This Privacy Notice explains how Ideal Creations Ltd (“TrueBooks”, “we”, “us”) collects, uses, shares and protects your personal data when you use the TrueBooks service at app.truebooks.co.uk and the related marketing, support and live-chat surfaces (the “Service”). We are committed to handling your data lawfully, fairly and transparently in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
1. Who we are (Data Controller)
The data controller for the personal data described in this Notice is:
- Ideal Creations Ltd (trading as “TrueBooks”)
- Company number: 13234121 (England & Wales)
- Registered office: Princes Road, Buckhurst Hill, Essex, IG9 5DZ, United Kingdom
- Contact for privacy matters: support@truebooks.co.uk
We are not required to appoint a statutory Data Protection Officer under Article 37 of the UK GDPR. Privacy matters are handled by the company directors, whom you can reach at the email address above.
For personal data within the financial settlement information you process through the Service (for example, references to your end-customers’ orders), you are the controller and we are the processor acting on your instructions. See our Data Handling Policy for the Data Processing Addendum.
2. What personal data we collect
We collect the following categories of personal data:
2.1 You provide it directly
- Account identity — name, email address, phone number (where verified), country.
- Authentication credentials — your password, stored only as a non-reversible bcrypt hash; TOTP secret, encrypted at rest; SMS-2FA enrolment flag; recovery codes (hashed); trusted-device tokens (hashed).
- Business profile — company name, registration number, VAT number, contact full name, billing address.
- Billing details — last four digits of card, card brand, expiry month/year, payment provider customer reference. We do not store full card numbers or CVV; these are tokenised by our payment processor (Stripe) under their PCI-DSS certification.
- Support communications — the contents of any email, live-chat conversation or ticket you send us.
2.2 We collect it automatically when you use the Service
- Login + session metadata — IP address, user-agent string, login timestamp, device-trust state.
- Audit log — security-relevant actions you take (sign-in, password change, MFA toggle, payment events, destructive operations, billing consent). Retained for twelve (12) months.
- Website analytics — for public marketing pages only, we record path, referrer, browser user-agent and a hashed IP. Retained for ninety (90) days. We do not use third-party analytics or behavioural tracking.
- Strictly necessary cookies — see our Cookie Policy.
2.3 We receive it from third parties you authorise
- Amazon Selling Partner API — settlement reports, financial event summaries, marketplace participations, and (with the “Inventory and Order Tracking” role) ship-to country at order level for VAT classification.
- Xero — your tenant ID, base currency, organisation type, and tax/account chart metadata required to post invoices and journals.
- Sign-in providers (Xero OIDC, Google OIDC) — your email, display name and profile picture, when you elect to sign in via these providers.
- HMRC — VAT-number validation responses (consultation number, registered business name and address), retrieved only when you request validation.
- Alibaba.com Open Platform, eBay Marketplace — where you connect those platforms, identity profile fields and order/transaction metadata under the scopes you grant.
2.4 Special category data
We do not knowingly collect special category data (e.g. health data, racial or ethnic origin, biometric or genetic data, political opinions). Please do not submit such data to the Service.
3. How we use your personal data, and our lawful basis
We process personal data only where we have a lawful basis under Article 6 of the UK GDPR. The basis for each purpose is set out below.
- To provide and operate the Service. Includes account creation, retrieving your Amazon settlements, classifying transactions, posting invoices to Xero, processing payments, generating invoices and notifications. Lawful basis: Contract (UK GDPR Art. 6(1)(b)) — necessary to perform the contract under our Terms of Service.
- To bill you and process payments. Includes recurring monthly charges, coupon/discount redemption, refund handling and invoice issuing. Lawful basis: Contract and Legal Obligation (UK GDPR Art. 6(1)(b) and (c)) — record-keeping under the Companies Act 2006 and HMRC Notice 700/21.
- To send service messages. Account verification, password reset, billing receipts, settlement notifications, security alerts. Lawful basis: Contract and Legitimate Interests (Art. 6(1)(b) and (f)) — our interest in delivering a functioning, secure Service.
- To secure the platform and prevent fraud. Includes login-failure tracking, IP-based rate limiting, account-takeover detection and security-audit logging. Lawful basis: Legitimate Interests (Art. 6(1)(f)) — protecting our users, our infrastructure and our business.
- To comply with legal obligations. Tax reporting, regulator requests, court orders, anti-money-laundering checks where applicable. Lawful basis: Legal Obligation (Art. 6(1)(c)).
- To send marketing communications. Product updates, new-feature announcements and offers, where you have opted in. Lawful basis: Consent (Art. 6(1)(a)) — you may withdraw consent at any time from Settings → Notifications without affecting any prior processing.
We do not use your data for any automated decision-making that has legal or similarly significant effects on you (Art. 22 of the UK GDPR).
4. Who we share your personal data with
We share personal data only with the recipients listed below, and only to the minimum extent necessary to deliver the Service. The full list of sub-processors, the country in which each operates and the transfer safeguard in place is set out in our Data Handling Policy.
- Stripe (payment processing, billing).
- Postmark / ActiveCampaign (transactional email delivery).
- MSG91 (SMS one-time-passcodes for phone verification and SMS two-factor authentication).
- Chatwoot (live-chat support, when you initiate a conversation).
- Cloud hosting provider (compute and storage; UK region).
