Legal
Privacy Policy (BETA)
⚠️ This is a placeholder draft. Lawyer review required before any beta user signs. See docs/legal/PRIVACY_POLICY.md for the canonical source.
1. Who we are
Comma is operated by Comma Accountants Ltd (the firm), regulated by [ICAEW / ACCA] (membership number [X]) and supervised for Anti-Money Laundering by [Body] under the Money Laundering Regulations 2017. Comma Accountants Ltd is incorporated in England (company number pending registration).
2. Personal data we hold
We hold three categories of personal data: account data (name, email, WhatsApp number), AML/KYC data (date of birth, address, identity verification evidence), and books data (transactions, journal entries, conversations). We hold books data as data processor under your engagement letter, and act as data controller for account data and AML/KYC data.
3. Retention
We retain books data for 6 years after the end of the engagement (HMRC requirement) and AML records for 5 years (MLR 2017 reg 40). Account data is retained for the duration of the engagement plus 6 years. The full statutory retention list is in compliance/gdpr/retention.ts.
4. Your rights
You have the right to access, rectify, erase, restrict, and object to processing of your data, to port your data, and to withdraw consent (UK GDPR). Use Settings → Privacy in-app, or email [dpo@ledger.example]. Statutory retention periods (see section 3) may require us to keep some records after an erasure request; when that happens we will tell you which records are retained and why.
5. AI processing
We use AI models (Anthropic Claude, OpenAI embeddings) to do most of the bookkeeping. Inputs are sent to the provider for the inference call only; outputs are stored with an ai_decision_id so every piece of advice is traceable to the model call that produced it. We do not use customer data to train models. You may opt out of AI processing, in which case we fall back to a human-only bookkeeping path at the firm's standard hourly rate.
6. Sub-processors
Anthropic, OpenAI, Vercel, Neon, Inngest, Clerk, Meta (WhatsApp), SmartSearch, Stripe (post-beta), and Sentry. Transfers to US-based sub-processors rely on a UK-recognised transfer mechanism: the UK Addendum to the EU Standard Contractual Clauses (or the UK IDTA), or certification under the UK Extension to the EU-US Data Privacy Framework. The current list is maintained at https://[firm-domain]/sub-processors.
7. Contact
Email [dpo@ledger.example]. The regulator for data protection complaints is the Information Commissioner's Office (ICO), ico.org.uk.