Privacy Policy

Last updated: 1 July 2026

Cratebooks reads your bank transactions so you can sort your business expenses and income for tax. This policy explains what we collect, why, and the control you keep over it. Plain English, no surprises.

The short version. We use read-only bank access, so Cratebooks can see your transactions but can never move your money. Your bank connection is encrypted. We never sell your data or share it for advertising. You can disconnect a bank or delete your account at any time.

1. Who we are

Cratebooks ("we", "us") provides a tool that connects to your bank, categorises your business expenses and income, and exports clean, Making Tax Digital-ready totals. We are the data controller for the personal data described here.

For any privacy question, or to exercise your rights, contact us at privacy@cratebooks.com.

2. What we collect

Account details

Your email address and a securely hashed version of your password. We never store your password in readable form.

Bank transaction data

When you connect a bank through our provider Plaid, we receive read-only transaction information: dates, amounts, merchant and description text, and the name of the account and institution. We use this to detect and categorise your expenses and income. We do not receive your online banking password or login credentials, and we cannot initiate payments or move money.

Decisions you make

The keep, bin and category choices you make in the app, plus any merchant rules you teach it, so your totals stay consistent and improve over time.

Payment details

Subscriptions are handled by Stripe. Stripe processes your card details directly; we never see or store your full card number. We keep a Stripe customer reference and your subscription status so we know your account is active.

Basic technical data

Standard server logs (such as IP address and request time) needed to run the service securely and prevent abuse.

3. How we use your data

We do not use your transaction data for advertising, and we do not sell it to anyone.

4. Legal bases (UK GDPR)

5. Who we share it with

We only share data with the processors needed to run Cratebooks, under contracts that require them to protect it:

We may also disclose data if required by law. If Cratebooks is ever involved in a business transfer, your data would move under the same protections set out here.

6. How we protect it

7. How long we keep it

We keep your account and transaction data for as long as your account is open, so your records stay available across tax periods. When you delete your account we remove your personal data and revoke the bank connection, except where we must retain limited records to meet legal or accounting obligations. You can disconnect any single bank at any time, which removes its stored access token.

8. Your rights

Under UK data protection law you can:

To make a request, email privacy@cratebooks.com. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

Cratebooks uses a single sign-in token to keep you logged in. We do not use advertising or third-party tracking cookies.

10. Where your data is held

Your data is stored on servers operated by our hosting and processing partners. Where data is transferred outside the UK or EEA, it is protected by appropriate safeguards such as UK-approved standard contractual clauses.

11. Children

Cratebooks is a business tool intended for people aged 18 and over. It is not directed at children.

12. Changes to this policy

If we make material changes we will update this page and the "last updated" date, and where appropriate notify you in the app.

13. Contact

Questions about your privacy or this policy? Email privacy@cratebooks.com.