Privacy Policy
1. About this policy
This privacy policy explains how Ashcourt Group (“Ashcourt”, “we”, “us” or “our”) collects and uses personal data when you use the Ashcourt Portal at ashcourt.app and the business systems hosted on it. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and follows guidance issued by the Information Commissioner’s Office (ICO).
This policy applies to employees of Ashcourt Group companies, contractors, and authorised partner users of the portal. It does not apply to the public marketing website at ashcourt.com, which has its own separate privacy policy.
2. Data controller and contact details
The data controller for the Ashcourt Portal is Ashcourt Group, comprising its operating companies. The relevant Ashcourt Group company that employs you, contracts with you, or with whom your employer has a partnership, is the controller for your personal data processed through the portal.
Registered address:
Ashcourt Group, Foster Street, Hull, HU8 8BT, United Kingdom
Privacy contact:
Email: info@ashcourt.com
Telephone: 01482 442288
If you have a concern about how we are handling your personal data, please contact us first. You also have the right to lodge a complaint with the Information Commissioner’s Office at any time:
ICO: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113 · Web: ico.org.uk
3. Personal data we collect
We collect and process the following categories of personal data when you use the portal:
| Category | Examples |
|---|---|
| Identity | First name, last name, job title, employer, internal user ID |
| Contact | Business email address, business telephone number |
| Authentication | Hashed password, multi-factor authentication tokens, password reset tokens, session identifiers, last sign-in timestamp |
| Access & entitlements | Roles, permissions, group memberships, the systems you are authorised to use |
| Technical | IP address, browser type and version, operating system, device identifiers, language preference, time zone |
| Usage & audit | Pages and systems accessed, actions performed, records viewed or modified, timestamps, success/failure of operations, audit log entries |
| System content | Records you create, view or process within hosted systems (for example intercompany matches, cashflow entries, month-end tasks). This may include personal data about other individuals. |
| Communications | Support requests, feedback and any correspondence with us about the portal |
We do not intentionally collect special category data (information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation) or criminal offence data through the portal. If you believe such data has been included in error, please contact us so we can remove it.
The portal is not directed at children and we do not knowingly collect personal data from anyone under 18.
4. How we collect personal data
We collect personal data:
- Directly from you when you sign in, use a hosted system, submit forms, or contact us.
- From your employer or an Ashcourt administrator when an account is created for you or your permissions are updated.
- Automatically through cookies, server logs and security telemetry when you interact with the portal — see our Cookie Policy for details.
- From other systems within Ashcourt Group where data is legitimately shared for the operation of business processes (for example HR or finance systems).
5. Purposes and lawful bases
Under the UK GDPR we must have a lawful basis for processing personal data. The table below sets out what we use your data for and the lawful basis we rely on.
| Purpose | Data used | Lawful basis |
|---|---|---|
| Provide you with access to the portal and the systems you are entitled to use | Identity, Contact, Authentication, Access | Performance of a contract; Legitimate interests (operating our business) |
| Authenticate you and keep your account secure (including MFA, password resets and rate limiting) | Authentication, Technical | Legitimate interests (information security); Legal obligation (Article 32 UK GDPR) |
| Operate hosted business systems (intercompany matching, cashflow processing, month end controller and others) | Identity, Access, System content | Performance of a contract; Legitimate interests (running our business) |
| Maintain audit logs of activity within the portal for accountability and investigations | Identity, Technical, Usage & audit | Legitimate interests (governance, fraud prevention); Legal obligation (accounting and tax recordkeeping) |
| Detect, prevent and respond to security incidents and abuse | Technical, Usage & audit, Authentication | Legitimate interests (information security); Legal obligation |
| Comply with legal, regulatory, tax and accounting obligations | All categories as relevant | Legal obligation |
| Improve the portal and the systems hosted on it | Technical, Usage & audit (aggregated where possible) | Legitimate interests (improving our services) |
| Respond to your queries and support requests | Identity, Contact, Communications | Legitimate interests; Performance of a contract |
Where we rely on legitimate interests, we have carried out a balancing assessment to make sure your rights and freedoms are not overridden by those interests. You can ask for more information about that assessment by contacting us.
We do not use the portal for marketing and we do not sell personal data to third parties.
