Last reviewed date: March 2026
1. Introduction
1.1 FigsFlow (collectively “FigsFlow”, “we”, “us”, or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you visit our website at www.figsflow.com (the “Website”), use our software platform (the “Platform”), or otherwise interact with us.
1.2 FigsFlow provides Proposal, Pricing, Engagement Letter, and Anti-Money Laundering (AML) software solutions specifically designed for accounting professionals. In doing so, we handle personal data relating to our clients, their end-clients, website visitors, and prospective users.
1.3 This Privacy Policy is issued in accordance with:
a. the UK General Data Protection Regulation (UK GDPR);
b. the Data Protection Act 2018 (DPA 2018);
c. the Privacy and Electronic Communications Regulations 2003 (PECR); and
d. any other applicable UK data protection legislation.
1.4 Please read this Privacy Policy carefully. By using our website or Platform, you acknowledge that you have read and understood its contents. If you do not agree with any part of this Privacy Policy, you should cease using the Website and our services.
2. Who We Are
2.1 FigsFlow is the Data Controller in respect of personal data processed through the Website and Platform, except where we act as a Data Processor on behalf of our accountancy firm clients (see Section 10 for further information on our role as a Data Processor).
2.2 If you have any questions regarding this Privacy Policy or wish to exercise any of your data protection rights, contact our Data Protection Officer (DPO), Jony Mainaly, at jony@ukpa.co.uk, or contact our team directly using the contact details provided in Section 14. We aim to respond to all valid data rights requests within one calendar month.
3. Data We Collect
3.1 What Personal Data We Collect
The personal data we collect about you depends on how you interact with us. Below is an overview of the categories of information we may hold.
3.2 Information you give us directly
3.2.1 When you register for an account, request a demo, contact our support team, or otherwise engage with FigsFlow, you may provide us with details such as your name, job title, and professional qualifications (for example, ACA, ACCA, or CTA). We also collect contact information including your email address, telephone number, and business postal address, along with account credentials and any preferences or settings you configure on the Platform.
3.2.2 If your firm uses our AML module, you may submit client due diligence information, including names, addresses, dates of birth, and identity verification outcomes, as part of your Anti-Money Laundering obligations. This data is processed by FigsFlow on your firm’s behalf (refer to Section 10 for further details on our role as a Data Processor in this context).
3.2.3 For billing purposes, we collect your business address and VAT number. Payment card details are handled directly by our PCI-DSS-compliant payment processor and are never stored on FigsFlow’s systems.
3.3 Information we collect automatically
When you visit our website or use the Platform, we automatically collect certain technical information about your device and browsing activity. This includes your IP address, browser type and version, operating system, time zone settings, and browser plug-in types. We also gather usage data such as the pages you visit, features you access, session duration, clickstream data, and the URL that referred you to us to help us understand how our services are being used and where we can improve them. Cookies and similar tracking technologies also contribute to this data collection; please refer to our Cookies Policy.
3.4 Information we receive from third parties
FigsFlow may receive information about you or your firm from trusted third parties where this is relevant to the services we provide. For example, we may reference publicly available information from Companies House in relation to accountancy firms and their directors. Where our AML module is in use, we receive identity verification results from specialist third-party screening providers. Our payment processor may share transaction confirmation and fraud-screening signals with us, and our analytics partners may provide aggregated, anonymised insights about Website performance.
3.5 Special category data
FigsFlow does not knowingly collect or process special category personal data, such as information about health, racial or ethnic origin, political opinions, religious beliefs, or biometric identifiers, through the Website or Platform. If you believe that special category data has been submitted to us in error, please contact us immediately using the details provided in Section 14 so that we can take appropriate steps.
4. Why We Use Your Data
4.1 UK GDPR requires us to have a clear legal reason known as a “lawful basis” for every way in which we use your personal data. We do not collect or process your information simply because it might be useful; we only do so where we have a genuine and legitimate purpose, and where the law permits it.
4.2 The main reasons we use your data are to provide and improve our Platform, to fulfil our contractual obligations to you, to comply with legal requirements (particularly around Anti-Money Laundering), and to run our business effectively and securely. In more detail:
a. Delivering our services to you: when you sign up for FigsFlow and use the Platform to create proposals, set pricing, issue engagement letters, or carry out AML due diligence, we process your data because it is necessary to perform the contract we have with you. Without it, we simply could not provide the service.
b. Taking payment and preventing fraud: we process billing information to fulfil our contractual obligations and, where required, to comply with financial regulations. Our payment processor also uses certain data to detect and prevent fraudulent transactions.
c. Meeting our AML legal obligations: where our Platform is used to conduct client due diligence on behalf of accountancy firms, we are required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 to process certain personal data. This is a strict legal obligation, not a choice.
d. Keeping you informed about your account: we send transactional communications such as invoices, system alerts, and important Platform updates as part of our contract with you. These are not marketing; they are necessary for the service to function properly.
e. Marketing our products and services: we will only contact you with news, product updates, or promotional material where you have given us your consent to do so, or where we are permitted to do so under the “soft opt-in” provisions of the Privacy and Electronic Communications Regulations 2003 (PECR) because you are an existing client and the communication relates to similar services. You can opt out at any time.
f. Responding to your enquiries and supporting you: when you contact our support team or send us a question, we process your information to respond to you. We do this based on our legitimate interest in providing a well-functioning customer experience.
g. Improving and securing the Platform: we analyse how the Website and Platform are used to identify areas for improvement and to detect security threats or fraudulent activity. We do this based on our legitimate interests in maintaining a reliable, secure, and competitive service.
h. Enforcing our terms and protecting our rights: where necessary, we may use personal data to enforce our Terms of Service or defend ourselves in legal proceedings. Again, this is based on our legitimate interests and, where applicable, our legal obligations.
