PocketReceipt Data Processing Agreement

"Personal Data" means any information relating to an identified or identifiable natural person processed through the PocketReceipt platform, including but not limited to names, email addresses, receipt data, mileage records, financial figures, and receipt images.

"Data Subjects" means the individuals whose Personal Data is processed, primarily being the clients of the Controller who use the PocketReceipt mobile application.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Services" means the PocketReceipt Accountant Dashboard and related features provided under your subscription.

2.1 Purpose

The Processor processes Personal Data solely for the purpose of providing the Services to the Controller, specifically: enabling accountancy practices to view, review, correct, and export their clients' expense, income, and mileage records as submitted through the PocketReceipt mobile application; to review quarterly periods (including requesting corrections and marking quarters as reviewed); to send structured messages to clients; to request and receive financial documents; and to view and download receipt images.

2.2 Types of Personal Data

• Client names and email addresses
• Receipt data: store names, amounts, dates, categories (HMRC SA103F aligned), VAT details, payment methods, capital item status, business purpose notes
• Receipt images (where client has enabled accountant access), viewable and downloadable by the accountant via the Dashboard
• Mileage records: journey dates, locations, purposes, distances, vehicle details
• Income records: amounts, dates, source labels, and linked quarter
• Financial summaries and aggregated data
• Business settings: VAT status, business type, accounting basis
• Scan usage data (monthly and daily counts)
• CIS (Construction Industry Scheme) data: contractor names, gross amounts, materials, deductions, net payments, and statement references (where applicable)
• Document transfer data: document type, month/year, notes, and transfer status. Document images are stored temporarily in Firebase Storage (auto-deleted after 30 days) and accessed by the accountant via time-limited signed URLs only.
• Onboarding situation data: employment status, cash income indicator, bank account type, vehicle ownership
• Accountant messages: message text, category, priority, timestamps, acknowledgement status
• Accountant corrections: pending edits to receipt categories or mileage purposes, stored temporarily until applied to the client's local data

2.3 Data Subjects

The Data Subjects are the Controller's clients who use the PocketReceipt mobile application and who have actively consented to link their account to the Controller's Dashboard.

2.4 Duration

Processing continues for the duration of the Controller's active Dashboard subscription. Upon termination, Section 10 applies.

The Controller shall:

• Ensure that it has a lawful basis for sharing its clients' data with PocketReceipt (typically: legitimate interest in providing accountancy services, or client consent).
• Only access client data through the Dashboard when the client has explicitly approved the link from within the PocketReceipt app.
• Inform its clients that their data will be accessible to the Controller through the PocketReceipt Dashboard.
• Immediately cease using any previously exported data from a client who revokes access, unless required for the Controller's own regulatory or legal obligations.
• Not attempt to access, export, or retain data beyond what is reasonably necessary for providing accountancy services to the relevant client.

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, unless required by UK law.
• Ensure that persons authorised to process Personal Data have committed themselves to confidentiality.
• Implement appropriate technical and organisational security measures (see Section 5).
• Engage Sub-processors only in accordance with Section 6.
• Assist the Controller in responding to Data Subject rights requests (see Section 7).
• Assist the Controller in ensuring compliance with data breach notification obligations (see Section 8).
• Delete or return all Personal Data upon termination of the Services (see Section 10).
• Make available to the Controller all information necessary to demonstrate compliance with this DPA.

The Processor implements the following technical and organisational measures:

• Encryption in transit: All data transmitted between the mobile app, Dashboard, and servers uses TLS 1.2 or higher.
• Encryption at rest: Data stored in Firebase/Google Cloud is encrypted at rest using AES-256.
• Authentication: Firebase Authentication with email/password. Cloud Function endpoints require valid authentication tokens.
• Access control: Firestore security rules ensure accountants can only access data from clients who have explicitly linked to them.
• Client consent: Clients must actively approve each accountant link from within the app. Clients can revoke access at any time.
• Image compression: Receipt images shared with accountants are compressed thumbnails (not full resolution) to minimise data exposure.
• Data minimisation: Only data necessary for accountancy review is synced to the Dashboard.
• Crash log sanitisation: All crash logs are automatically stripped of personally identifiable information before storage.
• Document transfer security: Documents uploaded by clients are stored in isolated Firebase Storage paths. No direct read access is permitted. Downloads are only available via Cloud Function-generated signed URLs (valid for 30 minutes) that verify the accountant link is active. Documents are automatically deleted from the server after 30 days.

The Controller provides general authorisation for the Processor to engage the following Sub-processors for Dashboard-related processing:

Note: The PocketReceipt website uses Google Analytics 4 and Microsoft Clarity for website analytics. These services do not process Dashboard or client data and are therefore outside the scope of this DPA. See the Privacy Policy for details.

The Processor shall notify the Controller at least 14 days before engaging any new Sub-processor. The Controller may object to a new Sub-processor within 14 days of notification. If a reasonable objection cannot be resolved, either party may terminate the affected Services.

If the Processor receives a request from a Data Subject (a client of the Controller) to exercise their rights under UK GDPR (access, rectification, erasure, restriction, portability, or objection), the Processor shall:

• Promptly notify the Controller of the request.
• Not respond directly to the Data Subject unless instructed by the Controller or required by law.
• Assist the Controller in fulfilling the request, including providing relevant data exports where technically feasible.

Data Subjects (clients) can also exercise their rights directly through the PocketReceipt app: they can view, export, and delete their own data at any time without requiring the Controller's involvement.

In the event of a Personal Data breach, the Processor shall:

• Notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach.
• Provide sufficient information to enable the Controller to meet its obligation to notify the ICO within 72 hours (where required).
• Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
• Document all breaches, including the facts, effects, and remedial actions taken.

Notification shall include, where possible: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:

• Make available all information reasonably necessary to demonstrate compliance.
• Allow and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
• Audits shall be conducted with reasonable notice (minimum 14 days), during normal business hours, and no more than once per calendar year unless a breach has occurred.

Where possible, the Processor will satisfy audit requests by providing written evidence of compliance (such as security documentation, infrastructure certifications, and processing records) rather than on-site inspections.

Upon termination or expiry of the Controller's Dashboard subscription:

• The Processor will retain synced client data in Firestore for 90 days to allow the Controller to export any required records or resubscribe.
• After 90 days, the Processor will permanently delete all synced client data from the Dashboard (Firestore accountant_views collection).
• Client data stored locally on the client's own device is not affected by the Controller's subscription status.
• The Controller is responsible for exporting any data they need (via CSV, PDF, or ZIP export) before the 90-day window expires.

Each party's liability under this DPA is subject to the limitations and exclusions set out in the PocketReceipt Terms of Service.

The Processor shall not be liable for any loss, damage, or regulatory action arising from the Controller's failure to comply with its obligations under this DPA, including but not limited to: failure to obtain appropriate consent from clients, or continued use of exported data after a client has revoked access.

This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

PocketReceipt (United Kingdom)

Email: hello@pocketreceipt.co.uk

Website: pocketreceipt.co.uk