- Xero, Amazon, Alibaba, eBay, Google — only when you elect to connect those services. Data flows are at your instruction.
We do not sell, rent or barter your personal data. We do not share your data with advertisers or behavioural-tracking networks.
We may disclose personal data where we are legally compelled to do so (court order, regulator request, statutory power) or where disclosure is necessary to protect the vital interests of any person or to defend our legal rights.
5. International data transfers
Some of our sub-processors are based outside the United Kingdom. When personal data is transferred outside the UK, we rely on an appropriate transfer mechanism recognised under UK GDPR Articles 44–49:
- UK Adequacy Decision — for transfers to countries the UK Government has designated as providing an adequate level of protection (the EEA, Switzerland and others).
- International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum — for transfers to other jurisdictions, including the United States (Stripe, Postmark) and India (MSG91).
A copy of the transfer agreement we rely on for any specific sub-processor is available on request to support@truebooks.co.uk.
6. How long we keep your personal data
We retain personal data only for as long as necessary for the purposes set out in this Notice. The retention periods we apply are:
- Account profile — for the lifetime of your account; deleted within 30 days of account closure.
- Authentication credentials — for the lifetime of your account; deleted on account closure.
- Login + session metadata — thirty (30) days after the session ends.
- Audit log — twelve (12) months from the recorded event.
- Billing records — six (6) years from the end of the relevant accounting period (HMRC requirement under the VAT Regulations 1995 and Companies Act 2006).
- Settlement / transaction data — six (6) years from the end of the tax period (HMRC requirement). Held in archived form post-account-closure; not accessible through the application after closure.
- Raw third-party data captured for integrity verification — thirty (30) days (encrypted at rest), then deleted.
- Marketing email opt-in records — until you withdraw consent, plus thirty (30) days for processing the unsubscribe.
- Website-visit analytics — ninety (90) days.
- Support / live-chat conversations — twelve (12) months from the last message.
- Personal data we are required by law to retain — for the period required by the relevant law (commonly six years).
At the end of the applicable retention period, personal data is either deleted or anonymised so that it can no longer be associated with you.
7. Your rights under the UK GDPR
You have the following rights in respect of personal data we hold about you:
- Right of access (Art. 15) — to be told what personal data we hold and to receive a copy.
- Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
- Right to erasure / “right to be forgotten” (Art. 17) — to have your personal data deleted, subject to legal-retention exceptions.
- Right to restrict processing (Art. 18) — to limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object (Art. 21) — in particular to processing based on legitimate interests, and to direct marketing at any time.
- Right to withdraw consent (Art. 7(3)) — where processing relies on consent; withdrawal does not affect prior lawful processing.
- Right not to be subject to automated decision-making (Art. 22) — not applicable to us, as we do not perform such processing.
To exercise any of these rights, email support@truebooks.co.uk with sufficient information to verify your identity. We will respond within one (1) month of receiving a valid request, in line with Article 12(3) of the UK GDPR. Where a request is manifestly unfounded or excessive we may charge a reasonable fee or refuse it; we will explain our reasoning.
You also have the right to lodge a complaint with the supervisory authority — the Information Commissioner’s Office (“ICO”):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the chance to address any concerns directly first.
8. Marketing communications
We send marketing communications (product news, feature announcements, offers) only where you have explicitly opted in — at registration or in Settings → Notifications. You can withdraw consent at any time by unticking the option in Settings → Notifications or by clicking the unsubscribe link in any marketing email. Service messages (password reset, billing receipts, settlement notifications) are sent on the basis of contract and cannot be unsubscribed while your account is active.
9. Cookies
We use only strictly-necessary cookies to operate the Service (session, authentication, two-factor “remember-this-device”, theme preference, OAuth state and CSRF protection). We do not use advertising, behavioural or third-party-analytics cookies. Full details are in our Cookie Policy.
10. Children
The Service is not directed at children and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete that data.
11. Security
We apply technical and organisational security measures appropriate to the risk, in accordance with Article 32 of the UK GDPR. These include encryption of credentials at rest using AES-256-GCM, encryption in transit using TLS, password hashing using bcrypt, per-user audit logging, role-based access controls, two-factor authentication, periodic security reviews and an internal incident-response procedure. Details are in our Security Notice.
In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the ICO within 72 hours of becoming aware of the breach, in accordance with Article 33. Where the breach is likely to result in a high risk, we will also notify you without undue delay, in accordance with Article 34.
12. Changes to this Notice
We may update this Notice from time to time. When we make material changes that affect how we process your data, we will notify you by email and update the “Last updated” date above at least thirty (30) days before the change takes effect. Continued use of the Service after that date constitutes acknowledgement of the revised Notice.
13. Contact us
Privacy questions, complaints, or requests to exercise your rights should be addressed to:
- Email: support@truebooks.co.uk
- Post: Ideal Creations Ltd, Princes Road, Buckhurst Hill, Essex, IG9 5DZ, United Kingdom
Trademarks and non-affiliation
TrueBooks is an independent third-party solution. TrueBooks is not affiliated with, endorsed by, sponsored by, or otherwise associated with Amazon.com, Inc. or any of its subsidiaries. Amazon, Amazon Seller Central, Selling Partner API, FBA, and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates. Xero is a registered trademark of Xero Limited. All other trademarks are the property of their respective owners. See our Amazon disclaimer for more detail.