Last Updated: 3 July 2026 · Last substantive update: 3 July 2026
What changed in this version
AIONA Ltd, trading as AIONA ("we", "our", or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our intelligent accounting software platform ("AIONA" or the "Service"). We are the data controller for the personal data described below.
AIONA Ltd is registered in England & Wales under company number 16606520, registered office 128 City Road, London, United Kingdom, EC1V 2NX.
If you join the waitlist on our website, we collect your work email address and, optionally, your name and business name. We use these solely to contact you about AIONA's availability, early access, and launch. The lawful basis is your consent, which you can withdraw at any time using the unsubscribe link in any email we send, or by writing to support@aionatech.com — we will then stop contacting you and delete your waitlist record. Every waitlist email we send identifies AIONA Ltd as the sender and includes a way to opt out. Waitlist records are deleted no later than 12 months after our public launch unless you have opened an account.
We process your information to:
Our lawful bases under UK GDPR Article 6, mapped to purpose:
| Purpose | Lawful basis |
|---|---|
| Providing the Service — accounts, document extraction, ledger, reports, reconciliation, and filings you initiate | Performance of a contract |
| Statutory record-keeping, VAT/MTD filing obligations, HMRC fraud-prevention headers (§3.5), and identity/AML checks where required | Legal obligation |
| Security logging, fraud and abuse prevention, debugging, and service improvement | Legitimate interests |
| Optional integrations you connect (bank feed, Xero, HMRC), and waitlist/launch updates | Consent |
When you upload or forward a document, we extract its text and key fields. A first pass runs on our own servers using local optical character recognition (Tesseract). For structured extraction of invoices, receipts, and statements we use Google Cloud Document AI (configured in the EU region). AWS Textract may be used as a fallback in limited circumstances. Each of these processes the document's image/PDF content to return fields such as vendor, dates, totals, VAT, and line items.
We use automated techniques (including AI) to classify documents and suggest how each line maps to your chart of accounts. These are suggestions only. No document affects your ledger until a person reviews and approves it; any automatic posting is a per-supplier setting you switch on yourself. We therefore do not make decisions producing legal or similarly significant effects about you by solely automated means within the meaning of UK GDPR Article 22. We keep a log of these classification inputs and outputs (for example, the vendor name and line description sent, and the account suggested) so that coding decisions are auditable and so the system can learn from your corrections.
The in-app AI Assistant is powered by large language models provided by Anthropic (the Claude family), accessed through Anthropic's API. When you ask the Assistant a question, your query and a relevant, company-scoped slice of your accounting data (which may include supplier and customer names, document text, and figures) are sent to Anthropic to generate a response. The Assistant is read-only and is restricted to the single company you are working in. We do not keep a server-side transcript of your Assistant conversations; conversation context is held in your browser session for the duration of the chat. We use these AI services under terms that prohibit them from using your data to train their models.
Some compliance and benchmarking features analyse public company-register information (from Companies House) and aggregated financial ratios using AWS Bedrock. These features operate on public-register and aggregated data, not on your private ledger content.
When you connect AIONA to HMRC and use Making Tax Digital features (for example retrieving VAT obligations or submitting a VAT return), HMRC requires all MTD software, by law, to send certain information about the device and connection being used alongside each API request. This helps HMRC detect and prevent fraud, is a condition of using HMRC's APIs, and cannot be switched off while using HMRC-connected features. The data transmitted with each HMRC request includes:
This data is sent only to HMRC, only when you use HMRC-connected features, and only for HMRC's fraud-prevention purposes. The lawful basis is legal obligation. HMRC's own use of this data is described in HMRC's transaction monitoring privacy notice.
