Privacy Policy
1. Introduction
- 1.1Maxware Ltd, a company registered in England and Wales ("Maxware", "Company", "we", "us", "our"), provides MAX, an AI-native practice management platform for UK accounting practices, comprising a web application, an Individual/Client Portal, WhatsApp/e-mail based communications, and the Max AI assistant (together, the "Services").
- 1.2We are committed to protecting the privacy and security of personal data belonging to our Clients, their staff, their Individuals (clients and leads of the accounting practice), and visitors to our website. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights available to you.
- 1.3We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
- 1.4This policy applies to all users of the Services: accounting practice staff (e.g. Client Managers, Processing Team), Individuals accessing the Portal or communicating via WhatsApp, and visitors to our website.
- 1.5Maxware Ltd acts as a data controller for its own purposes — including the operation of our website, account administration, and the KYC/AML records we are required to keep in our own right — and as a data processor on behalf of the accounting practice (the "Client") for the client and individual data processed through the platform in the course of the Client's engagement with its own customers. Where we act as a processor, our processing is governed additionally by a Data Processing Agreement (DPA) entered into with the Client.
2. Definitions
3. Principles of Data Protection
We adhere to the following principles in all our data processing activities:
- •Lawfulness, fairness and transparency — data is processed lawfully, fairly, and transparently.
- •Purpose limitation — data is collected for specified, explicit, and legitimate purposes.
- •Data minimisation — we collect only what is necessary for the stated purpose.
- •Accuracy — we take reasonable steps to keep data accurate and up to date.
- •Storage limitation — data is retained only as long as necessary (see Section 9).
- •Integrity and confidentiality — data is processed securely, with appropriate technical and organisational measures (see Section 10).
- •Accountability — we maintain records of processing activities and can demonstrate compliance.
4. Personal Data We Collect
4.1 Website visitors
IP address, device and browser type, pages viewed, and referral source. Website and Portal usage analytics are provided by Vercel using a privacy-friendly, cookieless method: the data is aggregated, does not rely on analytics cookies or persistent identifiers, and is not used to track you across websites (see Section 12).
4.2 Client staff (Client Managers, Processing Team)
Name, work email address, job title, phone number, login credentials, and platform activity logs.
4.3 Individuals (via Portal and WhatsApp)
Identity information: full name, date of birth, address, and identification documents (e.g. passport, driving licence) submitted for KYC/AML verification via our Didit integration.
Contact information: mobile number (for WhatsApp), email address.
Financial and business information: business name, Companies House details, bank transaction data, invoices, receipts, and other documents uploaded to the digital cashbook or document library.
Communications: messages exchanged with Max via WhatsApp or the Portal, including message content and metadata (timestamps, delivery status).
Payment information processed via AdFin and GoCardless for billing and direct debit purposes. Maxware does not directly store full card or bank account credentials; these are held by the relevant payment processor under its own security standards (e.g. PCI-DSS).4.4 Special category data
Identification documents submitted for KYC/AML purposes may incidentally reveal special category data (for example, information from which racial or ethnic origin could be inferred). We process such data only to the extent necessary to comply with our legal obligations under UK anti-money laundering law, and we do not use it for any other purpose. Our lawful basis is Article 6(1)(c) UK GDPR (legal obligation); where the information is special category data, we additionally rely on Article 9(2)(g) (substantial public interest), meeting the condition in paragraph 12 (regulatory requirements relating to unlawful acts and dishonesty) of Schedule 1, Part 2 to the Data Protection Act 2018. As required for that condition, we maintain an Appropriate Policy Document explaining how we comply with the data protection principles and setting out our retention arrangements for this data.
4.5 Bookkeeping and ledger data
Bookkeeping and ledger data entered into the Services consists largely of transaction-level financial records that typically do not identify a natural person, and which are governed by our Terms and Conditions and by the Client's engagement with its own customers. Where such records do identify or relate to an identifiable natural person (for example, a sole trader's bank statement or a named payee), that information is personal data and is protected in accordance with this policy and applicable data protection law.
4.6 Source of the data
We collect most information about Individuals from the Client (the accounting practice) rather than from the Individual directly, and we obtain some information from third parties such as Companies House, our KYC/AML provider, and our payment providers. Where we have not obtained personal data directly from the Individual, this Section, together with Sections 4 and 7, explains what data we hold and the sources it comes from, as required by Article 14 UK GDPR.
4.7 Providing your information
Providing identity documents and related KYC/AML information is both a legal and a contractual requirement. If an Individual does not provide it, the Client will be unable to complete the identity verification required by law and, as a result, may be unable to onboard or continue to act for that Individual.
