Privacy Policy

Codat Global Privacy Notice

This Privacy Notice was last updated in October 2020




Thank you for visiting the Codat website. The aim of this privacy notice (“Privacy Notice”) is to clearly explain what, how and why we collect the information about you and what we do with that information. This Privacy Notice also explains how you can exercise your privacy rights.

This Privacy Notice applies to information that we use as a controller. This may include, for example, any information that we collect via our marketing website, any personal information that we collect when you communicate with us, or any information that we collect if you transact with us to use our products and services. In a few instances, we may also act as a controller in relation to personal information that is collected through our product.

Our Services are designed for businesses and are not intended for personal or household use. Accordingly, we treat all personal information covered by this Privacy Notice, including information about any visitors to our website, as pertaining to individuals acting as business representatives, rather than in their personal capacity.

We recognise that when you provide us with information about yourself that you trust us to act in a responsible manner; and we are committed to making sure we earn that trust. We take your privacy extremely seriously, and we will not sell any information we collect about you (nor will we share it with third party organisations) unless you provide us with a clear consent, we have a legitimate interest to do this as set out in this Privacy Notice, or where required by applicable laws.

If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Privacy Notice.


What is Codat?

Codat is focused on making financial integrations as simple as a click of a button. We build developer-friendly infrastructure that give businesses the ability to create their own next- generation products.

Having experienced the pain of managing integrations with multiple accounting and financial software providers we decided to build a product to make this process as quick and easy as possible.


What personal information do we collect?


Website visitors

We collect personal information when you use our website, make an inquiry or communicate with us in relation to our website. This includes:

Information that you provide voluntarily:
  • Information that you provide to us directly, for example if you provide your contact details in order to subscribe to marketing communications from us. In particular:
    • If you choose to submit a CV or business plan to us, you are voluntarily giving us information that may include personal information. We will use the information you provide to respond to you in the context in which you have contacted us about.
    • Information provided when you communicate with us by phone, email, webform or chat, including records of your contact, your country and language, your email address or other contact information, and other information about the reasons for the communication.
    • Marketing preferences, such as whether you have agreed to receive marketing information or newsletters about our services or whether you have opted out, and the types of services that may interest you.

The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be clear at the point we ask you to provide your personal information.

Information that we collect automatically:
  • Information about your use of our online content and emails, such as how you came to our website, which pages you visit, how long you remain on a page or view content, and whether you opened an email or clicked a link. To collect this data, we use cookies and other tracking technologies.
  • Other automatically collected content, such as information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our website, including the pages accessed and links clicked.

In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws. Collecting this information allows us to better understand the visitors who come to our website, where they come from, and what content on our website is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our website to our visitors.

Information that we obtain from third party sources:

From time to time, we may receive personal information about you from third party sources, such as:

  • Business information that tells us more about our prospective customers and businesses, from introducers, third party companies and other data enrichment sources, and from public sources like Companies House, LinkedIn or Twitter.

We will only receive and use this information where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.

Codat’s clients

With regard to our clients, we sometimes collect personal information about our client’s employees; for example when our clients enquire about a Codat account, or where we receive this information in order to manage our contract with the client. This may include the following information:

Information that you provide voluntarily:
  • Identification information, such as your name, company name, company email address, company phone number and company address details. We use this information to enable us to manage the contract with your employer.
Information that we collect automatically:

Device and connection information, such as the type of device you use to access our services, operating system and version, device identifiers, network information, login records, IP address and location derived from it.

End-users of the Codat product

The Codat product works by enabling Codat’s clients to access financial information about the client’s customers (“companies”). This information is held on third party applications. The specific information that is made available by companies to the client via the Codat product is determined by the client. In some cases (for example where companies are sole traders), this may constitute personal information; and Codat will use this information as a controller:

Information that you (or your company) provides voluntarily:
  • Identification information, such as name, company name, company email address, company phone number.
  • Financial information, such as bank account details, general company information, financial reports, bank statements, credit notes, invoices, and any other personal and financial details that are recorded in the third-party applications that companies have authorised clients to access.
  • Transaction information, details of transactions made by the company; such as the names of transacting parties, a transaction description, payment amounts, billing and the devices and payment methods used to complete the transactions.
Information that we collect automatically:
  • Device and connection information, such as the type of device the company uses to access our services, operating system and version, device identifiers, network information, login records, IP address and location derived from it.

We may use this information to satisfy our legal obligations, to help us to resolve disputes, for security reasons and for enforcing our agreements with our clients.


How do we use personal information?

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. In addition to the purposes described above, we may also use your personal information for the following purposes:

Using personal information to respond to your (or your employer’s) requests

We use personal information where it is necessary to respond to your (or your employer’s) requests. For example:

  • We use personal information to communicate with you or your employer, like sending system notifications or alerting you to changes in the service.