We do not sell your personal or financial data. We share data with the sub-processors below only for the purposes listed, and only when the relevant feature or integration is in use. All sub-processors are engaged under data-processing terms consistent with UK GDPR Article 28.
| Processor | Purpose | Region | When |
|---|---|---|---|
| Fly.io | Cloud hosting of the application and database | UK (London) | Always |
| Google Cloud | Document storage (Cloud Storage) and document data extraction (Document AI) | EU / UK | Whenever you upload or process documents |
| Anthropic | AI Assistant and automated transaction-coding suggestions (Claude models) | United States | When AI features are used |
| Amazon Web Services (AWS) | AI analysis of public company-register data, OCR fallback, backup email delivery, and storage of public datasets | US / EU | When those features run |
| Resend | Transactional email (verification codes, password resets, invitations, notices) | United States | Always |
| Postmark | Inbound email capture (forwarding invoices/receipts to your AIONA address) | United States | When you use email-in capture |
| Stripe | Subscription billing and card payment processing | US / UK / EU | On paid plans |
| Didit | Identity verification (KYC/AML) where enhanced verification is required | EU | Only if enhanced identity verification is enabled |
| Sentry (Functional Software, Inc.) | Application error monitoring — crash reports, which may include your IP address, browser details, and the screen or action in use when an error occurred (configured not to capture personal data by default) | United States | When error monitoring is enabled |
| Xero | Accounting data sync (accounts, contacts, invoices, payments) | Global | Only when you connect Xero |
| HMRC | VAT and Making Tax Digital submissions and obligation tracking | UK | Only when you authorise filing |
| Companies House | Company-register lookups and supplier verification | UK | During onboarding and supplier checks |
| TrueLayer | Open Banking bank feed (account and transaction data). TrueLayer Limited is the FCA-authorised account information service provider; AIONA is not FCA-regulated and receives only the read-only data you instruct TrueLayer to share | UK / EU | Only when you connect a bank feed |
We may disclose your information if required by law, court order, or government regulation, or to establish, exercise, or defend legal claims, or to protect the rights, property, or safety of AIONA, our users, or others.
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you in advance of any such transfer and of any resulting change to how your data is processed.
We retain your data for as long as your account is active and as needed to provide the Service. Financial records (posted journals, audit events, VAT submissions, reconciliations, and the documents that evidence them) are retained for 7 years, to satisfy the stricter of the Companies Act 2006 minimum (6 years for private companies) and HMRC's VAT evidence requirements (6 full years plus the current year).
When you close your account, personal identifiers are removed from those retained financial records — your name and email are replaced with an anonymous reference while the underlying accounting entries (debits, credits, dates) are preserved to meet our statutory obligations. Login history and refresh tokens are permanently deleted, as there is no legal obligation to retain them.
Sign-in and security logs are retained for up to 24 months from creation. Logs of automated classification inputs and outputs (§3.2) are retained for the same period as the accounting records they explain, so that coding decisions remain auditable.
Under the UK General Data Protection Regulation, you have the right to:
To exercise any of these rights, contact us at support@aionatech.com. We respond within the UK GDPR one-month window.
AIONA keeps you signed in using authentication tokens stored in your browser's local storage, together with a small number of strictly necessary interface preferences. These are essential and do not require consent under the UK Privacy and Electronic Communications Regulations (PECR). Full details are in our Cookie Policy.
We do not currently use advertising cookies or third-party analytics trackers. If we introduce optional analytics in the future, we will only enable them after you opt in through a consent banner, and we will add a control in the application for changing your choice at any time.
The Service is hosted in the United Kingdom, and we keep your data in the UK and EU wherever practicable. Some of our sub-processors are based outside the UK — in particular Anthropic, Resend, Postmark, Stripe, Sentry, and certain Amazon Web Services features are based in the United States. Where personal data is transferred outside the UK, we rely on one or more of the following safeguards:
AIONA is a business tool intended for use by people aged 18 or over. We do not knowingly collect personal information from children.
We may update this Privacy Policy from time to time. Material changes will be communicated by email and surfaced in the app for at least 30 days before they take effect. Minor, clarifying updates will be reflected in the "Last Updated" date only. Your continued use of AIONA after a material change takes effect constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or our data practices, please contact us:
AIONA Ltd
Email: support@aionatech.com
Registered in England & Wales, company number 16606520
Registered office: 128 City Road, London, United Kingdom, EC1V 2NX
This Privacy Policy is effective as of 3 July 2026.