5. How We Use Personal Data, and Our Legal Basis
| Purpose | Example | Legal basis |
|---|---|---|
| Providing the Services | Account provisioning, RBAC permissions, workflow management | Contractual necessity |
| KYC / AML verification | Identity checks via Didit | Legal obligation |
| Client and Individual communication | WhatsApp messages via Max, Portal notifications | Contractual necessity |
| Billing and payment collection | Invoicing via AdFin, direct debits via GoCardless | Contractual necessity |
| AI-assisted processing | Transaction coding, document extraction, automated drafting of routine replies | Legitimate interests |
| Security and fraud prevention | Login monitoring, anomaly detection | Legitimate interests |
| Legal and regulatory compliance | Responding to HMRC, Companies House, or law enforcement requests | Legal obligation |
| Product improvement | Aggregated, de-identified usage analytics | Legitimate interests |
| Marketing communications | Product updates, newsletters | Consent |
Where processing relies on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may object to such processing at any time (see Section 11).
6. Automated Processing and AI
- 6.1The Services use AI, including the Max assistant, to carry out tasks such as coding bank transactions, extracting data from uploaded invoices and documents, matching entries to ledger accounts, and drafting or sending routine WhatsApp responses to Individuals.
- 6.2Some outputs of the Services could produce legal effects concerning an Individual or otherwise similarly significantly affect them (for example, an automated decision to suspend Portal access due to payment arrears, as described in our Terms and Conditions). Where such a decision is based solely on automated processing, the Individual has the right to obtain human intervention, to express their point of view, and to contest the decision. A request for human review may be made as described in Section 11 and will be considered by a member of the Client's or Maxware's staff with authority to review the decision.
- 6.3The AI models that power Max are provided by our third-party AI sub-processors — currently Anthropic (Claude), OpenAI, and Google (Gemini) (see Section 7.2). Financial documents, KYC data, and message content processed by Max are transmitted to that provider's systems solely to generate the outputs described in Section 6.1. Under our agreement with the provider, this data is processed only to provide the service to us, is not used to train or improve the provider's models, and is retained by the provider only for the limited period necessary to deliver the service. We do not use special category data to train or fine-tune any AI models.
- 6.4Data protection impact assessments. Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals — including our large-scale processing of identification documents and KYC/AML data, and AI-assisted decisioning — we carry out a Data Protection Impact Assessment before that processing begins, in accordance with Article 35 UK GDPR.
7. Information Sharing and Disclosure
- 7.1We do not sell or rent personal data to third parties.
- 7.2We share personal data with the following categories of recipient, strictly as necessary to provide the Services:
- •The Client — the accounting practice itself, which is the primary recipient of Individual data processed through the platform.
- Sub-processors and integration partners, including:
- •Xero — ledger posting, bank feed reconciliation
- •Yapily — open banking and bank-feed connectivity
- •AdFin — firm billing automation
- •GoCardless — direct debit collection
- •Didit — KYC/AML identity verification
- •WhatsApp (Meta Platforms, Inc.) — client/individual messaging
- •Companies House — business registration lookups
- •Microsoft — email communication infrastructure
- •Anthropic (Claude), OpenAI, and Google (Gemini) — large language model processing that powers Max's transaction coding, document data extraction, and drafting of WhatsApp and Portal replies
- •Cloud hosting and infrastructure providers supporting the Services
- •Vercel Web Analytics — website and Portal usage analytics (provided as part of our platform hosting)
- •Legal and regulatory authorities, where disclosure is necessary to comply with a legal obligation, prevent fraud, or protect the rights and safety of Maxware, our Clients, or others.
- •Professional advisers (e.g. auditors, insurers, legal counsel), where necessary.
- 7.3All sub-processors are bound by contractual obligations requiring them to protect personal data to a standard consistent with UK GDPR, and to process data only on our documented instructions.
- 7.4WhatsApp messaging is provided via Meta's Business Platform. Message content and limited metadata are processed by Meta in accordance with WhatsApp's own Business Data Policy, in addition to this policy. We recommend Individuals review WhatsApp's terms before engaging with Max via that channel.
- 7.5Changes to our sub-processors. We maintain an up-to-date list of the sub-processors used to deliver the Services. Where we act as a processor for a Client, we will give the Client advance notice of any intended addition or replacement of a sub-processor and a reasonable opportunity to object, in accordance with our Data Processing Agreement with that Client. If a Client raises a reasonable objection that we are unable to resolve, the Client may terminate the affected Services as set out in the DPA.
8. International Data Transfers
- 8.1Some of our sub-processors, including WhatsApp (Meta) and certain cloud infrastructure providers, may process data outside the UK, including in the United States.
- 8.2Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:
- •The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- •Adequacy regulations recognising the destination country as providing an adequate level of protection; or
- •Other safeguards recognised under UK GDPR.
- 8.3International access by Processing Teams. A Client may operate, or outsource to, a Processing Team whose staff access Personal Data within the Services from outside the United Kingdom, including from countries (such as India) that are not covered by a UK adequacy decision. Where such access involves a restricted transfer of Personal Data, appropriate safeguards are put in place in accordance with Section 8.2 and Article 46 of the UK GDPR, together with a transfer risk assessment where required.
The Client is responsible, as controller, for any international access or transfer arising from its own Processing Team, outsourced staff, or contractors; Maxware is responsible for the safeguards applying to any international access or transfer that it carries out, controls, or enables as part of providing the Services.
