Legal
GDPR & Data Retention
A plain-English summary of how we comply with the General Data Protection Regulation, including our retention schedule and how to make a rights request.
Last updated: 16 May 2026 · Governing law: Republic of Ireland
1. Our GDPR programme
- Records of processing under Article 30, maintained for controller and processor activities.
- DPIAs performed for high-risk processing such as new AI features and large-scale automated decisioning.
- Data Protection Officer: dpo@accelbooks.io.
- EU representative: Accel Books is established in Ireland and acts as its own EU representative.
- UK representative: appointed where required under Article 27 UK GDPR (contactable via dpo@accelbooks.io).
- Lead supervisory authority: Irish Data Protection Commission.
2. Retention schedule
| Data category | Retention period | Reason |
|---|---|---|
| Account profile | Life of account + 30 days | Service delivery |
| Customer Data (invoices, ledgers, transactions) | Life of subscription + 90 days; exportable for 30 days after termination | Contract performance and customer control |
| Accounting / tax records (our own books) | 6 years (Ireland) / 6 years (UK) | Tax Consolidation Act 1997, Companies Act 2014, UK HMRC rules |
| Payment / billing metadata | 7 years | PCI-DSS audit + statutory retention |
| Security and audit logs | 12 months (extended for investigations) | Security, fraud prevention |
| Support tickets and correspondence | 3 years from closure | Service quality, dispute handling |
| Marketing contacts and preferences | Until consent withdrawn or 24 months of inactivity | Marketing |
| Cookies (non-essential) | Up to 12 months | Analytics / marketing |
| Backups | Rolling 35 days | Business continuity |
| CCTV / office access logs (where applicable) | 30 days | Physical security |
Where data is retained for legal reasons after account deletion, it is access-restricted and used only for the original purpose.
3. Lawful bases summary
- Performance of a contract — providing the Service, billing, support.
- Legal obligation — tax, anti-money laundering, court orders, sanctions screening.
- Legitimate interests — security, product analytics, fraud prevention, B2B marketing to existing customers.
- Consent — non-essential cookies, prospect marketing, optional features.
- Vital interests — only in rare emergencies.
4. Automated decision-making and AI
Some features use machine learning (e.g. transaction categorisation, AI copilot). These are decision-support tools — they do not produce legal or similarly significant effects without human review. We do not use Customer Data to train third-party generative AI models. Where AI features are powered by third-party model providers, requests are processed under contractual zero-retention or short-retention terms.
5. Your rights
- Access, rectification, erasure, restriction, portability, objection, withdrawal of consent.
- Right not to be subject to solely automated decisions producing legal effects.
- Right to lodge a complaint with a supervisory authority — the Irish Data Protection Commission (dataprotection.ie) or the UK ICO (ico.org.uk).
Submit a request through our data subject request form or email privacy@accelbooks.io. We verify identity proportionately to the sensitivity of the request and respond within one month (extendable by two further months for complex requests, with notice).
Ready to make a request?
Use our secure intake form — it routes directly to our privacy team and gives you a reference number.
6. Personal data breaches
We maintain a 24×7 incident response programme. Breaches affecting Customer Personal Data are notified to the Customer within 72 hours of our becoming aware of them. Where required, we notify supervisory authorities and affected individuals in accordance with Articles 33–34 GDPR.
