
Privacy Policy

Last Updated: 3 July 2026 · Last substantive update: 3 July 2026

AIONA Ltd, trading as AIONA ("we", "our", or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our intelligent accounting software platform ("AIONA" or the "Service"). We are the data controller for the personal data described below.

AIONA Ltd is registered in England & Wales under company number 16606520, registered office 128 City Road, London, United Kingdom, EC1V 2NX.

1. Information We Collect

1.1 Information You Provide

1.2 Information We Collect Automatically

1.3 Information from Third Parties

1.4 Waitlist and Pre-Launch Contact Data

If you join the waitlist on our website, we collect your work email address and, optionally, your name and business name. We use these solely to contact you about AIONA's availability, early access, and launch. The lawful basis is your consent, which you can withdraw at any time using the unsubscribe link in any email we send, or by writing to support@aionatech.com — we will then stop contacting you and delete your waitlist record. Every waitlist email we send identifies AIONA Ltd as the sender and includes a way to opt out. Waitlist records are deleted no later than 12 months after our public launch unless you have opened an account.

2. How We Use Your Information

We process your information to:

Our lawful bases under UK GDPR Article 6, mapped to purpose:

Purpose | Lawful basis
Providing the Service — accounts, document extraction, ledger, reports, reconciliation, and filings you initiate | Performance of a contract
Statutory record-keeping, VAT/MTD filing obligations, HMRC fraud-prevention headers (§3.5), and identity/AML checks where required | Legal obligation
Security logging, fraud and abuse prevention, debugging, and service improvement | Legitimate interests
Optional integrations you connect (bank feed, Xero, HMRC), and waitlist/launch updates | Consent

3. Automated Processing and Artificial Intelligence

3.1 Document Data Extraction (OCR)

When you upload or forward a document, we extract its text and key fields. A first pass runs on our own servers using local optical character recognition (Tesseract). For structured extraction of invoices, receipts, and statements we use Google Cloud Document AI (configured in the EU region). AWS Textract may be used as a fallback in limited circumstances. Each of these processes the document's image/PDF content to return fields such as vendor, dates, totals, VAT, and line items.

3.2 Automated Classification — Human in the Loop

We use automated techniques (including AI) to classify documents and suggest how each line maps to your chart of accounts. These are suggestions only. No document affects your ledger until a person reviews and approves it; any automatic posting is a per-supplier setting you switch on yourself. We therefore do not make decisions producing legal or similarly significant effects about you by solely automated means within the meaning of UK GDPR Article 22. We keep a log of these classification inputs and outputs (for example, the vendor name and line description sent, and the account suggested) so that coding decisions are auditable and so the system can learn from your corrections.

3.3 AI Assistant

The in-app AI Assistant is powered by large language models provided by Anthropic (the Claude family), accessed through Anthropic's API. When you ask the Assistant a question, your query and a relevant, company-scoped slice of your accounting data (which may include supplier and customer names, document text, and figures) are sent to Anthropic to generate a response. The Assistant is read-only and is restricted to the single company you are working in. We do not keep a server-side transcript of your Assistant conversations; conversation context is held in your browser session for the duration of the chat. We use these AI services under terms that prohibit them from using your data to train their models.

3.4 Other AI Analysis

Some compliance and benchmarking features analyse public company-register information (from Companies House) and aggregated financial ratios using AWS Bedrock. These features operate on public-register and aggregated data, not on your private ledger content.

3.5 HMRC Fraud Prevention Data (Making Tax Digital)

When you connect AIONA to HMRC and use Making Tax Digital features (for example retrieving VAT obligations or submitting a VAT return), HMRC requires all MTD software, by law, to send certain information about the device and connection being used alongside each API request. This helps HMRC detect and prevent fraud, is a condition of using HMRC's APIs, and cannot be switched off while using HMRC-connected features. The data transmitted with each HMRC request includes:

This data is sent only to HMRC, only when you use HMRC-connected features, and only for HMRC's fraud-prevention purposes. The lawful basis is legal obligation. HMRC's own use of this data is described in HMRC's transaction monitoring privacy notice.

4. Data Storage and Security

4.1 Where Your Data Is Stored

4.2 Security Measures

5. Data Sharing and Sub-Processors

We do not sell your personal or financial data. We share data with the sub-processors below only for the purposes listed, and only when the relevant feature or integration is in use. All sub-processors are engaged under data-processing terms consistent with UK GDPR Article 28.

