Last updated: 30 March 2026
Koovo Limited (“Koovo”, “we”, “us” or “our”) is committed to protecting personal data and handling it responsibly.
This Privacy Policy explains how we collect, use, store, share and otherwise process personal data when you visit our website, request a demo, create an account, use our software, upload or connect documents and data sources, enable integrations, interact with our AI-assisted features, or otherwise engage with us.
This policy is intended for users of our website and software platform, including bookkeeping firms, accountants, finance teams, consolidators, their personnel, prospective customers, and other business contacts. It also applies to personal data contained in documents and records processed through our platform, to the extent we act as a controller for that processing.
1. Who we are
Koovo Limited is a company incorporated in England and Wales.
Company number: 16994171
Registered office: Shelton House, Shelton, Newark, Nottinghamshire, United Kingdom, NG23 5JQ
For privacy-related questions or to exercise your data protection rights, contact us at:
Email: Privacy@Koovo.io
2. Scope of this policy
This policy applies to personal data that we process in connection with:
● our website;
● demo requests, enquiries and marketing interactions;
● user accounts and administration of our platform;@
● authentication and sign-in features;
● billing and account management;
● document upload, import, syncing, OCR, extraction and bookkeeping workflows;
● integrations with third-party platforms and services;
● support, security, fraud prevention, analytics, product improvement and compliance activities; and
● AI-assisted features, model evaluation, model training, automation and related product development activities.
This policy does not apply to third-party websites, products, platforms or services that we do not control, even where they are linked to, accessed through, or integrated with our services.
3. Controller and processor roles
Koovo may act as either a data controller or a data processor, depending on the context and the processing activity.
Where Koovo acts as controller
We act as a controller for personal data we use for our own business purposes, including:
● website visitor data;
● prospect and customer contact details;
● user account and subscription information;
● billing and payment administration;
● support communications;
● security, fraud prevention and service analytics;
● marketing preferences and communications;
● product development, testing, quality assurance and model improvement activities carried out for Koovo’s own purposes; and
● personal data used to train, tune, evaluate, validate, monitor or improve our AI-assisted features, models, automation systems and related product functionality, to the extent we determine the purposes and means of that processing.
Where Koovo acts as processor
Where our customers use our platform to upload, store, process or analyse bookkeeping, accounting, tax, transaction or financial records relating to their own clients, staff, suppliers or customers, Koovo will generally act as a processor on behalf of that customer for the core service activities we perform on their instructions, such as hosting, OCR, extraction, workflow support and storage.
In those cases, the relevant customer is generally responsible for determining the lawful basis and purpose of that processing.
Customer-authorised users, accountants and consolidators
Our platform may permit access by customer-authorised users. Depending on the account configuration and permissions set by the relevant customer or organisation, this may include:
● bookkeeping staff;
● accountants and bookkeepers;
● finance team members;
● administrators;
● reviewers and approvers; and
● users with consolidation, reporting or oversight permissions.
These users may be able to view documents, extracted fields, transaction records, reports, AI- assisted outputs and consolidated information according to the permissions configured for the relevant account.
Where a customer authorises an accountant, adviser, consolidator or other third party to access the platform or data on its behalf, that access is governed by the customer’s permissions, instructions and relationship with that third party.
4. The personal data we collect
We may collect and process the following categories of personal data.
Identity and account data
This may include:
● first name and last name;
● work email address;
● username or login identifier;
● password-related or authentication-related information;
● job title;
● organisation or firm name; and
● account role, permissions and access settings.
Contact data
This may include:
● email address;
● phone number;
● billing contact details; and
● correspondence details.
Customer relationship data
This may include:
● demo requests;
● onboarding information;
● sales notes;
● support requests;
● product feedback;
● training records;
● meeting notes; and
● communications preferences.
Billing and transaction data
This may include:
● subscription information;
● billing address;
● VAT number, where relevant;
● payment status;
● invoices;
● transaction-related records; and
● limited payment-related metadata supplied by our payment provider.
We do not store full card details ourselves.
Technical, usage and security data
This may include:
● IP address;
● browser type and version;
● device information;
● operating system;
● referral source;
● pages viewed;
● actions taken in the product;
● timestamps;
● login, audit and access logs;
● error logs;
● API activity;
● feature usage;
● cookie and similar technology data; and
● other diagnostic, analytics and security data.