4.3 Legitimate Interests
Where we rely on “Legitimate Interests” as our legal ground for processing, we have carried out a formal assessment to satisfy ourselves that our interests are proportionate and do not override your rights and freedoms. You have the right to object to this type of processing at any time. Please see Section 8 for details on how to do so.
4.4 Consent
Where we ask for your consent, for example before sending marketing emails or placing non-essential cookies on your device, you are always free to withdraw that consent at any time. Doing so will not affect the lawfulness of anything we did before you withdrew it. To withdraw your consent, simply contact us using the details provided in Section 14 or click the unsubscribe link in any marketing communication we have sent you.
5. Who We Share Your Personal Data With
We do not sell your personal data to any third party, and we never will. There are, however, limited circumstances in which we need to share your information with others to deliver our services, meet our legal obligations, or protect our legitimate interests. In every case, we only share what is necessary and we put appropriate safeguards in place before doing so.
5.1 Our service providers and technology partners
5.1.1 Like most software businesses, FigsFlow relies on a carefully selected range of third-party service providers to operate the Platform and deliver our services to you. These include cloud infrastructure providers who host and store data on our behalf, payment processors who handle billing and fraud prevention, and identity verification and AML screening providers who support our compliance-related features. We also work with email delivery platforms such as Microsoft, customer support and helpdesk software, analytics and performance monitoring tools, and CRM systems, including HubSpot, that help us manage our client relationships effectively.
5.1.2 Every one of these providers is bound by a contract that prohibits them from using your personal data for any purpose other than delivering the service we have engaged them for. They must process your data strictly on our written instructions and in full compliance with applicable data protection law.
5.2 Professional advisers and regulatory bodies
We may be required to disclose information to regulatory authorities such as the Information Commissioner’s Office (ICO), HM Revenue & Customs (HMRC), law enforcement agencies, or courts, where we are under a legal obligation to do so or where disclosure is necessary to protect our legal rights or the rights of others. In such cases, we share only the minimum information required and, where possible, seek to give you advance notice.
6. International Data Transfers
6.1 Personal data collected within the UK and the European Economic Area (EEA) benefits from a high standard of legal protection. Not every country in the world offers the same level of safeguards, however, and it is important that you understand how we handle your data when it moves across borders.
6.2 FigsFlow’s Platform primarily hosts and operates within the UK. There are circumstances, however, where we may transfer your personal data outside the UK: for example, where we engage cloud infrastructure providers, software tools, or other service providers whose systems are in other countries. In such cases, your personal data may be transferred to countries that do not have a formal adequacy determination from the UK Secretary of State under Section 17A of the Data Protection Act 2018.
6.3 Wherever your personal data is transferred outside the UK or EEA, we take appropriate steps to ensure that it receives a level of protection that is consistent with UK data protection law.
7. Data Retention
7.1 We retain personal data only for as long as necessary to fulfil the purposes for which it has been collected.
7.2 Pursuant to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), FigsFlow will retain data for a period of five years from the end of the business relationship. This is a legal obligation, and we are unable to delete such data earlier upon request.
7.3 At the end of the applicable retention periods, personal data will be securely deleted or anonymised in accordance with our Data Retention Policy.
8. Your Rights
8.1 As a data subject, you have the following rights in relation to your personal data under the UK GDPR and DPA 2018. Please note that these rights are not absolute and are subject to certain conditions and exemptions:
a. Right of Access (Article 15 UK GDPR): You have the right to obtain confirmation of whether we process your personal data and to request a copy of the personal data we hold about you (Subject Access Request or SAR). We will respond within one calendar month, which may be extended by a further two months in complex cases.
b. Right to Rectification (Article 16 UK GDPR): You have the right to request correction of any inaccurate or incomplete personal data we hold about you. We will action rectification requests without undue delay.
c. Right to Erasure (Article 17 UK GDPR): You have the right to request deletion of your personal data in certain circumstances, including where: the data is no longer necessary for the purpose for which it was collected; you have withdrawn your consent; or you have exercised your right to object. This right does not apply where we are required to retain data by law (e.g. AML obligations under the Money Laundering Regulations 2017).
d. Right to Restriction of Processing (Article 18 UK GDPR): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while a rectification request is being resolved or an objection is being considered.
e. Right to Data Portability (Article 20 UK GDPR): Where processing is based on your consent or the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
f. Right to Object (Article 21 UK GDPR): You have the right to object at any time to processing of your personal data where we rely on Legitimate Interests as our lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is for the establishment, exercise, or defence of legal claims. You have an absolute right to object to direct marketing.
g. Rights in Relation to Automated Decision-Making and Profiling (Article 22 UK GDPR): You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects. FigsFlow does not currently make such decisions. If this changes, we will update this Privacy Policy and put appropriate safeguards in place.
h. Right to Withdraw Consent (Article 7 UK GDPR): Where we rely on your consent as our lawful basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal. To withdraw consent, please contact us using the details provided in Section 14 or use the unsubscribe link in any marketing communication.