6. Automated decision-making and profiling
We do not use the portal to make decisions about you that produce legal or similarly significant effects based solely on automated processing.
7. Who we share personal data with
We share personal data only where necessary, and only with recipients who are bound by appropriate confidentiality and data protection obligations. Recipients may include:
- Other Ashcourt Group companies for the operation of shared business processes.
- IT and infrastructure providers who host or maintain the portal under written contracts that meet Article 28 UK GDPR (for example our VPS provider).
- Professional advisers such as auditors, lawyers and insurers, where reasonably necessary.
- Authorised partners where you are a partner user and we have agreed in writing how data is shared.
- Regulators, law enforcement and other public authorities where we are required or permitted by law to do so.
- An acquirer or successor in the event of a sale, merger, restructuring or transfer of all or part of our business.
Where a recipient acts as our processor, we put a written contract in place that requires them to process personal data only on our documented instructions and to apply appropriate security measures.
8. International transfers
The Ashcourt Portal is hosted on infrastructure located in the United Kingdom. We do not routinely transfer personal data outside the UK.
If, in future, we engage a sub-processor that is based outside the UK, we will only do so where an adequacy regulation applies or where appropriate safeguards (such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another mechanism recognised under Article 46 UK GDPR) are in place. You can ask us for a copy of the safeguards used.
9. Data security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures, in line with Article 32 UK GDPR, including:
- HTTPS/TLS encryption in transit, with HSTS enforced.
- Hashed and salted password storage, and support for multi-factor authentication on systems that require it.
- Role-based access control, applying the principle of least privilege.
- Audit logging of access and significant actions.
- Regular patching of operating system and application dependencies.
- Restricted administrative access, protected by strong authentication.
- Backups and incident response procedures.
If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours where required, and notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms, in line with Articles 33 and 34 UK GDPR.
10. How long we keep personal data
We keep personal data only for as long as necessary for the purposes set out above, taking into account legal, regulatory, tax, accounting and operational requirements. Indicative retention periods are:
| Data type | Indicative retention |
|---|---|
| Active user account data | For as long as your account is active |
| Inactive user account data | Up to 12 months after deactivation, then deleted or anonymised |
| Authentication logs and security events | Up to 12 months |
| Audit logs of activity within hosted systems | Typically 6–7 years to meet financial recordkeeping obligations |
| Financial records held in hosted systems | At least 6 years from the end of the relevant accounting period (Companies Act 2006, HMRC requirements) |
| Backups | Rolling backups retained on a defined schedule and overwritten in due course |
| Support correspondence | Up to 24 months after the matter is closed |
Where personal data is no longer needed, we delete or anonymise it.
11. Your rights
Subject to certain conditions and exceptions, the UK GDPR gives you the following rights in relation to your personal data:
- Right of access — to obtain a copy of the personal data we hold about you.
- Right to rectification — to have inaccurate or incomplete personal data corrected.
- Right to erasure (“right to be forgotten”) — to have your personal data deleted in certain circumstances.
- Right to restriction — to ask us to restrict the processing of your personal data.
- Right to object — to object to processing carried out on the basis of legitimate interests.
- Right to data portability — to receive personal data you have provided to us in a structured, commonly used and machine-readable format, where processing is based on consent or contract and is carried out by automated means.
- Right to withdraw consent — where we rely on consent (which is rare in the portal), you can withdraw it at any time.
- Right not to be subject to solely automated decisions with legal or similarly significant effects.
To exercise any of these rights, please contact info@ashcourt.com. We will respond within one month of receiving your request, although this period may be extended by a further two months for complex or numerous requests, in which case we will let you know within the first month.
We may need to ask you for proof of identity before responding, to make sure that personal data is not disclosed to the wrong person. There is normally no fee, but we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.
12. Cookies
The portal uses only the cookies necessary to operate it. For full details please see our Cookie Policy.
13. Third-party links
The portal may contain links to third-party websites. We are not responsible for the privacy practices of those sites and recommend you read their own privacy policies before submitting personal data to them.
14. Changes to this policy
We may update this privacy policy from time to time to reflect changes in the portal, in the systems hosted on it, or in applicable law. The version number and effective date at the top of this page will always show the latest version. Material changes will be communicated to portal users through the portal or by email.