Integration and connected-service data
If you connect third-party services to Koovo, we may receive, retrieve or access data required to provide those integrations, such as:
● profile and account identifiers from sign-in providers;
● authorised tokens and related authentication metadata;
● accounting or bookkeeping data made available through connected platforms;
● data imported from document, finance, tax or accounting systems;
● metadata from connected email, file or accounting systems; and
● information required to sync, import, export, reconcile or automate workflows.
Document, transaction and bookkeeping data
Depending on how our services are used, this may include:
● invoices;
● receipts;
● bills;
● transaction records;
● purchase records;
● supplier, customer or payee details;
● tax or bookkeeping records;
● financial references;
● bank transaction-related data where connected or uploaded;
● supporting business documents; and
● the text, images, metadata and extracted fields contained in or derived from those materials.
These documents may include personal data relating to individuals such as sole traders, staff members, customers, suppliers, directors, beneficial owners, contractors or other contacts.
AI input, output and model-improvement data
Where you use AI-assisted or automation features, we may process:
● uploaded documents and extracted text;
● prompts, instructions and user corrections;
● AI-generated or model-generated outputs;
● labels, annotations and reviewer feedback;
● usage patterns and interaction data;
● performance and quality metrics; and
● derived data used to test, validate, monitor, train, tune or improve our AI-assisted features, models and automation systems.
Consolidated and reporting data
We may create reporting, reconciliation, consolidated, benchmarking or analytical views from data processed through the platform. Some of these outputs may still contain personal data, depending on the content and granularity of the output.
5. How we collect personal data
We collect personal data in the following ways:
● directly from you when you contact us, request a demo, create an account, subscribe, upload documents, use our services, provide feedback, or correspond with us;
● automatically through your use of our website or platform, including cookies, logs and analytics technologies;
● from your employer, firm or organisation where they invite you to use the platform or grant you access;
● from accountants, bookkeepers, consolidators or other authorised users acting on behalf of a customer or organisation;
● from identity and authentication providers when you choose single sign-on or connected sign-in;
● from payment providers and accounting or integration partners where needed to provide the service;
● from publicly available business sources where relevant for business verification, onboarding, fraud-prevention or compliance purposes; and
● from customers or authorised users who upload, sync, import, email or otherwise provide documents and data into the platform.
6. How we use personal data and our lawful bases
We only use personal data where we have a valid lawful basis under applicable data protection law.
To provide and operate our services
We use personal data to:
● create and manage accounts;
● authenticate users;
● host and operate the platform;
● ingest, store and organise documents and records;
● perform OCR, extraction, classification, reconciliation and workflow support;
● maintain integrations;
● provide consolidation and reporting functionality; and
● communicate important service information.
Legal basis: contract performance; legitimate interests in operating and delivering our services.
To manage permissions and customer-authorised access
We use personal data to:
● assign user roles;
● apply access permissions;
● enable access for accountants, bookkeepers, consolidators and other authorised users;
● log account activity; and
● help customers administer access and security settings.
Legal basis: contract performance; legitimate interests in secure service administration.
To manage subscriptions and billing
We use personal data to:
● administer subscriptions;
● process invoices and payments;
● manage renewals;
● keep financial records; and
● recover amounts owed.
Legal basis: contract performance; legal obligation where required for tax, accounting or record-keeping; legitimate interests in managing our business and collecting payment.
To provide support and respond to enquiries
We use personal data to:
● respond to enquiries;
● provide onboarding and training;
● investigate support issues;
● review bugs, product issues and user-reported errors; and
● provide service-related communications.
Legal basis: contract performance; legitimate interests in customer support and service quality; legal obligation where applicable.
To secure our systems and prevent fraud or misuse
We use personal data to:
● troubleshoot issues;
● maintain system security;
● detect abuse, misuse, fraud or unauthorised access;
● monitor performance and reliability;
● audit access; and
● investigate incidents and enforce our terms.
Legal basis: legitimate interests in securing our services, customers and users; legal obligation where applicable.
To improve, analyse and develop our products and services
We use personal data to:
● understand how our services are used;
● analyse usage patterns and customer needs;
● test and improve product functionality and user experience;
● develop new features;
● improve data extraction, categorisation, matching and workflow performance; and
● create analytics, benchmarks and service-improvement outputs.
