
Data Privacy Statement

At Inflo we are committed to protecting and respecting your privacy in compliance with applicable data protection law. This Data Privacy Statement relates to use of the Inflo Software Platform, including Inflo Link, as well as any interactions with Inflo through our website, email or other communication means. It explains what personal data we collect from you, why we collect it, how we use it, who we share it with, and how we keep it secure. 

INFLO GROUP LIMITED (company number 09912744), whose registered office is at 69 Church Way, North Shields, United Kingdom, NE29 0AE, is the data controller responsible for your personal data. 

Inflo Group Limited (‘Inflo’) has not appointed a Data Protection Officer as we are not required to do so under applicable data protection law. For all data protection queries please contact us at sayhi@inflosoftware.com. 

Inflo’s systems and data processing mechanisms are designed to comply with applicable data protection laws including the Data Protection Act 2018, UK GDPR, EU GDPR, and the California Consumer Privacy Act (CCPA) where applicable. 

 

Why do we collect and use personal data 

Inflo processes data extracted from accounting systems on your behalf as instructed by you within our agreement. We use this input data to calculate KPIs and statistics which are provided to you and your users. This data is also anonymised, aggregated and used to generate benchmarking statistics, for example, to compare profit margins with businesses in the same industry (end clients are able to opt out of benchmarking when they join Inflo if they do not wish their data to be used in this way). Inflo Ingest is designed to extract only general ledger transaction records based on parameters specified by the user. 

Inflo Collaborate also stores files requested from end clients by accounting firms to support accounting procedures. Information shared in this way is specified by the accounting firm. 

Information processed by Inflo Ingest and Inflo Collaborate may include personal data where this has been included by end clients in general ledger transaction records (e.g. transaction descriptions) and files (e.g. payroll records). This data is only used to perform our obligations to you under the contract. For this purpose, Inflo acts as the processor of personal data. You should not transfer personal data to us unless you believe it is absolutely necessary. 

In addition, we may also collect and use personal data for the purposes set out below. The lawful basis we rely on for each purpose is identified alongside it: 

  • Authenticate users on the Inflo platform using cookies and user account information — Lawful basis: Performance of a contract 
  • Respond to feedback, comments and questions received from you in service-related communication and activities, such as webchat sessions, phone calls, documents, and emails — Lawful basis: Legitimate interests (responding to customer enquiries) 
  • Send you information about our company, services, events and activities and perform direct marketing activities where legitimate and mutual interest is established — Lawful basis: Legitimate interests (direct marketing). You can object to us using your data for marketing at any time by contacting us at sayhi@inflosoftware.com

Where we send electronic marketing communications (such as emails or texts), we will ensure we have a separate lawful basis under the Privacy and Electronic Communications Regulations 2003 (PECR). For existing customers, we rely on the soft opt-in where we have collected your contact details in the course of a sale or negotiations for a sale, and we market only our own similar products or services. For all other recipients, we will obtain your prior consent before sending electronic marketing. 

  • Reply to “Contact me” or other web forms you have completed on the Inflo website — Lawful basis: Legitimate interests (responding to enquiries)
  • Perform contractual obligations such as order confirmation, invoicing and similar — Lawful basis: Performance of a contract 
  • Notify you about any disruptions to our services or conduct surveys about your opinion on our services — Lawful basis: Legitimate interests (service improvement and communication) 
  • Process a job application — Lawful basis: Steps taken prior to entering into a contract 

Where we rely on legitimate interests as our lawful basis, we have assessed that our interests are not overridden by your data protection rights and freedoms. You have the right to object to processing based on legitimate interests at any time — see Your Rights below. 

Where we collect special category personal data (for example, health or diversity information), we will do so only with your explicit consent. 

If you choose not to provide personal data that we need to perform a contract with you or to comply with a legal obligation, we may not be able to provide you with the relevant service or fulfil the relevant obligation. We will tell you at the point of collection whether providing the data is mandatory or voluntary and what the consequences of not providing it are. 

 

How do we protect your data 

Inflo has in place strong technical and organizational measures to protect against unauthorized, unlawful or accidental processing, destruction, loss, alteration, disclosure of, or access to personal data. Inflo’s approach to information security has been certified to the International Standard on Information Security Management (ISO 27001). 

Data is stored and processed on Microsoft’s Azure Cloud Platform and Azure Cloud Services which are also certified to ISO 27001, as well as the Code of Practice for Protection of Personally Identifiable Information in Public Clouds (ISO 27018). Microsoft Azure acts as a sub-processor of data in providing these services. 

All client input data is encrypted, whether in transit or at rest, using a combination of Azure’s Storage Service Encryption (SSE) and Hypertext Transfer Protocol over certified Secure Sockets Layer (SSL). A minimum of 256-bit AES is used for encryption at rest and transmission.

