Last updated: April 2026
Version 1.0
1. Data Controller
SIMA PMS is a practice management platform operated by SIMA Technologies Ltd, a subsidiary of Ascendant Group Holdings Ltd, registered in England and Wales.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:
SIMA Technologies Ltd
Part of Ascendant Group Holdings Ltd
Data Protection Officer:
info@simaglobal.co
2. Data We Collect
In accordance with GDPR Articles 13 and 14, we inform you that we collect and process the following categories of personal data:
2.1 Data you provide directly
- Identity data: Full name, job title, company name
- Contact data: Email address, telephone number, business address
- Financial data: Bank account details, VAT registration number, company registration number, invoices, payment records
- Tax data: HMRC MTD submissions, VAT returns, Self Assessment data, Corporation Tax returns
- KYC/AML data: Identity verification documents, proof of address, beneficial ownership information
2.2 Data collected automatically
- Usage data: Pages visited, features used, session duration, timestamps
- Device data: Browser type, operating system, screen resolution (via Sentry error tracking)
- Authentication tokens: HMRC OAuth tokens, Xero integration tokens (encrypted at rest)
2.3 Legal basis for processing
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the SIMA PMS platform | Performance of contract (Art. 6(1)(b)) |
| HMRC MTD submissions | Legal obligation (Art. 6(1)(c)) |
| KYC/AML compliance | Legal obligation (Art. 6(1)(c)) |
| Error tracking and debugging | Legitimate interest (Art. 6(1)(f)) |
| Service notifications | Legitimate interest (Art. 6(1)(f)) |
| AI-powered financial analysis | Consent / Performance of contract |
3. How We Use Your Data
- Operate the SIMA PMS platform and provide accounting practice management services
- Submit VAT returns, Self Assessments, and Corporation Tax returns to HMRC on your behalf
- Generate financial reports, invoices, and client analytics
- Process payments via Stripe for subscription billing and client invoice payments
- Send transactional emails (password resets, invoice reminders, onboarding forms) via Resend
- Provide AI-powered features including copilot, risk assessment, and receipt scanning via Anthropic
- Monitor application performance and resolve errors via Sentry
- Comply with legal obligations including anti-money laundering regulations
We do not sell your personal data to third parties. We do not use your data for advertising.
4. Data Sharing & Third Parties
We share data with the following processors, all of whom are contractually bound under GDPR-compliant Data Processing Agreements:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | EU (Frankfurt) |
| Vercel | Application hosting, edge functions | Global CDN (primary: EU) |
| Stripe | Payment processing, subscription billing | EU |
| Resend | Transactional email delivery | US (SCCs in place) |
| Anthropic | AI analysis (copilot, risk scoring, receipt OCR) | US (SCCs in place) |
| Sentry | Error monitoring and performance tracking | EU (Frankfurt) |
| HMRC | Making Tax Digital submissions (with your authorisation) | UK |
5. Data Retention Periods
We retain data for the minimum period necessary to fulfil our obligations:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account profile | Duration of account + 30 days | Service provision |
| Financial records & invoices | 7 years from creation | HMRC record-keeping requirements |
| Tax submissions | 7 years from submission | HMRC statutory requirement |
| KYC/AML documents | 5 years after business relationship ends | Money Laundering Regulations 2017 |
| Audit logs | 3 years | Security and compliance |
| HMRC OAuth tokens | Until revoked or expired | Active MTD connection |
| Error logs (Sentry) | 90 days | Debugging and performance |
6. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of access (Art. 15): Request a copy of all data we hold about you. Use the "Export My Data" feature in Settings, or contact us.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data via your profile settings or by contacting us.
- Right to erasure (Art. 17): Request deletion of your account and data. Use the "Delete My Account" feature in Settings. Note: financial records may be retained for 7 years per HMRC requirements.
- Right to restrict processing (Art. 18): Request that we limit how we use your data while a complaint is being resolved.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON). Available via the Export feature.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling grounds.
- Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting prior processing.
To exercise any of these rights, contact our Data Protection Officer at info@simaglobal.co. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Security Measures
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Row-Level Security (RLS) on all database tables ensuring tenant isolation
- Authentication via Supabase Auth with session-based tokens
- Rate limiting on all API endpoints to prevent abuse
- HMRC fraud prevention headers compliant with MTD specifications
- Regular security audits and penetration testing
- Strict Content Security Policy (CSP) headers
8. Cookies
We use only essential cookies necessary for the operation of the platform:
- Authentication cookies: Supabase session tokens to maintain your login state
- Preference cookies: Language selection, theme preferences (stored in localStorage)
We do not use advertising, analytics, or tracking cookies. We do not use Google Analytics.
9. International Data Transfers
Some of our processors are based outside the UK. Where data is transferred internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the ICO
- UK adequacy decisions where applicable
- Supplementary technical measures including encryption
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or an in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.
Contact Our Data Protection Officer
If you have any questions about this privacy policy, your personal data, or wish to exercise your rights, please contact:
© 2026 SIMA Technologies Ltd. All rights reserved.