Legal basis: legitimate interests in improving, developing and securing our products and services.
To provide AI-assisted and automation features
We use relevant data inputs to provide AI-assisted extraction, categorisation, matching, summarisation, drafting, workflow support and similar functionality.
This may involve the processing of document content, extracted text, prompts, corrections, annotations, output data and related metadata.
Legal basis: contract performance; legitimate interests in operating and improving AI-assisted features and automation.
To train, tune, validate, test, evaluate, monitor and improve models and automation systems
We may use personal data, including personal data contained in uploaded documents, extracted data, prompts, outputs, user corrections, annotations, feedback and related metadata, to:
● create and maintain training, validation and testing datasets;
● fine-tune or otherwise improve models and AI-assisted features;
● evaluate accuracy, performance, safety, bias, robustness and quality;
● improve automation, extraction, categorisation, summarisation, matching and reporting capabilities; and
● develop new or improved machine-learning, AI-assisted or rules-based functionality.
Where we carry out this processing for Koovo’s own product-development or model-improvement purposes, we generally do so as a controller to the extent required by applicable law.
We may carry out these activities using identifiable, pseudonymised, de-identified or aggregated data, depending on the use case and safeguards applied.
Legal basis: legitimate interests in developing, training, testing, improving and securing our products, models and automation systems; and, where required by law, another lawful basis permitted under applicable data protection law.
To communicate with you about our services
We use personal data to:
● send service updates;
● notify you of changes to our services, policies or terms;
● provide account, billing, security or incident notices; and
● send administrative messages.
Legal basis: contract performance; legitimate interests in operating our business and communicating with users; legal obligation where applicable.
To send marketing communications
Where permitted by law, we may send you updates about our services, features, content or events.
You can opt out of marketing communications at any time by using the unsubscribe mechanism in the message or by contacting us.
Legal basis: consent or legitimate interests, depending on the context, recipient type and applicable law.
To comply with legal and regulatory obligations
We may use personal data where necessary to comply with legal obligations, regulatory requirements, tax rules, anti-fraud or anti-money laundering requirements, law-enforcement requests, court orders, or to establish, exercise or defend legal claims.
Legal basis: legal obligation; legitimate interests in protecting our rights and responding to legal issues.
7. AI-assisted features and human review
Our services may use AI-assisted or automated tools to help process documents and support bookkeeping workflows.
These features are intended to assist users by extracting, classifying, matching, summarising or drafting information. They are not intended, by themselves, to make solely automated decisions about individuals that produce legal or similarly significant effects without appropriate safeguards and human involvement.
Users should review outputs before relying on them for accounting, bookkeeping, tax, compliance or financial purposes.
8. Sharing personal data
We may share personal data with the following categories of recipients where reasonably necessary for the purposes described in this policy:
● hosting, infrastructure and cloud service providers;
● database, storage, backup and disaster recovery providers;
● authentication and identity providers;
● payment and billing providers;
● customer support, communications and analytics providers;
● accounting, tax, bookkeeping and integration partners;
● OCR, document-processing, AI and machine-learning service providers;
● professional advisers, such as lawyers, accountants, auditors and insurers;
● regulators, tax authorities, law-enforcement bodies or courts where required;
● actual or prospective acquirers, investors, lenders or group companies in connection with a corporate transaction, subject to appropriate confidentiality and data protection safeguards; and
● customers, organisations and their authorised users, where data is made available within the platform according to the relevant permissions.
Examples of providers or platforms we may use or connect with include:
● Amazon Web Services (AWS) for hosting, storage, compute, databases, backup and infrastructure;
● OpenAI for document analysis, extraction, categorisation, summarisation and related AI-assisted processing;
● Google / Gemini and related services for OCR, document-processing and related product functionality;
● Microsoft and Google for authentication or identity-related services where enabled;
● Stripe for billing and payment services;
● Xero, Sage, HMRC and other accounting, tax or finance platforms where connected or enabled.
We will only share personal data to the extent reasonably necessary for the relevant purpose.
9. International data transfers
Some of our service providers, subprocessors, partners or affiliates may process personal data outside the UK.
Where we transfer personal data internationally, we take steps to ensure an appropriate level of protection is in place, such as:
● adequacy regulations;
● the UK International Data Transfer Agreement;
● the UK Addendum to the EU Standard Contractual Clauses;
● standard contractual clauses or equivalent safeguards; or
● another lawful transfer mechanism permitted by applicable law.
