Privacy Policy

1 Who We Are

Interlink Accounts is operated by Interlink Digital Ltd ("we", "us", "our"), a company registered in England and Wales. We are the data controller for the personal data processed through our platform.

Interlink Digital has been crafting digital excellence since 1996. We take our responsibilities as a data controller extremely seriously.

Data Protection Contact: privacy@interlink.digital

2 Data We Collect

2.1 Account Information

When you register for Interlink Accounts, we collect:

• Full name and email address
• Organisation name and business type
• Telephone number (optional)
• Password (stored as a bcrypt hash - we never store plain-text passwords)
• VAT registration number (if applicable)
• PAYE employer reference (if applicable)

2.2 Financial Data

To provide accounting services, we process financial data you enter into the platform:

• Bank transactions, balances, and statements
• Invoices, bills, credit notes, and quotes
• Chart of accounts and journal entries
• Payroll records, employee details, and salary information
• Tax submissions and compliance records
• Receipts, documents, and file uploads
• Contact details of your customers and suppliers

2.3 Usage Data

We automatically collect certain information when you use the Service:

• IP address and approximate location (country/region level)
• Browser type, version, and operating system
• Pages visited, features used, and time spent
• Device type and screen resolution
• Referring website or source
• Error logs and performance data

2.4 Communication Data

When you contact us or interact with our support channels:

• Email correspondence
• Support ticket content and chat transcripts
• Feedback, survey responses, and feature requests

2.5 Data We Do Not Collect

3 How We Use Your Data

Purpose	Data Used	Legal Basis
Providing the accounting platform	Account info, financial data	Contract
Processing payroll and tax submissions	Employee data, financial data	Contract
Sending invoices and financial documents	Contact details, financial data	Contract
AI-powered transaction categorisation	Transaction descriptions, amounts	Contract / Legitimate interest
Security monitoring and fraud prevention	Usage data, IP addresses	Legitimate interest
Platform improvement and analytics	Usage data (anonymised)	Legitimate interest
Customer support	Account info, communication data	Contract
Billing and payment processing	Account info, billing data	Contract
Product updates and service notifications	Email address	Contract / Legitimate interest
Marketing communications (with consent)	Email address, name	Consent
Legal compliance (tax, AML regulations)	As required by law	Legal obligation

4 Legal Basis for Processing

Under the UK GDPR, we process your personal data on the following legal bases:

• Performance of a contract - Processing necessary to provide the Service you have subscribed to, including accounting, payroll, and tax submission features.
• Legitimate interests - Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and preventing fraud. We always balance our interests against your rights.
• Legal obligation - Processing necessary to comply with UK law, including tax regulations, anti-money laundering requirements, and financial reporting obligations.
• Consent - Where we rely on your consent (e.g., marketing emails), you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

5 Data Sharing

5.1 We Do Not Sell Your Data

5.2 Third-Party Service Providers

We share data with carefully selected service providers who assist us in operating the platform:

Provider Type	Purpose	Data Shared
Hosting provider	Server infrastructure	All platform data (encrypted)
Payment processor	Subscription billing	Billing details only
Email service	Transactional emails	Email addresses, names
Banking API provider	Open Banking feeds	Bank account identifiers

All third-party providers are bound by data processing agreements and are required to protect your data to the same standards we apply.

5.3 HMRC and Government Bodies

When you use our MTD, RTI, or CIS submission features, relevant financial data is transmitted directly to HMRC via their approved APIs. This is initiated by you and is necessary for tax compliance.

5.4 Legal Requirements

We may disclose your data if required to do so by law, regulation, legal process, or governmental request, including to meet national security or law enforcement requirements.

6 Data Security

We implement robust technical and organisational measures to protect your data:

• Encryption in transit - All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
• Encryption at rest - Sensitive data is encrypted at rest using AES-256 encryption
• Password security - Passwords are hashed using bcrypt with a cost factor of 12
• Access controls - Role-based access controls limit data access to authorised personnel only
• Rate limiting - API and authentication endpoints are protected against brute-force attacks
• CSRF protection - All forms are protected against cross-site request forgery
• Regular backups - Automated daily backups with point-in-time recovery
• Security monitoring - Continuous monitoring for suspicious activity and potential vulnerabilities
• Incident response - Documented incident response procedures with defined notification timelines

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected users in the event of a data breach, in accordance with our obligations under UK GDPR.

7 Data Retention

Data Type	Retention Period	Reason
Account information	Duration of account + 90 days	Service provision and data export window
Financial records	Duration of account + 90 days	Service provision and data export window
Tax submission records	7 years from submission	HMRC record-keeping requirements
Payroll records	7 years from creation	HMRC and employment law requirements
AML/KYC records	5 years from end of relationship	Money Laundering Regulations 2017
Usage analytics	24 months (anonymised)	Service improvement
Support correspondence	3 years	Service quality and dispute resolution
Server logs	90 days	Security monitoring

Where legal retention periods apply (e.g., HMRC requirements for tax records), we will retain the minimum data necessary to meet those obligations, even after account closure.

8 Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access - You can request a copy of all personal data we hold about you (Subject Access Request). We will respond within 30 days.
• Right to rectification - You can ask us to correct any inaccurate or incomplete personal data. Most data can be corrected directly within the platform.
• Right to erasure - You can request deletion of your personal data, subject to legal retention requirements. Closing your account triggers automatic deletion after the 90-day export window.
• Right to restrict processing - You can ask us to limit how we process your data in certain circumstances.
• Right to data portability - You can request your data in a structured, commonly used, machine-readable format. Our export tools allow you to download your data at any time.
• Right to object - You can object to processing based on legitimate interests. You can opt out of marketing communications at any time.
• Right to withdraw consent - Where processing is based on consent, you can withdraw it at any time.
• Rights related to automated decision-making - You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI features are advisory and always require human review.

To exercise any of these rights, contact us at privacy@interlink.digital. We will respond to all legitimate requests within 30 days.

9 International Data Transfers

Your data is primarily stored and processed within the United Kingdom. Where data is transferred to countries outside the UK, we ensure appropriate safeguards are in place, including:

• UK adequacy decisions for the recipient country
• Standard contractual clauses approved by the ICO
• Binding corporate rules where applicable

We will always inform you if your data is being transferred outside the UK and ensure that appropriate protections are in place.

10 Children's Privacy

Interlink Accounts is a business accounting platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

11 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Send you an email notification at least 14 days before the changes take effect
• Display a notice within the Interlink Accounts dashboard
• Update the "Last updated" date at the top of this page

We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

12 Contact & Complaints

If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Helpline: 0303 123 1113