Privacy Policy

Version: 3.1

Last Updated: 26th May 2026

This Privacy Policy explains how Ironworks Software Ltd (“Company”, “we”, “us”, “our”) collects, uses, processes, stores, and protects personal data when you use BizHub365, including:

  • The website at https://bizhub365.com;
  • Web dashboards and APIs;
  • iOS applications distributed via the Apple App Store;
  • Android applications distributed via Google Play.

1. Data Controller

Ironworks Software Ltd
5 South Charlotte Street
Edinburgh, Scotland, EH2 4AN

Contact: https://bizhub365.com/support

For the purposes of UK GDPR and EU GDPR, we act as:

  • Data Controller for account, billing, and platform data;
  • Data Processor where you upload tax or client data and we process it solely on your instructions.

2. Personal Data We Collect

We may collect the following categories of personal data:

  • Name
  • Email address
  • Telephone number (optional)
  • Billing and business address
  • Account credentials
  • Financial and tax-related information uploaded by you
  • Bank account and transaction data (where you choose to connect a bank account), such as account name/type, masked account identifiers, balances, transaction dates, amounts, merchant/descriptions, and related categories (if provided)
  • Technical logs (IP address, device type, browser type, timestamps)
  • Approximate device location (latitude and longitude), transiently processed and not stored by us, where you explicitly choose to use the "Use my location" feature on our public trades directory pages (see Section 6 — Location Services)
  • E-commerce integration data (where you connect a third-party store): customer names, email addresses, shipping and billing addresses, telephone numbers, order details, product descriptions, quantities, and financial transaction amounts imported from your connected platform on your instruction.

We do not sell personal data.


3. Data We Do Not Intentionally Collect

  • Advertising identifiers;
  • Device contact lists;
  • Biometric data;
  • Special category data unless voluntarily uploaded by you.

We do not collect or store device location data for tracking or profiling purposes. The limited, transient use of device location coordinates via the optional "Use my location" feature is described in Section 2 and Section 6.


4. Lawful Bases for Processing

  • Contractual necessity – to provide the Service;
  • Legal obligation – accounting and regulatory compliance;
  • Legitimate interests – platform security and service improvement;
  • Consent – where explicitly provided (including when you connect a bank account).

5. How We Use Personal Data

  • Provide and maintain the Service;
  • Process payments;
  • Enable HMRC integrations and Submissions;
  • Provide bank feed functionality (if enabled by you), including importing transactions and supporting reconciliation and reporting features;
  • Respond to support requests;
  • Prevent fraud and ensure security;
  • Comply with legal obligations;
  • Sync orders, customers, and stock levels between connected e-commerce platforms and your BizHub365 account, where you choose to enable an integration.

6. Data Sharing

We may share data with the following processors and service providers:

  • Stripe (payment processing);
  • SMTP2GO (email delivery);
  • Anthropic, PBC (AI-powered financial statement analysis, document processing, and AI-assisted features, where you choose to use those features);
  • HMRC APIs (where you initiate a Submission);
  • Professional advisers, auditors, or regulators where required;
  • Law enforcement where legally compelled.

E-Commerce Platform Integrations

Where you choose to connect a third-party e-commerce platform, we act as your data processor to import and process data from that platform on your behalf. Each platform you connect is an independent data controller for the data held within it. You remain responsible for ensuring your customers have been informed that their data may be shared with BizHub365 for accounting and order management purposes.

Platforms we currently support:

  • WordPress / WooCommerce (self-hosted software installed on the merchant's own server; data is transmitted directly to BizHub365 via a plugin and is not shared with any WordPress or WooCommerce third-party infrastructure).
  • Magento / Adobe Commerce (Adobe Inc., United States).
  • PrestaShop (PrestaShop SA, France, European Union).
  • OpenCart (self-hosted software installed on the merchant's own server; data is transmitted directly to BizHub365 via a plugin and is not shared with any OpenCart third-party infrastructure).

Only the data necessary to create invoices, customer records, and stock entries within BizHub365 is imported. We do not share your e-commerce customer data with any other third party.

Location Services (Nominatim / OpenStreetMap)

On our public trades directory pages, we provide an optional "Use my location" button. If you choose to click it, your browser will request permission to access your device's location. If you grant permission, your browser provides us with your approximate latitude and longitude coordinates.