You can contact us for more information about the safeguards we use.
10. Data retention
We keep personal data only for as long as reasonably necessary for the purposes described in this policy, including to:
● provide the service;
● manage the customer relationship;
● comply with legal, tax, accounting and regulatory obligations;
● resolve disputes;
● enforce agreements;
● maintain appropriate business and security records; and
● develop, test, audit, monitor, improve and secure our products and AI-assisted features.
Retention periods vary depending on the type of data, the nature of the relationship, the purpose of processing, applicable legal requirements, and whether the data is processed by us as controller or processor.
By category, we generally expect to retain data as follows:
● Prospect and enquiry data: for as long as needed to respond and follow up, and usually for up to 24 months after the last meaningful interaction unless a longer period is justified.
● Account, subscription and customer relationship data: for the duration of the account or relationship and usually for up to 6 years afterwards where needed for contractual, legal, tax, audit or dispute purposes.
● Billing, invoice and financial records: for as long as required by applicable tax, accounting and legal obligations, and usually for at least 6 years where relevant.
● Support records and operational correspondence: for the duration of the relationship and usually for up to 6 years afterwards where needed for support, audit, legal or operational reasons.
● Technical, usage, audit and security logs: typically for up to 12 months, or longer where needed for security, incident response, fraud prevention, service reliability or legal issues.
● Customer-uploaded documents, extracted data and workflow records: for the duration of the customer’s use of the service and then in accordance with the customer agreement, customer instructions, backup cycles and applicable legal requirements.
● Model-improvement, training, validation, testing and evaluation data: for as long as reasonably necessary for development, testing, monitoring, auditing, security and product-improvement purposes, subject to data minimisation, proportionality, contractual commitments and legal requirements.
Where we act as a processor, we retain customer data in accordance with our agreement with the customer and their instructions, subject to any legal obligations that require longer retention.
11. Security
We use appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures may include, as appropriate:
● access controls and authentication safeguards;
● encryption in transit and at rest where appropriate;
● logging and audit trails;
● role-based permissions;
● monitoring and alerting;
● vendor due diligence;
● security review processes;
● testing and change controls; and
● incident response procedures.
No system can be completely secure, but we work to maintain safeguards proportionate to the nature of the data we process.
12. Your rights
Depending on your circumstances and applicable law, you may have the right to:
● access your personal data;
● request correction of inaccurate or incomplete data;
● request deletion of your personal data;
● object to certain processing;
● request restriction of processing;
● request transfer of your personal data;
● withdraw consent where processing is based on consent; and
● complain to a supervisory authority.
If you make a rights request, we will respond without undue delay and, in any event, within the timeframe required by applicable law.
If Koovo acts as a processor for the data in question, we may direct your request to the relevant customer or assist them in responding.
13. Cookies and similar technologies
We may use cookies, local storage, pixels, scripts, tags and similar technologies to operate our website and services, remember preferences, understand usage, improve performance, measure communications and support security.
Where required by law, we will request consent before placing or using non-essential cookies or similar technologies. You can manage your preferences through our cookie banner, browser settings or other tools we make available.
Further details may be provided in a separate Cookie Notice or cookie management tool.
14. Third-party services and integrations
Our services may integrate with third-party products and services. If you enable such integrations, personal data may be shared with or received from those third parties in accordance with:
● your settings;
● your instructions;
● your organisation’s permissions;
● the relevant integration workflow; and
● the third party’s own terms and privacy notices.
You are responsible for reviewing the privacy information of third-party services you choose to connect.
15. Children
Our services are intended for business use and are not directed to children. We do not knowingly collect personal data from children.
16. Changes to this policy
We may update this Privacy Policy from time to time.
When we do, we will update the “Last updated” date above. Where required, we will notify users of material changes by appropriate means, such as through the platform, by email, or by other reasonable notice.
17. How to complain
If you have concerns about how we use personal data, please contact us first at Privacy@Koovo.io and we will try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK.
18. Contact us
If you have questions about this Privacy Policy or want to exercise your rights, contact:
Koovo Limited
Shelton House, Shelton, Newark, Nottinghamshire, United Kingdom, NG23 5JQ
Email: Privacy@Koovo.io
Last updated: 30 March 2026
Koovo Limited (“Koovo”, “we”, “us” or “our”) is committed to protecting personal data and handling it responsibly.