Inflo employees processing data are subject to a duty of confidence and we perform data protection risk assessments as required to ensure that all customer data is appropriately protected. 

We will notify the Information Commissioner’s Office (ICO) of any personal data breach within 72 hours of becoming aware of it where it is likely to result in a risk to your rights and freedoms. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay. In any event, we will keep you informed of any breach affecting your personal data and the steps we are taking to address it. 

For full details of Inflo’s information security practices, technical controls, sub-processor list, and certifications (including ISO 27001 and SOC 2), please refer to the Inflo Security Whitepaper, available on request from https://trust.inflo.com/

 

Cookies and Similar Technologies 

Inflo’s website and platform use cookies and similar technologies to operate and improve our services. This section explains how we use them and your choices. 

 

What are cookies? 

A cookie is a small piece of information sent by a web server to store on your browser so it can later be read back. Cookies may collect information including a unique identifier, user preferences, profile information, membership information, and usage statistics. 

 

Essential cookies 

Some cookies are strictly necessary to provide the services you have requested, such as keeping you logged in or completing a transaction. These cookies do not require your consent as they are essential to the functioning of the platform and website. 

 

Non-essential cookies 

We also use non-essential cookies for analytics, advertising personalisation, and measuring the effectiveness of marketing campaigns. These include: 

  • Analytics cookies: to track how users interact with our website and platform, including pages visited and time spent 
  • Advertising and personalisation cookies: to tailor your experience and to track the performance of Inflo advertisements 
  • Third-party cookies: set by our service providers for analytics, email tracking (including embedded pixels), and similar purposes 

We will ask for your consent before setting any non-essential cookies. You can accept, reject, or manage your cookie preferences at any time by clicking the cookie preferences link on our website. Withdrawing consent is as easy as giving it and will not affect the lawfulness of any processing carried out before withdrawal. 

Your browser settings may also allow you to control cookies. However, disabling cookies may affect the functionality of our website and platform. 

For more information about the specific cookies we use, their purposes and durations, please see our Cookie Policy available on our website. 

 

Recording of Telephone Calls and Video Meetings 

We may record telephone calls and video meetings for the following purposes: 

  • Training and quality assurance 
  • Verification of instructions or agreed actions 
  • Responding to queries or complaints 
  • Improving our products, services and customer experience 

Where we intend to record a call or video meeting, we will inform you at the start of the session. You may decline to be recorded, in which case the call or meeting will proceed without recording. 

Recordings are retained only for as long as necessary for the purposes described above. Access to recordings is restricted to those with a legitimate business need. 

Where recording is facilitated by a third-party platform (such as Gong), that provider acts as a sub-processor of your personal data and is subject to appropriate data processing agreements. 

The lawful basis for recording is our legitimate interests in training, quality assurance, and accurate record-keeping, balanced against your right to privacy. You have the right to object to this processing — please see Your Rights below. 

 

Where do we store your data 

All data and files are processed, replicated and backed up in Microsoft Azure’s secure data centres which are located within the following locations: 

  • Americas – Toronto (Primary) / Quebec City (Backup)
  • Asia-Pacific – New South Wales (Primary) / Victoria (Backup) 
  • Europe, Middle East & Africa – Ireland (Primary) / Netherlands (Backup) 
  • United States – Washington (Primary) / Wyoming (Backup) 

All data and files are held and stored in compliance with local data protection directives, laws and regulations within these regions. 

Where we transfer your personal data outside of the UK or EEA, we ensure that appropriate transfer safeguards are in place, including: 

  • For transfers to the United States: the UK Extension to the EU-US Data Privacy Framework, where the recipient is certified under that framework (including Microsoft Azure); or the ICO’s International Data Transfer Agreement (IDTA) where they are not 
  • For transfers to other third countries: the IDTA or the UK Addendum to the EU Standard Contractual Clauses, together with a Transfer Risk Assessment where required 

In addition, we may obtain your consent to international transfers as part of our agreement with you at the point of onboarding. 

You may withdraw your consent to international transfers at any time by contacting us at sayhi@inflosoftware.com, although please note that withdrawal may affect our ability to provide the services to you. We will inform you of the applicable safeguards on request. 

 

How long do we keep your personal data 

We store personal data for as long as necessary to fulfil the purpose for which the personal data was collected, while considering the need to answer your queries or resolve possible problems, to comply with legal requirements under applicable laws, to attend to any legal claims/complaints, and for safeguarding purposes. 