Access by a Processing Team, whether from within or outside the United Kingdom, is subject to the same security and access-control measures described in Section 10, governed by role-based access controls configured by the Client. The Client remains responsible for ensuring those permissions are appropriate, proportionate, kept up to date, and limited to individuals who require access for authorised business purposes.
9. Data Retention
- 9.1We retain personal data only for as long as necessary for the purposes set out in this policy, including to satisfy legal, accounting, tax, or regulatory requirements.
- 9.2Indicative retention periods:
- •KYC/AML records: retained for a minimum of 5 years from the end of the business relationship, in line with the Money Laundering Regulations 2017, unless a longer period is required or permitted by law.
- •Lead data (not converted to active client): reviewed and deleted or anonymised within 12 months of the lead becoming inactive, unless a longer period is required for legal reasons.
- •Client and Individual account data: retained for the duration of the engagement with the Client, plus a period afterward to meet accounting and tax record-keeping obligations. This will typically be up to 6 years after the end of the relevant relationship, engagement, accounting period, or tax period, unless a longer period is required or permitted by law.
- •WhatsApp, email, and other communication logs: retained for as long as necessary for Client service, audit, quality assurance, dispute-resolution, and record-keeping purposes. Routine communication logs are typically retained for no longer than 24 months unless they relate to an active matter, accounting or tax records, AML/KYC records, a complaint, a dispute, or another legal or regulatory requirement.
- •Website analytics data (Vercel Web Analytics): our website analytics are cookieless. The per-visitor session hash used to count unique visitors is automatically discarded within 24 hours, and only aggregated, non-identifying statistics are retained thereafter, for the period set by our Vercel Web Analytics plan configuration. This processing relies on our legitimate interests rather than consent.
- 9.3On termination of the Client's agreement with Maxware, data is handled in accordance with clause 15.4 of our Terms and Conditions.
10. Security
- 10.1We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction, including:
- •Encryption of personal data in transit and at rest;
- •Role-based access controls restricting data access to authorised personnel according to platform permissions;
- •Multi-factor authentication for all accounts (including staff and portal);
- •Regular security audits and vulnerability assessments;
- •Segregation of Client data to prevent cross-Client access;
- •Logging and monitoring of access to sensitive records, including identity verification data.
- 10.2Where Maxware acts as a controller (as described in Section 1.5) and becomes aware of a personal data breach likely to result in a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, and will notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms. Where Maxware acts as a processor on behalf of a Client, we will notify the affected Client without undue delay after becoming aware of a breach and will assist the Client in meeting its own notification obligations; in that case the Client, as controller, is responsible for deciding whether to notify the ICO and affected Individuals.
11. Your Rights
Subject to applicable exemptions, you have the right to:
- •Access - request a copy of the personal data we hold about you.
- •Rectification - request correction of inaccurate or incomplete data.
- •Erasure - request deletion of your personal data, subject to our legal and regulatory retention obligations (see Section 9).
- •Restriction - request that we limit the processing of your data in certain circumstances.
- •Data portability - request your data in a structured, commonly used, machine-readable format.
- •Object - object to processing based on legitimate interests or for direct marketing purposes.
- •Withdraw consent - withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
- •Not be subject to solely automated decision-making producing legal or similarly significant effects, without human review being available (see Section 6.2).
Where you are an Individual linked to a Client, some of these rights may need to be exercised via the Client (as data controller for that relationship) rather than directly with Maxware, depending on the nature of the request. We will direct you accordingly.
To exercise any of these rights, contact us at nyal@usemax.ai. We will respond within one month of receiving your request, as required by UK GDPR. Where a request is complex or we receive a number of requests from you, we may extend this period by up to two further months; if we do, we will inform you within one month of your request and explain why.
Right to complain: If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
12. Cookies
- 12.1Our website and Portal use cookies and similar technologies to distinguish you from other users and remember your preferences. We analyse how the Services are used through Vercel's cookieless analytics, which does not rely on cookies or persistent identifiers.
- 12.2We use the following categories of cookies:
- •Strictly necessary - required for the Services to function (e.g. session authentication). These cannot be disabled.
- •Functional - remember preferences and settings.
- •Analytics - we use Vercel's cookieless, privacy-friendly analytics, which collect only aggregated usage data and do not set cookies or track you across websites; there is therefore no analytics cookie to disable.
- 12.3You can control or disable non-essential cookies through your browser settings or via our cookie consent tool.
13. Children's Data
- 13.1The Services are intended for use by business professionals and adult individuals in connection with accounting and business administration. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly.
14. Changes to This Policy
- 14.1We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the Services themselves. The "Last updated" date at the top of this document will be revised accordingly.
- 14.2Where changes are material - for example, a new category of data collected, a new purpose of processing, or a new category of recipient - we will notify Clients and, where appropriate, Individuals via email or in-platform notification, in addition to posting the update on our website.
15. Contact Us
Maxware Ltd (company number 16177711)
Registered office: 10 Harmer Street, Gravesend, DA12 2AX
Email: nyal@usemax.ai
ICO Registration Number: ZC190506