Privacy Policy
Last updated: 4 June 2026
1. Who we are
Cysoni provides software that helps UK accountancy practices capture invoices, receipts and bank statements from their clients and post them to accounting software such as Xero. For questions about this policy or your data, contact us at privacy@cysoni.co.uk.
2. Our role: controller and processor
For the accounts of the practices that use Cysoni (your name, email and login), we are the data controller. For the underlying client and financial data that a practice captures through Cysoni (e.g. a client's invoices and bank statements), the practice is the controller and Cysoni acts as a data processor on the practice's instructions. Practices and Cysoni enter into a Data Processing Agreement governing that relationship.
3. What we process
Practice account data: name, email address, hashed password and role.
Client records: the client/business name and contact email a practice enters.
Connected-inbox content: with the client's explicit, read-only consent, we scan their mailbox to identify invoices and receipts. We only read mail — we never send, modify or delete it.
Uploaded documents: photos, PDFs and statements a client submits via a capture link.
Accounting connection: OAuth tokens for the practice's connected Xero organisation, stored encrypted at rest.
Extracted data: supplier, amounts, dates, VAT and line items extracted from documents.
4. How we use it and our lawful basis
We process this data to provide the service — capturing documents, classifying and extracting their details, and posting them to the practice's accounting software — under the lawful bases of performance of a contract and our legitimate interests in operating and securing the service. We do not sell personal data or use it for advertising.
5. Sub-processors and third parties
We rely on the following providers to deliver the service: Google (Gmail API, read-only inbox access), Xero (posting bills), Anthropic (AI classification and data extraction), Google Cloud / Firebase (database and file storage, in the UK/EU region), Vercel (application hosting), Resend (transactional email) and Stripe (billing). Each processes data only as needed to provide their part of the service.
6. AI processing
Document classification and field extraction are performed by Anthropic's Claude models via their API. Data sent to the API is not used to train their models. Data obtained from the Xero API is never used to train any AI or machine-learning model.
7. Data retention
We keep account and captured-document data for as long as a practice's account is active. When a client or account is deleted, we remove the associated records and stored files. Accounting software (e.g. Xero) remains the system of record for any documents already posted to it.
8. Security
Connection tokens are encrypted at rest (AES-256-GCM). Access to client data is restricted to the owning practice and its authorised team members. All data is transmitted over HTTPS. Server-side access controls govern every request.
9. Your rights
Under UK GDPR you have the right to access, correct, delete or port your personal data, and to object to or restrict its processing. To exercise these rights contact privacy@cysoni.co.uk. Where Cysoni acts as a processor, requests relating to a practice's client data should be directed to that practice. You may also complain to the Information Commissioner's Office (ICO).
10. Cookies
We use a single strictly-necessary cookie to keep you signed in. We do not use advertising or third-party tracking cookies.
11. International transfers
Our database and file storage are hosted in the UK/EU region. Some sub-processors may process data outside the UK/EU under appropriate safeguards (such as Standard Contractual Clauses).
12. Changes
We may update this policy from time to time; material changes will be notified to account holders.