Retention periods vary depending on the type of data: 

  • Data supporting the audit opinion and stored in Inflo Workpapers is retained for seven years for Limitation Act purposes 
  • Other platform data (data not included in Workpapers or your firm’s audit documentation) is deleted 180 days after the relevant engagement is archived by default, with a minimum of 28 days enforced to prevent accidental deletion. You control when this data is deleted in accordance with your firm’s information security policies 
  • Recordings of calls and meetings are retained only for as long as necessary for the purposes described in this notice.  

When personal data is no longer required, we will delete it in a secure manner to ensure it cannot be reconstructed or read. Any request for copies of data following the archiving of an Inflo room will require access to archive storage facilities and may result in a charge. 

 

What rights do you have 

Data subjects have the following rights with respect to personal information: 

  • The right to request a copy of the personal information that Inflo holds about you,
  • The right to request that Inflo correct your personal information if it is inaccurate or out of date, 
  • The right to request that your personal information is deleted when it is no longer necessary for us to retain such data, 
  • The right to withdraw any consent to personal information processing at any time. For example, your consent to receive e-marketing communications, 
  • The right to request that Inflo provide you with your personal information in a portable and commonly used format for transfer to another party, 
  • The right to request a restriction on further data processing, in case there is a dispute in relation to the accuracy or processing of your personal information, and 
  • The right to object to processing based on legitimate interests or for direct marketing purposes, see further below.

Right to object: You have the right to object at any time to the processing of your personal data where we rely on legitimate interests as our lawful basis. You also have the right to object to the processing of your personal data for direct marketing purposes at any time, including profiling to the extent it relates to direct marketing. Where you object to direct marketing, we will stop processing your data for that purpose immediately. Where you object to processing based on legitimate interests, we will stop unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or where the processing is necessary for the establishment, exercise or defence of legal claims.

If you wish to make a request to exercise any of these rights, please submit it to sayhi@inflosoftware.com. We will respond within one month of receipt. Where a request is complex or we have received a number of requests, we may extend this period by a further two months and will notify you accordingly.

 

Automated Decision-Making 

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing, including profiling, without human involvement. 

Where we use automated tools to assist with elements of our service (such as analytics or platform usage analysis), these are used only to support, and not to replace, human decision-making. If we introduce any new automated decision-making processes that have a significant effect on you, we will update this notice and inform you accordingly. You have the right to request human review of any automated decision, to express your point of view, and to contest the outcome. To exercise this right, please contact us at sayhi@inflosoftware.com. 

 

Do we share your data with anyone 

We do not share, sell, rent, or trade your information with any third parties without your consent, except in the following cases. 

To confirm eligibility to access services and benefits: 

Where additional services and benefits are offered to members of professional bodies, affiliations or other organizations as part of member partnership schemes, we will share your membership information with these organizations to confirm eligibility. We may also use this information to provide management information to these organizations on the performance of membership schemes.

If required by law: we will disclose your personal data if required by law and/or to comply with a judicial proceeding, court order or legal process. However, we will do what we can to ensure that your privacy rights continue to be protected.

To protect our rights: we will disclose your personal data if we reasonably believe that disclosure is necessary to protect our rights and/or that of our affiliates, you or others. This includes the health and safety of employees and visitors, physical and online operations, property, intellectual rights, and privacy.

In using sub-contractors: Inflo uses Microsoft Azure – a recognized, industry-leading hosting provider – to process accounting data and files within hosted systems and databases on our behalf as a sub-processor. We are responsible for making sure they commit themselves to adhere to our data privacy policy and applicable data protection legislation. Inflo retains full control of this data.

We also use third-party service providers (processors) to store and process data for which Inflo acts as a controller. These include providers of the following categories of services:

  • CRM and marketing platform services (including website visitor tracking and marketing communications) 
  • Statistical analysis and analytics services 
  • Email delivery and campaign management services 
  • Event management services 
  • Auditing services 
  • Payment processing services 

A full list of our third-party processors is available on request by contacting us at sayhi@inflosoftware.com. 

All third-party processors are prohibited from using your personal data except for the purposes for which it was shared, and they are required to maintain the confidentiality of your information under terms consistent with this Policy. 

 

Changes to this privacy statement 

Inflo reserves the right to amend this Privacy Statement at any time. The applicable version will always be found on our website. We encourage you to check this Privacy Statement occasionally to ensure that you are happy with any changes. 

 

Who can I complain to? 

Inflo is registered with the Information Commissioner’s Office (ICO) in the UK. ICO registration number: ZA210621. Website: www.ico.org.uk 

If you have a concern about how we handle your personal data, we encourage you to contact us first at sayhi@inflosoftware.com so we can try to resolve it. If you remain dissatisfied, you have the right to lodge a complaint with the ICO at any time. 
