Policies
Last updated: 13 July 2026
Privacy Policy
Calceum Limited (“Calceum”, “we”, “us”) is the controller of the personal data described in this notice and handles it lawfully under the UK GDPR and the Data Protection Act 2018.
- Registered: Calceum Limited, company no. 17240312, Red Gables, West Common, Harpenden, AL5 2JQ
- Contact: privacy@calceum.com
- ICO registration: ZC156359
Where the Calceum service includes open-banking features, those regulated services are provided through [ ] (authorised and regulated by the Financial Conduct Authority, FRN [ ]) and Calceum acts as its agent under the Payment Services Regulations 2017.
When we are a controller and when we are a processor
Calceum acts in two capacities, and it matters which applies to you:
- As controller - for the personal data in this notice: visitors to calceum.com, people who enquire or correspond with us, and the contacts and users at the accounting practices we contract with. We decide how and why this data is used.
- As processor - when an accounting practice uses Calceum to handle its own clients’ personal data. This includes client contact and financial records, documents, and - where the practice uses recording features - audio recordings of client meetings and their AI-generated transcripts and summaries, captured with consent gathered at the point of recording. Here the practice is the controller, and Calceum processes that data only on the practice’s instructions under our data-processing terms. The practice is responsible for informing its clients. This notice does not govern that processing - see the practice’s own privacy notice and our Data Processing Agreement.
1. Personal data we collect
| Category | Data | Source |
|---|---|---|
| Website & usage | IP address, device/browser type, pages viewed, interactions, cookie identifiers | Automatically, when you visit calceum.com |
| Enquiries & correspondence | Name, email, phone, practice/company name, message content | You, via contact form, email, phone or social |
| Practice customer & users | Contact details, job role, account login details, billing contact, support correspondence | The practice, and individuals when they use their account |
| Marketing | Contact details and preferences | You, or the practice contact |
We do not collect end clients’ tax data (National Insurance numbers, income, HMRC submissions) as a controller - that data is processed for the practice as processor (see above).
2. How we collect it
- Directly from you (enquiries, sign-up, correspondence).
- Automatically (cookies and analytics - see the Cookie Policy).
- From the accounting practice, to set up and administer its account and users.
3. Purposes and lawful basis
| Purpose | Lawful basis |
|---|---|
| Operate, secure and improve calceum.com | Legitimate interests |
| Respond to enquiries and take steps before a contract | Legitimate interests / pre-contract steps |
| Provide and administer the service to the practice (accounts, billing, support) | Performance of our contract with the practice |
| Send B2B marketing about our services | Legitimate interests (with opt-out), in line with PECR |
| Analytics / non-essential cookies | Consent |
| Meet legal and regulatory obligations (accounting, tax, AML / financial crime) | Legal obligation |
4. Marketing and communications
We may send you marketing about our services where we have a lawful basis. For business contacts we rely on legitimate interests (with the ability to opt out at any time); where required we rely on your consent, in line with PECR. We do not sell your data, and we do not share it with third parties for their own marketing.
You can opt out of marketing at any time using the unsubscribe link in any marketing email, or by contacting privacy@calceum.com. Separately, we may send service communications (service updates, security notices, billing). These are not marketing and cannot be opted out of while you hold an account.
5. Cookies
calceum.com uses essential cookies for core functionality, and non-essential analytics cookies (Google Analytics) only with your consent via our cookie banner, in line with PECR. See the Cookie Policy.
6. The Calceum Practice mobile app
Practice staff may use our iOS app. With the participants’ consent, captured in the app before recording starts, the app can record client meetings using the device microphone; recordings and their transcripts are processed for the practice as described above and stored encrypted in our UK hosting (AWS eu-west-2, London). The app’s optional biometric lock (Face ID / Touch ID) is performed on-device by Apple’s operating system - biometric data never leaves the device and is never received by Calceum. The app contains no advertising and no third-party analytics or tracking.
7. Who we share data with
We never sell your personal data. We share it only:
- with service providers who process it on our instructions to run our business and platform;
- with integrations you choose to connect;
- where required by law, or with a regulator or authority; and
- in connection with a business sale or reorganisation (with notice).
Service providers. We use a set of providers, under written data-protection terms: cloud hosting and infrastructure (in the UK, managed for us by an IT partner under an Article 28 agreement); business email, documents and productivity tools; website analytics (only with your consent); email marketing; scheduling; and payment processing. The current, named list of every provider we use is in our Sub-Processor List.
Integrations you connect. Where you connect a third-party service to Calceum - for example HMRC, Companies House, your accounting software, your email or calendar, or a payment provider - you authorise that connection, and the third party handles your data under its own terms. We facilitate the connection but are not responsible for those services.
8. International transfers
Personal data is hosted in the UK (AWS eu-west-2, London). Where any provider processes personal data outside the UK, we put in place a valid UK transfer mechanism - UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses - with a transfer risk assessment. See the Sub-Processor List for each provider’s safeguards.
9. Data retention
| Data | Retention |
|---|---|
| Website analytics / cookies | Up to 14 months |
| Server / application logs | 90 days |
| Enquiries (no contract) | Up to 24 months |
| Practice customer account & contacts | Duration of the contract, then up to 7 years for accounting, tax and AML record-keeping |
| Marketing data | Until you opt out |
Retention of an accounting practice’s client data is set by the practice (controller) and the client contract, not by this notice.
10. Your rights
Under UK GDPR you have the rights to: access; rectification; erasure; restriction; portability; and to object (including to direct marketing at any time). Where processing is based on consent, you may withdraw it at any time.
To exercise a right, contact privacy@calceum.com; we respond within one calendar month. You can also complain to the ICO (ico.org.uk).
11. Automated processing and AI
Calceum uses automation and AI to help deliver and improve its services. We do not make decisions producing legal or similarly significant effects about website visitors or enquirers by solely automated means. Where AI is used within the platform on a practice’s behalf, it operates under the practice’s instructions and human oversight, and is covered by our data-processing terms. Within the platform this includes AI transcription and summarisation of recorded client meetings, performed on the practice’s instructions.
12. Security
Personal data is encrypted at rest (AES-256-GCM, with additional field-level encryption for the most sensitive fields) and in transit (TLS 1.2+). We apply role-based access control, MFA on production systems, and documented security policies. See our Information Security Policy.
13. Children
calceum.com and our services are intended for businesses and are not directed at children.
14. Changes
We may update this notice; material changes will be notified with at least 14 days’ notice, and the current version is always at calceum.com/policies/privacy-policy.
15. Contact
Questions or requests: privacy@calceum.com.