CustomerCompass
Product Pricing Docs What's new Demo
Login / Register

Privacy Policy

Jurisdiction: UK GDPR / Data Protection Act 2018 · Effective 2026-08-01 · v1.0

1. Who we are

Customer Compass is a proactive revenue-and-risk decision agent for service businesses that use Xero. The service is operated by Digital Tactics Ltd, a company registered in England and Wales at 5 Boundary Road, Hove, East Sussex, BN3 4EH.

Digital Tactics Ltd is the data controller for the information you share with us through customercompass.ai, its subdomains and the Customer Compass application. Our ICO registration number is Z2807798. You can verify this on the ICO public register.

For any privacy question you can contact our Data Protection Officer, Christopher Dean, at chris@digitaltactics.co.uk. For general support the M365-hosted inbox is support@customercompass.ai.

2. What personal data we collect

We keep the data we collect to the minimum needed to run the service. In practice that means:

  • Account data — your email address, hashed password (Cognito manages the hash, we never see it in the clear), and optional TOTP MFA seed. If you sign in with Google or Microsoft we receive the email address associated with that provider only.
  • Profile preferences — your preferred locale, your Terms of Service acceptance timestamp, and your telemetry-consent choice.
  • Billing data — Stripe processes card data on their own systems; we never see or store card numbers. From Stripe we retain your Customer ID, the last four digits of the card for receipt display, billing address, and invoice history.
  • Xero connection data — an OAuth 2.0 access token and refresh token per Xero organisation you connect, stored encrypted (see Section 10 and the Security Statement).
  • Xero business data we read on your behalf — contacts, invoices, payments, credit notes, quotes, bank transactions, bills and items for the connected organisation. We do not read employee or payroll personal data.
  • Scan output — the deterministic insights and drafted actions produced by each scan. These sit in your own per-user prefix in our S3 bucket.
  • Audit and diagnostic logs — sign-in events, Xero connect / disconnect events, scan runs, action approvals and billing changes. Retained for 12 months.
  • Anonymised telemetry (opt-in only) — event counts and enum-only metadata. Never contains client identifiers, invoice numbers or free text. Section 9 explains the design.

We do not collect special-category data. We do not attempt to profile individuals inside your client base.

3. Legal basis for processing

Under UK GDPR every processing purpose has to be justified against one of the six lawful bases. We publish ours so you can hold us to it:

  • Providing the service you asked for — contract (Art. 6(1)(b)). Runs your scans, drafts your actions, presents your results.
  • Billing and fraud prevention — contract and legal obligation (Art. 6(1)(b), (c)). Stripe processes payments; we retain invoice records for HMRC compliance.
  • Authentication and account security — legitimate interests (Art. 6(1)(f)) balanced against your interests. Includes the HaveIBeenPwned breach check on sign-up and sign-in.
  • Audit logging — legal obligation and legitimate interests (Art. 6(1)(c), (f)). Required for Xero App Marketplace certification and for investigating incidents.
  • Anonymised product telemetry — consent (Art. 6(1)(a)). Off by default; opt-in at sign-up and revocable at any time from /uk/account/privacy.
  • Sending transactional email (verification, receipts, security notices) — contract (Art. 6(1)(b)).
  • Sending optional marketing email — consent (Art. 6(1)(a)). Separate opt-in; unsubscribe in every message.

Because our AI features draft the wording around numbers we have computed deterministically, we do not carry out solely automated decision-making with legal or similarly significant effect (UK GDPR Art. 22). Every action is presented as a draft for you to approve.

4. How long we keep your data

We keep data only as long as we need it. The main retention windows are:

  • Account and profile data — for the life of your account, then deleted within 30 days of account closure.
  • Xero tokens — until you disconnect the organisation or close your account, then destroyed immediately.
  • Scan blobs (S3) — for the life of your account, unless you purge them from /uk/account/scans. Purged blobs are removed within 24 hours.
  • Audit log — 12 months rolling.
  • Anonymised telemetry — 24 months from event date, then automatically expired via DynamoDB TTL.
  • Billing records — six years from the end of the tax year, in line with HMRC record-keeping rules.
  • Support correspondence — 24 months from last contact.
  • Stripe event ledger — seven days rolling (dedupe window).

Backups have their own life cycle: encrypted DynamoDB point-in-time backups are retained for 35 days and then expire.

5. Sub-processors

We use the following sub-processors. We have written data-processing terms with each of them and we review the list at least annually. The full list — with region, purpose, and category of data — is below.

  • Amazon Web Services (AWS) — infrastructure hosting in the London region (eu-west-2). Processes all customer data. Sub-processor list at aws.amazon.com/compliance/sub-processors.
  • Anthropic — large-language model provider used to draft the wording of insights and actions. Data sent is limited to insight metadata (signal type, deterministic numbers, contact aliases) — never full invoices, personal names, or bank information.
  • OpenAI — fallback LLM used when the primary provider is unavailable. Same restricted payload shape as Anthropic.
  • Stripe Payments UK Ltd — payment processing. Receives your email address, billing address, card details and purchase history. Card data never touches our systems.
  • Xero Ltd — the accounting platform you connect. Xero is a joint controller for the accounting data you have chosen to share with us, not a downstream sub-processor.
  • Amazon SES (part of AWS) — transactional email delivery.
  • Microsoft 365 — inbound support email hosting for support@customercompass.ai.
  • Google LLC (Google Analytics 4) — anonymised event metadata only, UK-region data setting enabled, IP anonymisation on, off by default (opt-in via cookie banner, Consent Mode v2).

We do not sell personal data. We do not share your Xero data with third parties for their own purposes.