This Privacy Policy explains how we collect, use, store, share and otherwise process personal data when you visit our website, request a demo, create an account, use our software, upload or connect documents and data sources, enable integrations, interact with our AI-assisted features, or otherwise engage with us.
This policy is intended for users of our website and software platform, including bookkeeping firms, accountants, finance teams, consolidators, their personnel, prospective customers, and other business contacts. It also applies to personal data contained in documents and records processed through our platform, to the extent we act as a controller for that processing.
1. Who we are
Koovo Limited is a company incorporated in England and Wales.
Company number: 16994171
Registered office: Shelton House, Shelton, Newark, Nottinghamshire, United Kingdom, NG23 5JQ
For privacy-related questions or to exercise your data protection rights, contact us at:
Email: Privacy@Koovo.io
2. Scope of this policy
This policy applies to personal data that we process in connection with:
● our website;
● demo requests, enquiries and marketing interactions;
● user accounts and administration of our platform;@
● authentication and sign-in features;
● billing and account management;
● document upload, import, syncing, OCR, extraction and bookkeeping workflows;
● integrations with third-party platforms and services;
● support, security, fraud prevention, analytics, product improvement and compliance activities; and
● AI-assisted features, model evaluation, model training, automation and related product development activities.
This policy does not apply to third-party websites, products, platforms or services that we do not control, even where they are linked to, accessed through, or integrated with our services.
3. Controller and processor roles
Koovo may act as either a data controller or a data processor, depending on the context and the processing activity.
Where Koovo acts as controller
We act as a controller for personal data we use for our own business purposes, including:
● website visitor data;
● prospect and customer contact details;
● user account and subscription information;
● billing and payment administration;
● support communications;
● security, fraud prevention and service analytics;
● marketing preferences and communications;
● product development, testing, quality assurance and model improvement activities carried out for Koovo’s own purposes; and
● personal data used to train, tune, evaluate, validate, monitor or improve our AI-assisted features, models, automation systems and related product functionality, to the extent we determine the purposes and means of that processing.
Where Koovo acts as processor
Where our customers use our platform to upload, store, process or analyse bookkeeping, accounting, tax, transaction or financial records relating to their own clients, staff, suppliers or customers, Koovo will generally act as a processor on behalf of that customer for the core service activities we perform on their instructions, such as hosting, OCR, extraction, workflow support and storage.
In those cases, the relevant customer is generally responsible for determining the lawful basis and purpose of that processing.
Customer-authorised users, accountants and consolidators
Our platform may permit access by customer-authorised users. Depending on the account configuration and permissions set by the relevant customer or organisation, this may include:
● bookkeeping staff;
● accountants and bookkeepers;
● finance team members;
● administrators;
● reviewers and approvers; and
● users with consolidation, reporting or oversight permissions.
These users may be able to view documents, extracted fields, transaction records, reports, AI- assisted outputs and consolidated information according to the permissions configured for the relevant account.
Where a customer authorises an accountant, adviser, consolidator or other third party to access the platform or data on its behalf, that access is governed by the customer’s permissions, instructions and relationship with that third party.
4. The personal data we collect
We may collect and process the following categories of personal data.
Identity and account data
This may include:
● first name and last name;
● work email address;
● username or login identifier;
● password-related or authentication-related information;
● job title;
● organisation or firm name; and
● account role, permissions and access settings.
Contact data
This may include:
● email address;
● phone number;
● billing contact details; and
● correspondence details.
Customer relationship data
This may include:
● demo requests;
● onboarding information;
● sales notes;
● support requests;
● product feedback;
● training records;
● meeting notes; and
● communications preferences.
Billing and transaction data
This may include:
● subscription information;
● billing address;
● VAT number, where relevant;
● payment status;
● invoices;
● transaction-related records; and
● limited payment-related metadata supplied by our payment provider.
We do not store full card details ourselves.
Technical, usage and security data
This may include:
● IP address;
● browser type and version;
● device information;
● operating system;
● referral source;
● pages viewed;
● actions taken in the product;
● timestamps;
● login, audit and access logs;
● error logs;
● API activity;
● feature usage;
● cookie and similar technology data; and
● other diagnostic, analytics and security data.
