Privacy Policy

1. Who We Are

Distil (operated by Haisem Ltd) provides an AI-powered document processing and accounting platform for UK accounting practices, sole traders, and small businesses. Users upload invoices, receipts, and bank statements; our service extracts structured financial data and makes it available for review, export, and submission to accounting software such as Xero and QuickBooks Online. Additional features include sales invoicing, MTD VAT and ITSA submissions to HMRC, profit & loss reporting, cash flow forecasting, balance sheet views, and mileage tracking.

Data controller: Haisem Ltd (trading as Distil)
Contact: info@haisem.co.uk

2. The Practice and Team Model

Distil is designed for accounting practices and sole traders. A practice is the top-level entity representing your firm or sole-trader account. A subscription belongs to a practice, not to an individual user. Multiple team members (accountants, managers, and staff) can be invited to share the same practice account, each with their own login credentials.

All documents, extracted data, and activity logs are owned at the practice level. Every team member within a practice can view the same data. The practice owner retains responsibility for managing team access and ensuring that invited members are authorised to handle the documents held in the account.

Distil also supports client upload links: a practice can generate a shareable, token-based URL and send it to their own clients (end clients of the accounting firm). Those end clients can upload documents directly via that link without creating a Distil account. Their uploaded documents are stored under the practice’s data and subject to the same retention and security controls described in this policy.

3. What Data We Collect

3.1 Account and practice data

• Email address and password (managed via Supabase Auth)
• Practice name
• Role within the practice (owner or member)
• Subscription and billing information (managed via Stripe; we do not store payment card details)
• Invitation records for pending team members

3.2 Uploaded documents and sales invoices

• The original document files (PDF, JPEG, PNG) — invoices, receipts, and bank statements
• AI-extracted data: supplier name, invoice number, date, due date, amounts (net, VAT, total), VAT codes, currency, nominal codes, document type, and transaction-level bank statement data
• Sales invoice data: client/customer names, addresses, invoice line items, amounts, payment status, and payment dates
• File metadata: file name, file size, upload timestamp, processing status
• Client name or label associated with the document (as entered by the accountant)

3.3 Tax and HMRC submission data

• National Insurance Number (NINO), UTR, and HMRC business ID — used for ITSA submissions
• VAT registration number — used for MTD VAT returns
• HMRC OAuth tokens (encrypted at rest using AES-256-GCM)
• Submitted return data: period, amounts, status, and HMRC acknowledgement references

3.4 Mileage data

• Journey descriptions (start/end locations as text, no GPS tracking)
• Distances (miles), dates, and vehicle type (car, motorcycle, bicycle)
• Calculated HMRC simplified expense amounts

3.5 Integration data

• Xero and QuickBooks Online OAuth 2.0 access tokens and refresh tokens, encrypted at rest using AES-256-GCM
• Connected organisation or company names from those integrations

3.6 Usage and technical data

• Number of documents and pages processed each month (for quota enforcement)
• Upload timestamps and processing durations
• IP address, browser type, and device information (collected by our authentication and analytics services)
• Security audit logs: login events, document downloads, rate-limit violations, team membership changes

3.7 Data uploaded by end clients via upload links

When an end client of an accounting practice uploads a document using a shared link, we collect the uploaded file and its metadata. The end client does not need to create an account, and no email address or personal profile is collected from them. Their documents are associated with the practice’s account.

4. How We Use Your Data

• Document processing: We pass uploaded documents to AWS Textract for optical character recognition and to OpenAI for structured data extraction. This is the core service you have contracted us to provide.
• Data storage and retrieval: Processed documents and extracted data are stored so that you can review, correct, export, and submit them to accounting software.
• Integration publishing: With your authorisation, we use stored OAuth tokens to publish bills and attach documents to your connected Xero or QuickBooks Online organisation.
• Tax submissions: With your authorisation, we submit VAT returns and ITSA quarterly updates to HMRC via their MTD APIs. We store your NINO and HMRC credentials securely for this purpose.
• Sales invoicing: We store invoice data you create so you can manage, track payments, and include revenue in your P&L and VAT returns.
• Mileage tracking: We store journey records you enter so you can claim HMRC-approved mileage expenses and include them in reporting.
• Billing and subscription management: We use Stripe to process payments and manage subscriptions.
• Quota enforcement: We track monthly page counts to enforce your plan limits.
• Security and compliance: We maintain audit logs to detect abuse, investigate incidents, and meet regulatory obligations.
• Service improvement and error monitoring: Anonymised error reports and usage analytics help us fix bugs and improve the product.
• Communications: We may send you transactional emails (e.g. subscription receipts, team invitations) and occasional product updates. You can unsubscribe from marketing emails at any time.

