Privacy Policy

1. Who we are

Fortium ("we", "us", "our") is a practice management platform for UK accountancy firms. We act as a data processor on behalf of the accountancy firms ("Organisations") that use our platform, and as a data controller for information we collect directly from visitors to this website and from Organisation administrators during registration.

2. Information we collect

2.1 Organisation and staff data

When an Organisation registers, we collect: firm name, business address, email address, phone number, and details of the registering user (name, email, job title). Staff members invited to the platform provide their name, email address, phone number, and job title.

2.2 Client and contact data

Organisations store their own client records on the platform, which may include: client name, business type, company number, addresses, tax dates, contact details (name, email, phone, date of birth, nationality), and any information entered into custom fields. We process this data on behalf of the Organisation.

2.3 Documents and files

Organisations and their clients upload documents to the platform. These are stored in encrypted object storage. We do not access the content of uploaded documents except as necessary to provide the service (for example, AI-powered document categorisation when enabled by the Organisation).

2.4 Financial data

The platform stores invoice records, payment history, time records, and billing information created by Organisations. Payment processing for subscriptions is handled by third-party payment processors; we do not store full payment card details.

2.5 Communications

Messages sent through the in-app messaging system, emails synced from connected email accounts (Microsoft 365, Gmail), and WhatsApp messages sent through the platform are stored to provide the communication features.

2.6 Website visitors

When you visit this website or submit the register interest form, we collect: your name, email address, company name, and standard web server logs (IP address, browser type, pages visited).

2.7 Electronic signatures

When a proposal or document is signed electronically, we capture and store the signature image, signer name, IP address, and timestamp to create a verifiable signing certificate.

3. How we use your information

We use the information we collect to:

• Provide, maintain, and improve the Fortium platform
• Process data on behalf of Organisations as their data processor
• Authenticate users and maintain account security (staff and portal)
• Send transactional communications (verification codes, notifications, invoice emails)
• Facilitate integrations with third-party services when connected by the Organisation
• Provide AI-powered features (document categorisation, practice insights) when enabled
• Generate audit logs for compliance and accountability
• Respond to enquiries submitted through this website
• Detect, prevent, and address technical issues and security threats

4. Legal basis for processing

Under the UK General Data Protection Regulation (UK GDPR), we process personal data on the following bases:

• Contract performance: Processing necessary to provide the platform to Organisations and their users.
• Legitimate interests: Improving our service, maintaining security, and preventing fraud.
• Consent: Where you have opted in to receive communications or submitted a register interest form.
• Legal obligation: Where we are required to retain or disclose data to comply with applicable law.

5. Data retention

We retain Organisation data for the duration of the subscription and for a reasonable period afterwards to allow for reactivation or data export. Organisations can request deletion of their data at any time.

Where Organisations use the platform to store records subject to HMRC retention requirements, they are responsible for configuring appropriate retention periods. The platform supports the standard 6-year HMRC retention period and provides tools for Organisations to manage data lifecycle.

Audit logs are retained for the lifetime of the Organisation account to support regulatory compliance and accountability.

6. Data sharing and third parties

We do not sell personal data. We share data only in the following circumstances:

• Infrastructure providers: We use sub-processors for hosting, database management, object storage, email delivery, and caching. All sub-processors are bound by data processing agreements.
• Organisation-connected integrations: When an Organisation connects a third-party service (Xero, Microsoft 365, Gmail, WhatsApp, HMRC), data is exchanged with that service as directed by the Organisation. We verify webhook authenticity using HMAC-SHA256 signatures.
• Companies House: Company search queries are sent to the UK Companies House public API. No personal data is transmitted in these requests.
• Legal requirements: We may disclose data where required by law, regulation, or valid legal process.

7. Data security

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption of sensitive data at rest (AES-256-GCM)
• Encryption of data in transit (TLS) for all connections
• Authentication via secure JWT tokens with httpOnly cookies
• Separation of staff and portal authentication with distinct token issuers
• Organisation-scoped data isolation (multi-tenant architecture)
• Rate limiting on authentication and sensitive endpoints
• Input validation and HTML sanitisation to prevent injection attacks
• Comprehensive audit logging of all data mutations

8. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your data where there is no compelling reason for continued processing.
• Restriction: Request that we limit how we use your data.
• Portability: Request your data in a structured, commonly used, machine-readable format.
• Objection: Object to processing based on legitimate interests.

If your data is held on behalf of an Organisation (as their client or contact), please direct your request to that Organisation in the first instance. The Organisation can use our platform's built-in GDPR data export tools to fulfil subject access requests.

For data we control directly (website visitors, Organisation administrators), contact us using the details in section 12.

9. Client portal users

Portal accounts are created by Organisations for their clients. Portal users can access documents, upload files to document requests, view invoices, sign proposals and documents, send messages, and complete compliance questionnaires. Portal data access is scoped to the individual client record — portal users cannot see other clients' data.

Portal user credentials and access are managed by the Organisation. If you have questions about your portal account, contact your accountancy firm directly.

10. AI features

Fortium includes optional AI-powered features such as document categorisation and practice insights. These features process Organisation data locally and are enabled at the Organisation's discretion. AI usage is logged per user and subject to rate limits. Organisations can disable AI features entirely in their settings.

11. Changes to this policy

We may update this privacy policy from time to time. We will notify registered Organisations of material changes via email. The "last updated" date at the top of this page indicates when this policy was last revised.

12. Contact us

If you have questions about this privacy policy or wish to exercise your data protection rights, contact us at:

Email: privacy@fortium.software

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.