sweden, 6 years for the UK).
Audit logs: retained for 7 years as required by accounting regulations.
OAuth tokens: retained while the integration is active; deleted immediately upon disconnection.

7. Your Rights

Under GDPR and UK GDPR, you have the right to:

Access — Request a copy of your personal data.
Rectification — Correct inaccurate data.
Erasure — Request deletion of your data (subject to legal retention requirements).
Portability — Export your data in a machine-readable format.
Restriction — Limit how we process your data.
Objection — Object to processing based on legitimate interest.
Withdraw consent — Disconnect integrations or delete your account at any time.

To exercise these rights, email us at [email protected].

8. HMRC-Specific Data Handling

When you connect your HMRC account through our Service:

We use the OAuth 2.0 protocol as specified by HMRC's Making Tax Digital programme.
Access tokens are refreshed automatically and stored securely. You can revoke access at any time from your Ordnad settings or directly through your HMRC online account.
We access only the API scopes necessary for the services you use (e.g., VAT submission, obligations).
We do not access or store your HMRC login credentials.
Fraud prevention headers (as required by HMRC) may include device and connection metadata.

9. Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. No cookie consent banner is needed as we only use strictly necessary cookies.

10. Children's Privacy

Our Service is designed for business use and is not directed at children under 18. We do not knowingly collect data from children.

11. International Transfers

Your data is primarily processed within the EU/EEA. Where data is processed outside the EEA (e.g., AI processing via Anthropic in the US), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs).

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. Continued use of the Service after changes constitutes acceptance.

13. Contact

For privacy-related questions or data requests:

Email: [email protected]
Data Controller: CreativeMinds