Privacy Policy
This Privacy Policy explains how Cadogan Advisory Ltd ("we", "us", "our") collects, uses, and protects your personal data when you use ClearCash, our personal finance and tax compliance web application available at https://clearcash.site (the "Service").
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Data Controller: Cadogan Advisory Ltd, a company registered in England and Wales (registered office: 167-169 Great Portland Street, 5th Floor, London W1W 5PF).
ICO registration number: ZB622871.
Contact for data protection matters: m.veronese@cadoganadvisory.co.uk
2. Personal data we collect
Account information
- Name, email address, password (hashed), phone number
- User type (individual, accountant, or firm administrator)
- Firm membership and role within a firm (where applicable)
Tax and financial data
- Self-employment income and expenses
- Property rental income and expenses
- Dividends, savings interest, employment income, foreign income
- HMRC Unique Taxpayer Reference (UTR), National Insurance Number (NINO), VAT registration numbers
- HMRC Making Tax Digital (MTD) submission data
- Bank account details and transactions (via authorised open banking providers)
- Receipts, invoices, and supporting documents you upload
Professional services data (for accountants and firms)
- Client lists, engagement letters, quotes, invoices, time entries
- Anti-money laundering (AML) due diligence records
- Identity verification data
- QuickBooks integration data (customer records, invoices, items, tax codes) when you connect a QuickBooks account
Technical data
- IP address, browser type, device identifiers
- Login activity, session data, audit logs
- Cookies and similar tracking technologies (see Section 9)
3. How we use your data
We process your personal data on the following lawful bases:
| Purpose | Lawful basis |
|---|---|
| Provide the Service (account creation, tax calculations, MTD submissions) | Performance of a contract |
| Comply with HMRC, AML, and other regulatory obligations | Legal obligation |
| Process payments (when paid plans become available) | Performance of a contract |
| Send service notifications, security alerts | Legitimate interests |
| Send marketing communications | Consent (you may withdraw at any time) |
| Improve the Service, analyse usage | Legitimate interests |
| Respond to support requests | Performance of a contract / legitimate interests |
4. Sharing your data
We share your personal data only when necessary, with the following categories of recipients:
HMRC (His Majesty's Revenue and Customs)
We submit tax returns, VAT returns, and other regulatory filings to HMRC on your behalf when you initiate such submissions. We send only the data required by HMRC's Application Programming Interfaces (APIs).
Sub-processors (data processors acting on our instructions)
| Sub-processor | Purpose | Location |
|---|---|---|
| Hostinger | Application hosting and database storage | Singapore (with EU-region failover) |
| Cloudflare R2 | Receipt and document storage | Global edge network |
| Mailtrap | Transactional and marketing email delivery | EU |
| Pusher Channels | Real-time messaging infrastructure | EU |
| Intuit (QuickBooks) | Accounting integration (only if you connect QuickBooks) | USA |
| Sumsub | Identity verification (only when you initiate a verification) | UK / EU |
| Finexer | Open banking (only if you connect a bank) | UK |
We have data processing agreements in place with all sub-processors, and any international transfers are protected by Standard Contractual Clauses or equivalent safeguards.
Your accountant or firm
If you are an individual user invited by an accountant, that accountant and their firm members will see the data you share through the Service. You control what they can access through your account permissions.
Legal and regulatory authorities
We may disclose data when required by law, court order, or to protect our legal rights.
We do not sell your personal data. We do not use your data to train artificial intelligence models without your explicit consent.
5. International transfers
Your data is primarily stored within the UK and EU. Where data is transferred outside the UK (for example, to Intuit in the USA when you use the QuickBooks integration), we rely on:
- Adequacy decisions issued by the UK government, where available
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
- Additional technical safeguards including encryption in transit and at rest
6. How long we keep your data
| Data category | Retention period |
|---|---|
| Account data | While your account is active, plus 30 days after closure |
| Tax records (HMRC compliance) | 7 years from the end of the tax year (statutory requirement) |
| AML and identity verification records | 5 years after the end of the business relationship (statutory requirement) |
| Financial transactions | 7 years (statutory requirement) |
| Audit logs | 2 years |
| Marketing preferences | Until you withdraw consent |
After the retention period expires, your data is securely deleted or anonymised.
7. Your rights
Under UK GDPR, you have the right to:
- Access your personal data and receive a copy
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten"), subject to legal retention requirements
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests or for direct marketing
- Data portability -- receive your data in a structured, machine-readable format
- Withdraw consent at any time, where consent is the lawful basis
- Lodge a complaint with the UK Information Commissioner's Office (ICO): https://ico.org.uk
To exercise any of these rights, contact us at m.veronese@cadoganadvisory.co.uk. We will respond within one month.
8. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Encrypted storage of sensitive identifiers (NINO, HMRC tokens)
- Access controls based on user roles and firm membership
- Regular security updates and dependency vulnerability scanning
- Audit logging of access to sensitive data
In the event of a personal data breach affecting your rights, we will notify you and the ICO within the legally required timeframes.
9. Cookies
We use the following types of cookies:
- Strictly necessary cookies -- required for the Service to function (session management, security)
- Functional cookies -- remember your preferences (language, theme)
- Analytics cookies -- help us understand how the Service is used (only with your consent)
You can manage cookie preferences in your browser settings. Disabling strictly necessary cookies may prevent the Service from working correctly.
10. Children
The Service is not intended for use by individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you by email or through the Service of material changes at least 30 days before they take effect.
12. Contact us
For any questions about this Privacy Policy or how we handle your data:
Cadogan Advisory Ltd
167-169 Great Portland Street, 5th Floor
London W1W 5PF
United Kingdom
Email: m.veronese@cadoganadvisory.co.uk
Phone: +44 7535 464167
ICO registration: ZB622871