Cysoni
Privacy Policy

How we handle your data

Last updated: 4 June 2026 · Effective: 4 June 2026

The short version

We connect to inboxes read-only — we cannot send, delete or change anything. We look only for invoices and receipts. We don't store your other email. Once a document is captured and passed to your accounting software, we delete the document and keep only a short record that it was processed.

1. Who we are

Cysoni ("we", "us") provides software that finds invoices and receipts in connected email inboxes and passes them to accounting software on behalf of accountancy practices and their clients. This policy explains what data we handle and how. For any privacy question, contact us at privacy@cysoni.co.uk.

Cysoni is operated from the United Kingdom. For our full registered business details, or our registration with the Information Commissioner's Office (ICO), please contact us at privacy@cysoni.co.uk.

2. Our role: controller and processor

Where a practice connects its clients' inboxes and routes data to accounting software, the practice is the data controller and Cysoni acts as a data processor, handling that information only on the practice's instructions under our data processing terms.

For information about the practice's own account (login details, billing, usage), Cysoni is the controller.

3. The access we are granted

Inboxes are connected through the email provider's own secure sign-in (OAuth) or, where applicable, IMAP. We receive a revocable access token, never a password. The access granted is read-only. Cysoni cannot send, reply to, delete, move, archive, label or otherwise modify any email or mailbox setting.

Access can be revoked at any time by the practice, or by the inbox owner directly through their email provider's security settings. Revoking access stops all processing of that inbox immediately.

4. What we collect and store

5. What we do not store

Emails that are not invoices or receipts are ignored and are never copied to or retained on our systems. We do not store the contents of your personal or non-accounting email, and we never receive or store email account passwords.

6. How long we keep it

Captured documents are held only as long as needed to process them and pass them to the accounting software, after which they are deleted (following a short grace period to confirm successful delivery). The audit record — the metadata showing what was processed — is retained for the period agreed with the practice, so the trail remains complete and verifiable. It is removed on disconnection or on request, subject to any retention the practice is itself legally required to keep.

7. Lawful basis

We process this data to provide the service under our contract with the practice, and on the basis of the legitimate interests of the practice and its clients in automating bookkeeping. Where a practice or client requires it, processing proceeds on the consent obtained at the point an inbox is connected.

8. Sharing and sub-processors

We pass captured invoice and receipt data only to the accounting software destination the practice configures (such as Xero). We use a limited set of trusted infrastructure providers (hosting, processing) to run the service; these act as sub-processors under appropriate data protection terms. A current list is available on request. We do not sell personal data, and we do not use your email content to train third-party models.

Captured accounting data is hosted in the United Kingdom. Some sub-processors (for example, AI processing and email delivery) may process data outside the UK; where that happens, it is covered by appropriate safeguards such as the UK International Data Transfer Agreement or equivalent.

9. Security

Access is via revocable tokens rather than stored passwords. Data is encrypted in transit and at rest, access is restricted on a need-to-know basis, and processing is logged. No system is perfectly secure, but we take reasonable and appropriate measures to protect the data we handle.

10. Your rights

Individuals have rights under applicable data protection law, including the right to access, correct, or request deletion of personal data, and to object to or restrict processing. As we usually act as processor for the practice, requests from a practice's clients are normally directed to the practice as controller; we will assist the practice in responding. You also have the right to complain to your data protection regulator.

11. Disconnecting and deletion

An inbox can be disconnected at any time, stopping all processing immediately. On disconnection or on a valid deletion request, we remove the associated data we hold, subject to limited records we are required to retain.

12. Changes and contact

We may update this policy and will post the revised version here with a new effective date. Questions or requests: privacy@cysoni.co.uk.