Using personal information for our legitimate interests

We use personal information for our legitimate business interests if this processing is not overridden by your rights. When we rely on legitimate business interests, we make sure to consider (and work to minimise) any privacy impact this activity could have on you. For example, we limit the information we collect to only what is necessary, we control access to the information, and where we can, we aggregate or de-identify the data. We will also make it clear to you at the relevant time what our legitimate interests are. We rely on our legitimate interests in the following circumstances:

  • We use personal information to prevent unauthorised use of our services. We may block access to users if we believe their use will violate our terms.
  • We use personal information to develop and improve our products and services. For example, we might use information to:
    • Analyse how people engage with our website and services so that we can develop new products or features.
  • Where permitted by law, we use personal information to promote our services, communicate news and industry updates, and host or participate in events.
  • Where we believe it is necessary to protect our legal rights and interests or the interests of others, we use personal information in connection with legal claims, compliance, regulatory and audit functions, and in connection with the acquisition, merger or sale of a business.

Using personal information where required by law

We use personal information to comply with the requirements of law we operate under, and as required in other exceptional circumstances.

  • Under exceptional circumstances, we may be required by law to provide personal information to law enforcement agencies, regulatory body, government agencies, courts or others in connection with claims and other litigation.

Using personal information on the basis of your consent

We may use personal information for any other purposes, where we have your consent to do so.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How To Contact Us” heading below.


How is personal information shared?

Codat may disclose your personal information to the following categories of recipient:

  • to third parties who integrate our software services into their applications.
  • If ownership or control of all or part of our business or assets changes (or potentially changes), we may transfer personal information to the new owner or potential owner (and its agents and advisors). We will inform the new owner that it must use your personal information only for the purposes disclosed in this Privacy Notice.
  • We may work with service providers who provide data processing services to use (for example, technical infrastructure, web and app development, and marketing, analytics and survey tools), or who otherwise processing personal information for purposes that are described in this Privacy Notice or notified to you when we collect your personal information. We impose strict restrictions on how service providers store, use and share data on our behalf. We also work with companies who provide identity verification, background screening, due diligence, consulting and other regulatory services for us.
  • In exceptional circumstances, we share personal information with any competent law enforcement body, regulatory body, government agencies, court or other third parties if we believe it is reasonably necessary to comply with law, regulation, legal process or governmental request; to exercise, establish and defend our legal rights; or to protect your vital interests of those of any other person.
  • To any other person with your consent to the disclosure.


International data transfers

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Specifically, our Website servers are located in the United Kingdom, but our third party service providers and partners operate around the world. This means that when we collect your personal information we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. This includes ensuring that the data recipient is located in an adequate territory approved by the EU Commission, or that it has Binding Corporate Rules or an EU-US Privacy Shield certification. If not, we will implement the European Commission’s Standard Contractual Clauses for transfers of personal information between our third party service providers and partners, which require all data recipients to protect personal information they process from the EEA in accordance with European Union data protection law.

Our Standard Contractual Clauses can be provided on request.


How does Codat keep my personal information secure?

We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. In particular, we impose access controls, encrypt your personal information in transit and at rest and we are certified to the ISO 27001 certification.


List of Sub-Processors


Entity nameSubprocessing activitiesEntity country
Microsoft AzureCloud service providerUnited Kingdom


No responsibility for third party websites

Please be aware that our website may contain links to and from other sites,which are not controller or operated by us (“Third Party Sites”). As such, please note that we have no control over the content, policies or actions of these Third Party Sites. Your use of these Third Party Sites is at your own risk and we do not accept any responsibility or liability for the privacy practices of these Third Party Sites. We encourage you to read the privacy policies and terms of use of each Third Party Site to which you link from our website.


Your data protection rights and choices

You have the following data protection rights:

  • If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading below.
  • In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.
  • You have the right to opt-out of marketing communicationswe send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided under the “How to contact us” heading below.
  • Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority (further details below).

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

Exercise your data protection rights

We would like it that you came to us in the first instance with any form of complaint. However, if you have unresolved concerns, you have the right to complain to an EU data protection authority where you live or work, or where you believe a breach may have occurred. In the UK that will be:

Information Commissioner’s Office
Wycliffe House
Water Lane

ICO website:


How long do we keep personal information?

Codat will retain the personal information that we collect from you where we have an ongoing legitimate business need to do so, such as complying with our legal obligations, resolving disputes, security reasons, and enforcing our agreements. Because these needs can vary for different data types used for different purposes, retention times will also vary. All personal information will be destroyed or deleted at the end of its retention period in accordance with our retention and secure disposal policy. However, no data will be stored for longer than 10 years.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.


Updates to this Privacy Notice

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.

You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.


Codat as a processor

We primarily act as a processor in relation to our product. If you have any questions or concerns about how we use your personal information in this context, we may have to refer you to the relevant client that we have contracted with, as our client will be the controller of your personal information. As such, if you have questions about how a controller handles your personal information in relation to our product, or if you wish to exercise your rights in relation to the personal information they hold, its usually best to contact that controller directly.


How to contact us

Our contact details are:

Codat Limited
301 Ink Rooms
28 Easton Street
London WC1X 0BE
[email protected]

Please contact us if you have any questions or concerns, or to exercise your data protection rights (including your right to object)

The data controller of your personal information is Codat Limited.