8.2 How to Exercise Your Rights
To exercise any of the above rights, please submit a request in writing using the details provided in Section 14. We will verify your identity before acting on your request. We will respond within one calendar month of receipt. If we are unable to comply, we will explain why.
8.3 Right to Lodge a Complaint (Article 77 UK GDPR)
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office (ICO).
We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us using the details provided in Section 14.
9. Cookies Policy
9.1 FigsFlow uses cookies and similar tracking technologies to operate and improve its Website and Platform. These include:
a. Strictly necessary cookies that are essential for core functions such as secure login, session management, and AML verification workflows.
b. Performance cookies (such as Google Analytics) that help us understand how users interact with our services.
c. Functional cookies that remember your preferences and firm settings.
d. Where applicable, advertising or marketing cookies from third parties such as Google Ads and Meta to support our advertising campaigns.
9.2 No personally identifiable client data or AML compliance records are ever stored in cookies; all such information is held securely within the Platform. You can manage your cookie preferences at any time through the cookie consent banner on our Website or through your browser settings, though disabling certain cookies may affect Platform functionality. For full details, please refer to our Cookies Policy.
10. FigsFlow as a Data Processor
10.1 FigsFlow plays two distinct roles under data protection law, and it is important to be transparent about both.
10.2 When you visit our website or enter into a direct relationship with us as a client, FigsFlow acts as a Data Controller, meaning we determine how and why your personal data is processed, and we are responsible for it. However, when accountancy firms use our Platform to manage their own client relationships, issue engagement letters, build proposals, set pricing, or carry out Anti-Money Laundering and Know Your Client due diligence, FigsFlow acts as a Data Processor on their behalf. In this capacity, we are acting on the instructions of the accountancy firm, not for our own purposes.
10.3 Where FigsFlow acts as a Data Processor, the accountancy firm using our Platform is the Data Controller and retains full responsibility for determining why and how that data is used. Our role is to process it securely, competently, and strictly in accordance with their instructions.
10.4 FigsFlow takes its obligations seriously when it comes to supporting the accountancy firms we work with. If one of their end-clients submits a data subject request, for example asking to see the data held about them or requesting its deletion, we will assist the accountancy firm in responding to that request promptly and in accordance with applicable law. Similarly, if we become aware of a personal data breach affecting data processed on a firm’s behalf, we will notify them without undue delay so that they can take appropriate action and meet their own reporting obligations.
10.5 If you are an individual whose personal data has been entered into the FigsFlow Platform by an accountancy firm, your primary point of contact for data protection matters is that firm, not FigsFlow. We recommend referring to the privacy policy of the accountancy firm you work with, as they are the Data Controller in relation to that data.
11. Data Security
11.1 Protecting the personal data entrusted to us is something we take seriously at every level of our business, from the infrastructure we build on, to the way our teams are trained, to the processes we follow when something goes wrong.
11.2 We have put in place a range of technical and organisational measures designed to protect your personal data against unauthorised access, accidental loss, unlawful alteration, inadvertent disclosure, or destruction. Data transmitted between your device and our Platform is encrypted in transit, and data stored on our systems is encrypted at rest. Access to personal data is strictly controlled on a need-to-know basis, with role-based permissions ensuring that individuals can only access the information necessary for their specific responsibilities. Multi-factor authentication is required for access to both the Platform and our internal administrative systems, adding a further layer of protection against unauthorised entry.
11.3 We conduct regular security testing and vulnerability assessments to identify and address weaknesses before they can be exploited. Our teams also receive ongoing training in data protection and information security, because we recognise that good security is as much about people and process as it is about technology.
11.4 We also maintain a formal internal incident response and breach notification procedure. In the unlikely event that a personal data breach occurs that is likely to pose a risk to your rights and freedoms, we will report it to the Information Commissioner’s Office within 72 hours of becoming aware of it, as required by Article 33 UK GDPR. Where a breach is considered likely to result in a high risk to you personally, for example where it could lead to identity theft, financial loss, or significant distress, we will also contact you directly without undue delay and provide clear guidance on the steps you may wish to take to protect yourself.
12. Children’s Privacy
Our Website and Platform are intended for use by business professionals and are not directed at children under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us using the details provided in Section 14 and we will take steps to delete such data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will post the updated Privacy Policy on our Website with a revised ‘Last Reviewed’ date at the top of this document.
Your continued use of the Website or Platform after any changes have been posted constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Website and contact us to close your account.
14. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our Data Protection practices, please contact us:
Email: info@figsflow.com
Telephone: +44 20 4591 1950
Address: 809 Salisbury House, 29 Finsbury Circus, London, EC2M 7AQ
