Privacy Policy
Last updated: 15 May 2026
1. Who we are
Firm AI Ltd ("we", "us", "our") operates Firm AI, a practice intelligence platform for UK accounting firms, accessible at https://app.firm.ai.
We are the data controller for personal data processed through Firm AI. If you have any questions about this policy or how we handle your data, please contact us at info@firmai.co.uk.
2. What data we collect and why
Account and practice data
When you register, we collect your name, email address, and practice details. We use this to create and manage your account. Our lawful basis is contract — this data is necessary to provide the service.
Client financial data (via Xero)
With your authorisation, we access financial data from your Xero organisation(s) including invoices, aged debtors, P&L reports, balance sheets, VAT returns, and bank transaction summaries. This data is fetched on demand to generate client dashboards and AI-powered insights. Our lawful basis is legitimate interests — processing this data is necessary to deliver the core features you have signed up for.
HMRC Making Tax Digital data
With your authorisation via HMRC's OAuth 2.0 service, we access VAT obligations, liabilities, payments, and penalties from HMRC's MTD API for your clients. We store access tokens (encrypted) to avoid repeated re-authorisation. Our lawful basis is legitimate interests.
HMRC Online Services data (PAYE and Corporation Tax)
If you choose to connect your Government Gateway agent account, we store your encrypted credentials and use them to retrieve PAYE employer liabilities and Corporation Tax data on your behalf. Credentials are encrypted at rest using AES-256-GCM. Our lawful basis is contract — you have explicitly requested this feature.
Device and usage data
To comply with HMRC's fraud prevention requirements, we collect technical device information from your browser when you use the platform, including your IP address, screen dimensions, timezone, browser type, and a persistent device identifier. This data is attached to every HMRC API call as required by HMRC's fraud prevention specification. Our lawful basis is legal obligation.
AI-generated content
When you use the AI assistant features, your queries and the relevant client data context are sent to Anthropic's API to generate responses. Anthropic processes this data as a data processor on our behalf. No data is used to train Anthropic's models without your consent. Our lawful basis is legitimate interests.
3. Data processors we use
We share data with the following processors, each bound by data processing agreements:
- Supabase — database and authentication (EU region)
- Anthropic — AI inference for the assistant feature
- Xero — accounting data source (you authorise access directly)
- HMRC — tax data source (you authorise access directly)
We do not sell your data to any third party.
4. How long we keep your data
We retain your account and practice data for as long as your account is active and for up to 90 days after deletion, to allow for recovery if requested. HMRC API snapshots (PAYE and CT data) are retained until you disconnect your Government Gateway account, at which point they are deleted immediately. Financial data fetched from Xero is not permanently stored — it is retrieved on demand and held only for the duration of your session.
5. Your rights under UK GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit how we process your data
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email us at info@firmai.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
6. Security
We take data security seriously. All data is encrypted in transit (TLS 1.2+) and at rest. Sensitive credentials are encrypted using AES-256-GCM before storage. Access to customer data is controlled by row-level security policies in our database.
If you discover a security vulnerability, please report it responsibly to info@firmai.co.uk. We aim to acknowledge all reports within 24 hours.
7. Cookies
We use strictly necessary cookies to maintain your session and to store HMRC fraud prevention device data as required by law. We do not use advertising or analytics cookies. No cookie consent banner is shown because all cookies we set are strictly necessary for the service to function.
8. Changes to this policy
We may update this policy from time to time. Where changes are significant, we will notify you by email. The date at the top of this page always reflects when it was last updated.
9. Contact
Firm AI Ltd
Email: info@firmai.co.uk
Security: info@firmai.co.uk