  • Purpose: To identify your nearest UK town or city and pre-populate the location search field, so you can quickly find relevant local trade guides.
  • How it works: Your coordinates are sent directly from your browser to Nominatim, a reverse-geocoding service operated by the OpenStreetMap Foundation (OSMF), a charitable company registered in England and Wales. Nominatim returns only a place name (such as a town or city). We receive and display that place name; we do not receive, log, or store your coordinates.
  • Data we store: None. Your coordinates are passed transiently from your browser to Nominatim. BizHub365 servers are not involved in that request and do not retain any location data.
  • Consent: Use of this feature is entirely optional and requires two explicit consent steps — clicking the "Use my location" button, and granting location permission in your browser. You can deny the browser permission at any time without affecting your use of the site.
  • Processor: The OpenStreetMap Foundation acts independently as the operator of Nominatim. OSMF is a UK-based organisation; your coordinates are processed within their infrastructure in accordance with their own privacy policy.

The OpenStreetMap Foundation's privacy policy is available at https://osmfoundation.org/wiki/Privacy_Policy.

AI Processing (Anthropic Claude API)

Where you choose to use AI-powered features (such as financial statement analysis, document interpretation, invoice drafting, or AI-assisted tools), certain data you submit may be processed via the Anthropic Claude API.

  • Purpose: Processing is limited to providing AI-assisted financial analysis and related features within the Service.
  • Processor Role: Anthropic, PBC acts as a data processor under contractual terms designed to include appropriate data protection safeguards.
  • Scope of Data: This may include financial statements, transaction summaries, and associated business data submitted by you for analysis.
  • No Credential Access: We do not transmit user passwords or authentication credentials to Anthropic.
  • No Training Use: Anthropic does not use API inputs or outputs to train its models by default.

We require all processors to implement appropriate administrative, technical, and organisational safeguards.


7. International Transfers

Where personal data is transferred outside the United Kingdom or EEA, we rely on one of the following safeguards: UK adequacy regulations, the UK-US Data Bridge (where the recipient is a certified participant), International Data Transfer Agreements (IDTAs) issued by the ICO, or Standard Contractual Clauses (SCCs).

General Service Providers

Transfers to Anthropic (United States) are made under IDTAs or the UK-US Data Bridge where applicable.

E-Commerce Platform Integrations

Where you connect an e-commerce platform, personal data imported from that platform originates from each platform's own infrastructure. The applicable transfer mechanism for each supported platform is set out below.

Platform(s) | Processing Location | Transfer Mechanism
PrestaShop | France (EU) | UK adequacy regulations (EU)
Magento / Adobe Commerce | United States | IDTA or UK-US Data Bridge where the provider is a certified participant
WordPress / WooCommerce | Merchant's own server | No transfer to third-party infrastructure; data is transmitted directly to BizHub365 via a plugin
OpenCart | Merchant's own server | No transfer to third-party infrastructure; data is transmitted directly to BizHub365 via a plugin

8. Data Retention

We retain data only as long as necessary for contractual, regulatory, accounting, or legitimate business purposes.

Account data may be retained for up to 6 years after closure where required for tax and legal compliance.


9. Security

We implement administrative, technical, and organisational safeguards designed to protect Personal Data appropriate to the nature of the Service.

  • Encryption in transit using TLS;
  • Encryption at rest within managed database and storage environments;
  • Role-based access controls and authentication safeguards;
  • Secure cloud hosting infrastructure;
  • Access logging and monitoring of security-relevant events;
  • Routine patching and maintenance of infrastructure components.

Definition (Encryption at rest):

“Encryption at rest” means data stored within persistent storage systems (such as databases and backups) is encrypted using provider-managed or application-managed encryption controls.

While we take reasonable steps to protect data, no system can guarantee absolute security. We do not guarantee that unauthorised access, cyber-attack, loss, or disclosure will never occur.


10. Data Breaches

In the event of a personal data breach, we will assess and notify the ICO and affected individuals where required by law.


11. Automated Decision-Making

We do not engage in automated decision-making that produces legal or similarly significant effects.


12. Your Rights

Under UK GDPR and EU GDPR, you may:

  • Request access;
  • Request correction;
  • Request deletion;
  • Object to processing;
  • Request restriction;
  • Request data portability.

Requests can be submitted via: https://bizhub365.com/support

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).


13. Cookies

We use essential session cookies strictly required for authentication and Service functionality. We do not use advertising or behavioural tracking cookies.


14. Children’s Privacy

The Service is not intended for children under 13. We do not knowingly collect data from children.


15. Changes to This Policy

We may update this Privacy Policy periodically. Continued use of the Service constitutes acceptance of updates.


16. Contact

Ironworks Software Ltd
5 South Charlotte Street
Edinburgh, Scotland, EH2 4AN
https://bizhub365.com/support