Tidyflow Tidyflow Logo

Privacy Policy

Last updated April 8, 2026

1. Introduction

Tidyflow provides practice management software for accounting firms and professional service businesses (“Service”).

We respect your privacy and are committed to protecting personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service or visit our website.

2. Our Role

When you create an account with Tidyflow, we act as the data controller for your account information (such as name, email address, and billing details).

When you use Tidyflow to manage your clients, you act as the data controller of your client data. In that context, Tidyflow acts as a data processor, processing such data solely on your behalf and in accordance with your instructions.

3. Information We Collect

We may collect the following categories of information:

Account Information

  • Name
  • Email address
  • Firm name
  • Billing information

Customer Data

Information you upload or manage within the Service, including client names, contact details, documents, and workflow data.

Email Data (Connected Mailboxes)

If you connect a third-party email account (such as Gmail or Microsoft Outlook/Microsoft 365) to Tidyflow, we access and process email data from that account on your behalf. This may include:

  • Email message content (body text, subject lines)
  • Sender and recipient information (names, email addresses)
  • Email metadata (timestamps, read/unread status, labels or folders)
  • Attachments (where you choose to sync or access them within Tidyflow)

Tidyflow accesses this data via secure OAuth 2.0 connections authorised by you. You may disconnect a linked mailbox at any time through your account settings, which will stop further data syncing from that mailbox.

Usage Information

Information about how the Service is accessed and used, such as:

  • Features accessed
  • Pages visited
  • Device and browser type
  • Log data

Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Maintain session functionality
  • Analyze website traffic
  • Measure marketing performance
  • Improve user experience

You can configure your browser to refuse cookies; however, some parts of the Service may not function properly without them.

4. How We Use Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Process payments and manage subscriptions
  • Provide customer support
  • Improve product performance and usability
  • Monitor system performance and security
  • Communicate service-related updates
  • Measure the effectiveness of our marketing efforts
  • Power AI Features within the Service, where enabled by you (see below)
  • Sync, display, compose, send, and reply to emails via connected third-party email accounts (see below)

We do not sell personal information.

Email Integration

If you connect a Gmail or Microsoft Outlook/Microsoft 365 account to Tidyflow, we use the authorised connection to sync your email data into the Service. This allows you to view, draft, send, and reply to emails directly within Tidyflow. Email data is processed solely to provide email functionality within the Service and is not used for advertising, market research, or any purpose unrelated to the Service.

You retain full control over which mailboxes are connected and may revoke access at any time through your account settings or through your email provider’s security settings.

AI Features

If you enable AI Features, certain data (such as email content, workflow descriptions, and task information) may be transmitted to a third-party AI provider for processing. Personal identifiers are pseudonymised via tokenisation before transmission. AI data is processed in real time and is not stored by the AI provider after the response is returned. Your data is not used to train AI models. Full details of how AI Features handle your data, your consent rights, and the categories of data involved are set out in our AI Terms of Use.

5. Data Sharing

We may share personal information:

  • With trusted service providers (sub-processors) who support the operation of the Service
  • With third-party email providers (Google and Microsoft) via secure OAuth 2.0 connections authorised by you, solely for the purpose of syncing, sending, and receiving email on your behalf
  • With third-party AI providers (currently OpenAI) for the purpose of delivering AI Features, where you have opted in to AI Features — data shared with AI providers is pseudonymised and processed in real time only
  • To comply with legal obligations
  • To protect our rights, property, or safety
  • In connection with a merger, acquisition, or asset transfer

All service providers, including AI providers, are contractually required to safeguard personal information and use it only for authorised purposes. AI providers are contractually prohibited from using your data to train or improve their models.

A list of current sub-processors is available on our Sub-processors page.

6. Data Hosting and International Transfers

Tidyflow primarily operates using cloud infrastructure located in the United States.

If personal data is transferred outside your jurisdiction, we implement appropriate safeguards in accordance with applicable data protection laws.

7. Data Security

We implement technical and organizational measures designed to protect personal information, including:

  • Encryption in transit (TLS)
  • Encryption of sensitive data at rest
  • Role-based access controls
  • Multi-factor authentication support
  • Restricted internal access to production systems
  • Regular system updates and security monitoring

No method of transmission or storage is completely secure, but we maintain safeguards appropriate to the nature of the data processed.

8. Data Retention

We retain account information for as long as your account remains active and as necessary to comply with legal, accounting, or reporting obligations.

Customer data is retained according to our internal retention policies and may be securely deleted upon request, subject to legal requirements.

Email data from connected mailboxes is synced and cached within the Service for as long as the mailbox remains connected. When you disconnect a mailbox, Tidyflow will cease syncing new data and will delete cached email data from that mailbox in accordance with our internal retention policies. Deletion may take up to 30 days to propagate across all systems, after which no email data from the disconnected mailbox will be retained.

9. User Rights

Depending on your jurisdiction, you may have the right to:

  • Access personal information we hold about you
  • Correct inaccurate or incomplete information
  • Request deletion of personal information
  • Object to or restrict certain processing activities
  • Request transfer of your personal information

To exercise these rights, please contact us using the details below.

Residents of certain jurisdictions, including California, may have additional rights under applicable law.

10. Google API Services — Limited Use Disclosure

Tidyflow’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Tidyflow:

  • Only uses Google user data to provide and improve the email integration functionality you have authorised
  • Does not use Google user data for serving advertisements or for any advertising-related purpose
  • Does not sell, rent, or transfer Google user data to third parties, except as necessary to provide the Service, with your consent, for security purposes, or as required by law
  • Does not use Google user data to train generalised or non-personalised artificial intelligence or machine learning models

Where you have separately enabled AI Features, email data from connected Gmail accounts may be processed by a third-party AI provider solely to deliver the AI functionality you requested (such as email summarisation). This processing occurs only with your consent, is subject to the data minimisation and pseudonymisation measures described in our AI Terms of Use, and is consistent with the Limited Use requirements.

For further details, see our Use of Google API Services page.

11. Third-Party Account Connections

When you connect a third-party account (such as Gmail or Microsoft Outlook/Microsoft 365) to Tidyflow, you authorise Tidyflow to access data from that account via OAuth 2.0. You remain subject to the terms and privacy policies of the third-party provider. Tidyflow does not store your third-party account passwords.

You may revoke Tidyflow’s access to a connected account at any time through your Tidyflow account settings or through the third-party provider’s security or app permissions settings.

12. Children’s Privacy

The Service is intended for business use and is not directed to individuals under the age of 13. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on this page.

14. Contact Information

For privacy-related inquiries, please contact [email protected]