Privacy Policy
Cratebooks reads your bank transactions so you can sort your business expenses and income for tax. This policy explains what we collect, why, and the control you keep over it. Plain English, no surprises.
The short version. We use read-only bank access, so Cratebooks can see your transactions but can never move your money. Your bank connection is encrypted. We never sell your data or share it for advertising. You can disconnect a bank or delete your account at any time.
1. Who we are
Cratebooks ("we", "us") provides a tool that connects to your bank, categorises your business expenses and income, and exports clean, Making Tax Digital ready totals. We are the data controller for the personal data described here.
For any privacy question, or to exercise your rights, contact us at privacy@cratebooks.com.
2. What we collect
Account details
Your email address and a securely hashed version of your password. We never store your password in readable form.
Bank transaction data
When you connect a bank through our provider Plaid, we receive read-only transaction information: dates, amounts, merchant and description text, and the name of the account and institution. We use this to detect and categorise your expenses and income. We do not receive your online banking password or login credentials, and we cannot initiate payments or move money.
Decisions you make
The keep, bin and category choices you make in the app, plus any merchant rules you teach it, so your totals stay consistent and improve over time.
Payment details
Subscriptions are handled by Stripe. Stripe processes your card details directly; we never see or store your full card number. We keep a Stripe customer reference and your subscription status so we know your account is active.
Basic technical data
Standard server logs (such as IP address and request time) needed to run the service securely and prevent abuse.
3. How we use your data
- To categorise your transactions and produce your expense, income and tax-quarter totals.
- To provide, secure and support your account.
- To take payment for your subscription.
- To protect the service (for example, rate-limiting sign-ins to prevent abuse).
We do not use your transaction data for advertising, and we do not sell it to anyone.
4. Legal bases (UK GDPR)
- Contract: to deliver the service you signed up for, including running your data through our categorisation engine and taking payment.
- Consent: you explicitly connect each bank account through Plaid, and you can withdraw that consent at any time by disconnecting it.
- Legitimate interests: keeping the service secure and preventing fraud and abuse.
5. Who we share it with
We only share data with the processors needed to run Cratebooks, under contracts that require them to protect it:
- Open banking Plaid connects to your bank on a read-only basis. See the Plaid End User Privacy Policy.
- Payments Stripe processes subscription payments. See the Stripe Privacy Policy.
- Hosting Our cloud hosting and database provider stores your data so the service can run.
We may also disclose data if required by law. If Cratebooks is ever involved in a business transfer, your data would move under the same protections set out here.
6. How we protect it
- Your bank access token is encrypted at rest (Fernet / AES).
- Passwords are stored only as bcrypt hashes.
- Traffic is served over HTTPS.
- Access to your data requires your login, and accounts are isolated from one another.
7. How long we keep it
We keep your account and transaction data for as long as your account is open, so your records stay available across tax periods. When you delete your account we remove your personal data and revoke the bank connection, except where we must retain limited records to meet legal or accounting obligations. You can disconnect any single bank at any time, which removes its stored access token.
8. Your rights
Under UK data protection law you can:
- Access the personal data we hold about you.
- Correct data that is wrong.
- Delete your account and data.
- Export your data (the app's CSV export gives you your transactions and totals).
- Withdraw your consent to a bank connection by disconnecting it.
- Object to or restrict certain processing.
To make a request, email privacy@cratebooks.com. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies
Cratebooks uses a single sign-in token to keep you logged in. We do not use advertising or third-party tracking cookies.
10. Where your data is held
Your data is stored on servers operated by our hosting and processing partners. Where data is transferred outside the UK or EEA, it is protected by appropriate safeguards such as UK-approved standard contractual clauses.
11. Children
Cratebooks is a business tool intended for people aged 18 and over. It is not directed at children.
12. Changes to this policy
If we make material changes we will update this page and the "last updated" date, and where appropriate notify you in the app.
13. Contact
Questions about your privacy or this policy? Email privacy@cratebooks.com.