
Contents

  • 1. Purpose
  • 2. HMRC and tax data
  • 3. Other account and technical data
  • 4. Security
  • 5. Retention and audit
  • 6. MTD mandation and guidance
  • 7. Your rights
  • 8. Personal data breaches and regulatory notification
  • 9. Cookies
  • 10. Updates

Privacy policy

TaxApp UK — Making Tax Digital for Income Tax Self Assessment (MTD ITSA)

Controller: TaxApp UK. Contact: [email protected] — 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.

1. Purpose

This notice describes how TaxApp UK processes personal data when you use the application to prepare estimates and, where you connect HMRC, to interact with HMRC MTD ITSA services on your behalf.

2. HMRC and tax data

When you connect your HMRC account, we process categories of data needed to operate MTD ITSA features, including: National Insurance number (stored encrypted); HMRC business details and obligations; calculation and declaration status; and payloads and responses for submissions you make through the app. We log HMRC correlation identifiers for support and compliance.

HMRC processing is governed by HMRC and your relationship with HMRC; this notice covers TaxApp UK’s role as software provider and data processor where applicable.

3. Other account and technical data

We process sign-in and account identifiers from our identity provider (Microsoft Entra External ID), application usage data needed to run the service, and technical data (including IP address and device characteristics) required for security and for fraud prevention headers that HMRC mandates we send with MTD API requests.

4. Security

Data in transit uses HTTPS. Selected sensitive fields (including HMRC tokens and your stored NINO) are encrypted at rest using keys held in Azure Key Vault. Infrastructure runs on Microsoft Azure; primary application data is stored in PostgreSQL (Neon).

5. Retention and audit

HMRC MTD submission audit records may be retained for an extended period to meet statutory and regulatory expectations (including up to 13 years for certain submission records). Erasure requests that affect those records are assessed case by case; limitations may apply. The technical retention and archive policy is published here: retention-policy.md (draft until Legal sign-off).

6. MTD mandation and guidance

Government mandation thresholds for MTD ITSA have been announced by income band (including £50,000 from April 2026, £30,000 from April 2027, and £20,000 from April 2028). Users below applicable thresholds may use MTD voluntarily. Penalty and obligation information shown in the app is for general information only and is not tax or legal advice; see GOV.UK: penalties for Making Tax Digital for Income Tax.

7. Your rights

Subject to statutory exceptions (including HMRC audit retention), you may have rights to access, rectify, or erase personal data, and to object or restrict certain processing under UK GDPR. To request account and data deletion, follow the steps on our account deletion page or contact us at the email above. You may complain to the Information Commissioner’s Office (ICO).

8. Personal data breaches and regulatory notification

We maintain internal procedures to detect, assess, and respond to incidents affecting personal data and service security.

Where UK GDPR requires it, we notify the ICO of personal data breaches without undue delay and, where feasible, within 72 hours of becoming aware, using the ICO’s personal data breach reporting process.

Where an incident concerns the security of personal or customer data processed in connection with HMRC MTD ITSA or HMRC APIs, we notify HMRC without delay by raising a ticket through HMRC Developer Hub support within 72 hours, including a designated breach contact name and telephone number as HMRC requires.

9. Cookies

Cookies are small text files stored on your device when you visit a website. They are often used to remember preferences or to understand how a site is used.

We do not currently use non-essential cookies on the web experience. When we do, we will update this notice and ask for your consent before using them.

10. Updates

We will update this page when our processing changes materially. The “last updated” date may be shown in repository history for this document.