6. International data transfers

Your Customer Compass data is hosted in the AWS London region (eu-west-2). Some sub-processors are outside the UK and EEA:

  • Anthropic, OpenAI, Stripe, Google, Microsoft — headquartered in the United States. Transfers are covered by the UK's addendum to the EU Standard Contractual Clauses (UK IDTA / Addendum) and, where applicable, by the sub-processor's Data Privacy Framework certification.

Before enabling any new sub-processor we run a transfer impact assessment. If the assessment concludes we cannot achieve an essentially equivalent level of protection, we do not enable the sub-processor. The current transfer impact assessments are held internally and available on request to chris@digitaltactics.co.uk.

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify data that is inaccurate or incomplete.
  • Erase your data (subject to legal retention rules such as HMRC billing records).
  • Restrict processing while you contest accuracy or object to a legitimate-interests basis.
  • Object to processing based on legitimate interests, and to any direct marketing.
  • Data portability — receive your data in a structured, machine-readable format.
  • Withdraw consent for anything you consented to (marketing, telemetry) without affecting past processing.

You can exercise these rights in-app: sign in, then /uk/account/privacy for consent choices, /uk/account/scans for data export and purge, and /uk/account/delete for full account closure. You can also email chris@digitaltactics.co.uk. We aim to respond within 30 days; we may extend by two further months for complex requests as UK GDPR permits, and we will tell you if we do.

You can complain to the UK Information Commissioner's Office at any time — see Section 11.

8. Cookie Policy

We keep our cookie use to the strict minimum. Every cookie we set is listed here. When new cookies are introduced this list is updated before they are deployed.

CookiePurposeCategoryLifetimePECR consent?
cc_locale Remembers your locale choice so you land on the right marketing site (e.g. /uk). First-party. Value is an IETF language tag such as en-GB. Essential 1 year No — strictly necessary for the service you asked for.
Cognito session cookies (CognitoIdentityServiceProvider.*) Keeps you signed in to the application. HttpOnly, Secure, SameSite=Lax, scoped to .customercompass.ai. Essential Access token 60 minutes, refresh token 30 days No — strictly necessary for authentication.
cc-consent Records your PECR / GDPR consent choices so the banner does not reappear on every visit. Essential 6 months No — required to remember your consent.
_ga, _ga_* (Google Analytics 4) Anonymised event metadata. UK-region data setting enabled, IP anonymisation on, no cross-site tracking. Analytics Up to 24 months Yes — opt-in via the cookie banner (Consent Mode v2). Off by default.

We do not use advertising cookies, cross-site tracking pixels, or session-replay tools. If we ever add one we will update this table and re-prompt for consent.

You can change your cookie choices at any time from the "Cookie settings" link in the site footer.

9. Anonymised telemetry

If you opt in at sign-up, we record enum-only event counts to understand which parts of the product are useful. The event schema is public:

  • Event type — enum, e.g. scan_completed, action_approved.
  • Event timestamp.
  • Session hash — SHA-256 of (cognito_sub + a rotating daily salt). The salt is destroyed after 24 hours, so sessions are irreversibly de-linked from the user after one day.
  • Country code — two-letter ISO code, derived from your IP at request time; the IP itself is not stored.
  • Signal type — for scan events, the enum name of the signal that fired.
  • Event metadata — enum values only. No free text. No client identifiers. No invoice or contact data.

Telemetry sits in DynamoDB with a 24-month TTL and append-only IAM. It cannot be joined back to your Xero data or your identity after the session-hash salt rotates. You can opt out at any time from /uk/account/privacy; opting out stops future collection immediately, and existing rows are aged out by TTL.

10. Data security

The full Security Statement is at /uk/security. Highlights:

  • All traffic in transit uses TLS 1.2 or better.
  • DynamoDB and S3 are encrypted at rest with a customer-managed AWS KMS key.
  • Xero access tokens are additionally encrypted with your Cognito user ID as the KMS encryption context, so tokens cannot be decrypted for the wrong user even by an operator with broad access.
  • Passwords are hashed by Cognito; we enforce a minimum-8-character policy with mixed case, digits and symbols, plus a HaveIBeenPwned breach check on sign-up and sign-in.
  • Email verification is enforced before you can sign in.
  • Optional TOTP MFA is available; SMS MFA is deliberately not offered (SIM-swap risk).

11. Complaints and the ICO

If you have a concern about how we handle your data, please contact our DPO first at chris@digitaltactics.co.uk so we can try to put it right.

You can also complain to the UK Information Commissioner's Office at any time:

  • Website: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Our current ICO registration is Z2807798. You can look it up on the ICO public register.

12. Changes to this policy

We may update this Privacy Policy from time to time. The Effective date at the top of the page is the date of the current version. For material changes — for example a new sub-processor or a new lawful basis — we will notify you by email and, where applicable, ask for renewed consent before the change takes effect.

Previous versions are archived and available on request.

13. Contact

Data Protection Officer: Christopher Dean — chris@digitaltactics.co.uk.

Support inbox: support@customercompass.ai. Initial response within two business days.

Post: Digital Tactics Ltd, 5 Boundary Road, Hove, East Sussex, BN3 4EH, United Kingdom.

Data controller. Digital Tactics Ltd, ICO registration Z2807798, registered at 5 Boundary Road, Hove, East Sussex, BN3 4EH, United Kingdom.

ICO Registration Z2807798.

DPO: chris@digitaltactics.co.uk. Support: support@customercompass.ai.

Related:
  • Privacy Policy
  • Terms of Service
  • Security Statement

Customer Compass

Digital Tactics Ltd, 5 Boundary Road, Hove, East Sussex, BN3 4EH.

support@customercompass.ai

Product

  • Pricing
  • Demo
  • Docs
  • What's new

Company

  • Privacy
  • Terms
  • Security
  • Support

Language / locale

© 2026 Digital Tactics Ltd. All rights reserved.