Integration and connected-service data
If you connect third-party services to Koovo, we may receive, retrieve or access data required to provide those integrations, such as:
● profile and account identifiers from sign-in providers;
● authorised tokens and related authentication metadata;
● accounting or bookkeeping data made available through connected platforms;
● data imported from document, finance, tax or accounting systems;
● metadata from connected email, file or accounting systems; and
● information required to sync, import, export, reconcile or automate workflows.
Document, transaction and bookkeeping data
Depending on how our services are used, this may include:
● invoices;
● receipts;
● bills;
● transaction records;
● purchase records;
● supplier, customer or payee details;
● tax or bookkeeping records;
● financial references;
● bank transaction-related data where connected or uploaded;
● supporting business documents; and
● the text, images, metadata and extracted fields contained in or derived from those materials.
These documents may include personal data relating to individuals such as sole traders, staff members, customers, suppliers, directors, beneficial owners, contractors or other contacts.
AI input, output and model-improvement data
Where you use AI-assisted or automation features, we may process:
● uploaded documents and extracted text;
● prompts, instructions and user corrections;
● AI-generated or model-generated outputs;
● labels, annotations and reviewer feedback;
● usage patterns and interaction data;
● performance and quality metrics; and
● derived data used to test, validate, monitor, train, tune or improve our AI-assisted features, models and automation systems.
Consolidated and reporting data
We may create reporting, reconciliation, consolidated, benchmarking or analytical views from data processed through the platform. Some of these outputs may still contain personal data, depending on the content and granularity of the output.
5. How we collect personal data
We collect personal data in the following ways:
● directly from you when you contact us, request a demo, create an account, subscribe, upload documents, use our services, provide feedback, or correspond with us;
● automatically through your use of our website or platform, including cookies, logs and analytics technologies;
● from your employer, firm or organisation where they invite you to use the platform or grant you access;
● from accountants, bookkeepers, consolidators or other authorised users acting on behalf of a customer or organisation;
● from identity and authentication providers when you choose single sign-on or connected sign-in;
● from payment providers and accounting or integration partners where needed to provide the service;
● from publicly available business sources where relevant for business verification, onboarding, fraud-prevention or compliance purposes; and
● from customers or authorised users who upload, sync, import, email or otherwise provide documents and data into the platform.
6. How we use personal data and our lawful bases
We only use personal data where we have a valid lawful basis under applicable data protection law.
To provide and operate our services
We use personal data to:
● create and manage accounts;
● authenticate users;
● host and operate the platform;
● ingest, store and organise documents and records;
● perform OCR, extraction, classification, reconciliation and workflow support;
● maintain integrations;
● provide consolidation and reporting functionality; and
● communicate important service information.
Legal basis: contract performance; legitimate interests in operating and delivering our services.
To manage permissions and customer-authorised access
We use personal data to:
● assign user roles;
● apply access permissions;
● enable access for accountants, bookkeepers, consolidators and other authorised users;
● log account activity; and
● help customers administer access and security settings.
Legal basis: contract performance; legitimate interests in secure service administration.
To manage subscriptions and billing
We use personal data to:
● administer subscriptions;
● process invoices and payments;
● manage renewals;
● keep financial records; and
● recover amounts owed.
Legal basis: contract performance; legal obligation where required for tax, accounting or record-keeping; legitimate interests in managing our business and collecting payment.
To provide support and respond to enquiries
We use personal data to:
● respond to enquiries;
● provide onboarding and training;
● investigate support issues;
● review bugs, product issues and user-reported errors; and
● provide service-related communications.
Legal basis: contract performance; legitimate interests in customer support and service quality; legal obligation where applicable.
To secure our systems and prevent fraud or misuse
We use personal data to:
● troubleshoot issues;
● maintain system security;
● detect abuse, misuse, fraud or unauthorised access;
● monitor performance and reliability;
● audit access; and
● investigate incidents and enforce our terms.
Legal basis: legitimate interests in securing our services, customers and users; legal obligation where applicable.
To improve, analyse and develop our products and services
We use personal data to:
● understand how our services are used;
● analyse usage patterns and customer needs;
● test and improve product functionality and user experience;
● develop new features;
● improve data extraction, categorisation, matching and workflow performance; and
● create analytics, benchmarks and service-improvement outputs.
Legal basis: legitimate interests in improving, developing and securing our products and services.