5. Legal Basis for Processing

• Contract performance (Article 6(1)(b)): Processing your documents and providing the service you have subscribed to.
• Legal obligation (Article 6(1)(c)): Retaining financial records in line with HMRC requirements (up to 6 years).
• Legitimate interests (Article 6(1)(f)): Security monitoring, fraud prevention, error tracking, and service analytics.
• Consent (Article 6(1)(a)): Optional marketing communications, where you have opted in.

6. Data Retention

When you close your account or request data deletion, we will delete your account profile, team data, and integration tokens promptly. Original document files and extracted data subject to HMRC retention obligations will be securely deleted once the applicable retention period expires.

7. Third-Party Services

We use the following third-party services to operate the platform. Each processes data only to the extent necessary to provide their function.

We do not sell your data to any third party. We do not share personal data with advertisers.

8. Data Storage and Security

All data is stored in UK data centres. We apply the following security measures:

• All data in transit is encrypted using TLS 1.2 or higher
• Documents at rest are encrypted using AES-256 (AWS S3 server-side encryption)
• Integration tokens (Xero, QuickBooks) are encrypted using AES-256-GCM before storage
• Access to document files uses time-limited signed URLs; direct file access is not publicly available
• All state-changing API requests are protected by CSRF tokens
• Role-based access control: practice data is only accessible to authenticated members of that practice
• Row-level security enforced at database level for all data tables
• Security audit logs record all sensitive operations

Despite these measures, no internet-based service can guarantee complete security. If you believe your account has been compromised, please contact us immediately at info@haisem.co.uk.

9. Cookies

We use the following types of cookies:

• Strictly necessary cookies: Session and authentication cookies set by Supabase Auth. These are required for you to log in and use the platform. They cannot be disabled.
• Analytics cookies: PostHog may set cookies to track usage patterns on the platform and public-facing pages. These do not contain personal financial data.

We do not use advertising, tracking, or profiling cookies. We do not participate in ad networks.

10. International Data Transfers

We aim to process and store data in the UK wherever possible. However, some third-party services we rely on (including OpenAI, Stripe, and PostHog) may process data outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or equivalent mechanisms, as required by UK GDPR Article 46.

AWS Textract processing runs within UK/EU AWS regions. Supabase and our primary S3 document storage are in UK data centres.

11. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct inaccurate or incomplete data.
• Right to erasure: You can ask us to delete your data. Note that documents subject to HMRC retention requirements (up to 6 years) may not be deletable before the retention period expires.
• Right to restriction: You can ask us to restrict processing of your data in certain circumstances.
• Right to data portability: You can request an export of your extracted data in a machine-readable format (CSV export is available directly from the dashboard).
• Right to object: You can object to processing based on legitimate interests (e.g. analytics).
• Rights related to automated decision-making: Our AI extraction is used to assist human review, not to make decisions with legal or significant effects. You can correct any extracted field before exporting or publishing.

To exercise any of these rights, email us at info@haisem.co.uk. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

12. Practice Owner Responsibilities

Where accounting practices use Distil to process documents on behalf of their own clients, the practice acts as a data processor in relation to that client data. The accounting firm (practice owner) is responsible for:

• Ensuring they have a lawful basis to upload their clients’ financial documents
• Informing their own clients that their documents will be processed by Distil using AI services
• Managing team member access appropriately (inviting only authorised staff)
• Revoking access for team members who leave the practice
• Complying with their own obligations under UK GDPR as a data controller in respect of their clients’ personal data

13. Children’s Privacy

Distil is a professional accounting tool intended for use by businesses and their authorised staff. It is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at info@haisem.co.uk and we will delete it promptly.

14. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of the service after notification constitutes acceptance of the revised policy.

15. Contact Us

For any questions about this privacy policy, to exercise your data rights, or to report a privacy concern, please contact us:

Email: info@haisem.co.uk

We aim to respond to all privacy enquiries within 5 working days and will resolve requests within 30 days as required by UK GDPR.