Processor | Purpose | Region | When
Fly.io | Cloud hosting of the application and database | UK (London) | Always
Google Cloud | Document storage (Cloud Storage) and document data extraction (Document AI) | EU / UK | Whenever you upload or process documents
Anthropic | AI Assistant and automated transaction-coding suggestions (Claude models) | United States | When AI features are used
Amazon Web Services (AWS) | AI analysis of public company-register data, OCR fallback, backup email delivery, and storage of public datasets | US / EU | When those features run
Resend | Transactional email (verification codes, password resets, invitations, notices) | United States | Always
Postmark | Inbound email capture (forwarding invoices/receipts to your AIONA address) | United States | When you use email-in capture
Stripe | Subscription billing and card payment processing | US / UK / EU | On paid plans
Didit | Identity verification (KYC/AML) where enhanced verification is required | EU | Only if enhanced identity verification is enabled
Sentry (Functional Software, Inc.) | Application error monitoring — crash reports, which may include your IP address, browser details, and the screen or action in use when an error occurred (configured not to capture personal data by default) | United States | When error monitoring is enabled
Xero | Accounting data sync (accounts, contacts, invoices, payments) | Global | Only when you connect Xero
HMRC | VAT and Making Tax Digital submissions and obligation tracking | UK | Only when you authorise filing
Companies House | Company-register lookups and supplier verification | UK | During onboarding and supplier checks
TrueLayer | Open Banking bank feed (account and transaction data). TrueLayer Limited is the FCA-authorised account information service provider; AIONA is not FCA-regulated and receives only the read-only data you instruct TrueLayer to share | UK / EU | Only when you connect a bank feed

5.1 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to establish, exercise, or defend legal claims, or to protect the rights, property, or safety of AIONA, our users, or others.

5.2 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you in advance of any such transfer and of any resulting change to how your data is processed.

6. Data Retention

We retain your data for as long as your account is active and as needed to provide the Service. Financial records (posted journals, audit events, VAT submissions, reconciliations, and the documents that evidence them) are retained for 7 years, to satisfy the stricter of the Companies Act 2006 minimum (6 years for private companies) and HMRC's VAT evidence requirements (6 full years plus the current year).

When you close your account, personal identifiers are removed from those retained financial records — your name and email are replaced with an anonymous reference while the underlying accounting entries (debits, credits, dates) are preserved to meet our statutory obligations. Login history and refresh tokens are permanently deleted, as there is no legal obligation to retain them.

Sign-in and security logs are retained for up to 24 months from creation. Logs of automated classification inputs and outputs (§3.2) are retained for the same period as the accounting records they explain, so that coding decisions remain auditable.

7. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the right to:

To exercise any of these rights, contact us at support@aionatech.com. We respond within the UK GDPR one-month window.

8. Cookies, Local Storage, and Tracking

AIONA keeps you signed in using authentication tokens stored in your browser's local storage, together with a small number of strictly necessary interface preferences. These are essential and do not require consent under the UK Privacy and Electronic Communications Regulations (PECR). Full details are in our Cookie Policy.

We do not currently use advertising cookies or third-party analytics trackers. If we introduce optional analytics in the future, we will only enable them after you opt in through a consent banner, and we will add a control in the application for changing your choice at any time.

9. International Data Transfers

The Service is hosted in the United Kingdom, and we keep your data in the UK and EU wherever practicable. Some of our sub-processors are based outside the UK — in particular Anthropic, Resend, Postmark, Stripe, Sentry, and certain Amazon Web Services features are based in the United States. Where personal data is transferred outside the UK, we rely on one or more of the following safeguards:

10. Children's Privacy

AIONA is a business tool intended for use by people aged 18 or over. We do not knowingly collect personal information from children.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and surfaced in the app for at least 30 days before they take effect. Minor, clarifying updates will be reflected in the "Last Updated" date only. Your continued use of AIONA after a material change takes effect constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

AIONA Ltd
Email: support@aionatech.com
Registered in England & Wales, company number 16606520
Registered office: 128 City Road, London, United Kingdom, EC1V 2NX

This Privacy Policy is effective as of 3 July 2026.