To provide AI-assisted and automation features
We use relevant data inputs to provide AI-assisted extraction, categorisation, matching, summarisation, drafting, workflow support and similar functionality.
This may involve the processing of document content, extracted text, prompts, corrections, annotations, output data and related metadata.
Legal basis: contract performance; legitimate interests in operating and improving AI-assisted features and automation.
To train, tune, validate, test, evaluate, monitor and improve models and automation systems
We may use personal data, including personal data contained in uploaded documents, extracted data, prompts, outputs, user corrections, annotations, feedback and related metadata, to:
● create and maintain training, validation and testing datasets;
● fine-tune or otherwise improve models and AI-assisted features;
● evaluate accuracy, performance, safety, bias, robustness and quality;
● improve automation, extraction, categorisation, summarisation, matching and reporting capabilities; and
● develop new or improved machine-learning, AI-assisted or rules-based functionality.
Where we carry out this processing for Koovo’s own product-development or model-improvement purposes, we generally do so as a controller to the extent required by applicable law.
We may carry out these activities using identifiable, pseudonymised, de-identified or aggregated data, depending on the use case and safeguards applied.
Legal basis: legitimate interests in developing, training, testing, improving and securing our products, models and automation systems; and, where required by law, another lawful basis permitted under applicable data protection law.
To communicate with you about our services
We use personal data to:
● send service updates;
● notify you of changes to our services, policies or terms;
● provide account, billing, security or incident notices; and
● send administrative messages.
Legal basis: contract performance; legitimate interests in operating our business and communicating with users; legal obligation where applicable.
To send marketing communications
Where permitted by law, we may send you updates about our services, features, content or events.
You can opt out of marketing communications at any time by using the unsubscribe mechanism in the message or by contacting us.
Legal basis: consent or legitimate interests, depending on the context, recipient type and applicable law.
To comply with legal and regulatory obligations
We may use personal data where necessary to comply with legal obligations, regulatory requirements, tax rules, anti-fraud or anti-money laundering requirements, law-enforcement requests, court orders, or to establish, exercise or defend legal claims.
Legal basis: legal obligation; legitimate interests in protecting our rights and responding to legal issues.
7. AI-assisted features and human review
Our services may use AI-assisted or automated tools to help process documents and support bookkeeping workflows.
These features are intended to assist users by extracting, classifying, matching, summarising or drafting information. They are not intended, by themselves, to make solely automated decisions about individuals that produce legal or similarly significant effects without appropriate safeguards and human involvement.
Users should review outputs before relying on them for accounting, bookkeeping, tax, compliance or financial purposes.
8. Sharing personal data
We may share personal data with the following categories of recipients where reasonably necessary for the purposes described in this policy:
● hosting, infrastructure and cloud service providers;
● database, storage, backup and disaster recovery providers;
● authentication and identity providers;
● payment and billing providers;
● customer support, communications and analytics providers;
● accounting, tax, bookkeeping and integration partners;
● OCR, document-processing, AI and machine-learning service providers;
● professional advisers, such as lawyers, accountants, auditors and insurers;
● regulators, tax authorities, law-enforcement bodies or courts where required;
● actual or prospective acquirers, investors, lenders or group companies in connection with a corporate transaction, subject to appropriate confidentiality and data protection safeguards; and
● customers, organisations and their authorised users, where data is made available within the platform according to the relevant permissions.
Examples of providers or platforms we may use or connect with include:
● Amazon Web Services (AWS) for hosting, storage, compute, databases, backup and infrastructure;
● OpenAI for document analysis, extraction, categorisation, summarisation and related AI-assisted processing;
● Google / Gemini and related services for OCR, document-processing and related product functionality;
● Microsoft and Google for authentication or identity-related services where enabled;
● Stripe for billing and payment services;
● Xero, Sage, HMRC and other accounting, tax or finance platforms where connected or enabled.
We will only share personal data to the extent reasonably necessary for the relevant purpose.
9. International data transfers
Some of our service providers, subprocessors, partners or affiliates may process personal data outside the UK.
Where we transfer personal data internationally, we take steps to ensure an appropriate level of protection is in place, such as:
● adequacy regulations;
● the UK International Data Transfer Agreement;
● the UK Addendum to the EU Standard Contractual Clauses;
● standard contractual clauses or equivalent safeguards; or
● another lawful transfer mechanism permitted by applicable law.
You can contact us for more information about the safeguards we use.
10. Data retention
We keep personal data only for as long as reasonably necessary for the purposes described in this policy, including to:
● provide the service;
● manage the customer relationship;
● comply with legal, tax, accounting and regulatory obligations;
● resolve disputes;
● enforce agreements;
● maintain appropriate business and security records; and
● develop, test, audit, monitor, improve and secure our products and AI-assisted features.
Retention periods vary depending on the type of data, the nature of the relationship, the purpose of processing, applicable legal requirements, and whether the data is processed by us as controller or processor.
By category, we generally expect to retain data as follows:
● Prospect and enquiry data: for as long as needed to respond and follow up, and usually for up to 24 months after the last meaningful interaction unless a longer period is justified.
● Account, subscription and customer relationship data: for the duration of the account or relationship and usually for up to 6 years afterwards where needed for contractual, legal, tax, audit or dispute purposes.
● Billing, invoice and financial records: for as long as required by applicable tax, accounting and legal obligations, and usually for at least 6 years where relevant.
● Support records and operational correspondence: for the duration of the relationship and usually for up to 6 years afterwards where needed for support, audit, legal or operational reasons.
● Technical, usage, audit and security logs: typically for up to 12 months, or longer where needed for security, incident response, fraud prevention, service reliability or legal issues.
● Customer-uploaded documents, extracted data and workflow records: for the duration of the customer’s use of the service and then in accordance with the customer agreement, customer instructions, backup cycles and applicable legal requirements.
● Model-improvement, training, validation, testing and evaluation data: for as long as reasonably necessary for development, testing, monitoring, auditing, security and product-improvement purposes, subject to data minimisation, proportionality, contractual commitments and legal requirements.
Where we act as a processor, we retain customer data in accordance with our agreement with the customer and their instructions, subject to any legal obligations that require longer retention.
11. Security
We use appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures may include, as appropriate:
● access controls and authentication safeguards;
● encryption in transit and at rest where appropriate;
● logging and audit trails;
● role-based permissions;
● monitoring and alerting;
● vendor due diligence;
● security review processes;
● testing and change controls; and
● incident response procedures.
No system can be completely secure, but we work to maintain safeguards proportionate to the nature of the data we process.
12. Your rights
Depending on your circumstances and applicable law, you may have the right to:
● access your personal data;
● request correction of inaccurate or incomplete data;
● request deletion of your personal data;
● object to certain processing;
● request restriction of processing;
● request transfer of your personal data;
● withdraw consent where processing is based on consent; and
● complain to a supervisory authority.
If you make a rights request, we will respond without undue delay and, in any event, within the timeframe required by applicable law.
If Koovo acts as a processor for the data in question, we may direct your request to the relevant customer or assist them in responding.
13. Cookies and similar technologies
We may use cookies, local storage, pixels, scripts, tags and similar technologies to operate our website and services, remember preferences, understand usage, improve performance, measure communications and support security.
Where required by law, we will request consent before placing or using non-essential cookies or similar technologies. You can manage your preferences through our cookie banner, browser settings or other tools we make available.
Further details may be provided in a separate Cookie Notice or cookie management tool.
14. Third-party services and integrations
Our services may integrate with third-party products and services. If you enable such integrations, personal data may be shared with or received from those third parties in accordance with:
● your settings;
● your instructions;
● your organisation’s permissions;
● the relevant integration workflow; and
● the third party’s own terms and privacy notices.
You are responsible for reviewing the privacy information of third-party services you choose to connect.
15. Children
Our services are intended for business use and are not directed to children. We do not knowingly collect personal data from children.
16. Changes to this policy
We may update this Privacy Policy from time to time.
When we do, we will update the “Last updated” date above. Where required, we will notify users of material changes by appropriate means, such as through the platform, by email, or by other reasonable notice.
17. How to complain
If you have concerns about how we use personal data, please contact us first at Privacy@Koovo.io and we will try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK.
18. Contact us
If you have questions about this Privacy Policy or want to exercise your rights, contact:
Koovo Limited
Shelton House, Shelton, Newark, Nottinghamshire, United Kingdom, NG23 5JQ
Email: Privacy@Koovo.io
Koovo Privacy Policy
Koovo Privacy Policy
