Privacy Policy
Last updated: 25 April 2026
1. Introduction
This Privacy Policy explains how TaxMTD ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the TaxMTD platform ("Service"). We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller: CLIQER LTD trading as TaxMTD (Company No. 15955878), a private limited company registered in England.
Privacy contact: privacy@taxmtd.uk for all data-protection matters (access requests, erasure, rectification, complaints). For general support, use support@taxmtd.uk.
2. Data We Collect
2.1 Personal Information
- Full name, email address, and contact details
- Business name, type, and registration details (UTR, Company Number, VAT Number, NINO)
- Login credentials (passwords are hashed and never stored in plain text)
2.2 Financial Data
- Bank transactions imported via Open Banking (Plaid), direct API connections (Stripe, PayPal, Wise, Revolut, GoCardless, Square), e-commerce platforms (Shopify, WooCommerce, Amazon Seller Central), accounting platform migration (FreeAgent), or manual CSV upload
- Time tracking data imported from Timing or entered manually
- Invoices, bills, estimates, credit notes, and purchase orders
- Expense categories, receipts, and merchant information
- Payroll data, employee records, and pension contributions
- Tax returns, HMRC submission data, and filing history
- UC statements and assessment period data
2.3 Usage Data
- Pages visited, features used, and session duration
- Browser type, operating system, and device information
- IP address and approximate geographic location
- Error logs and performance metrics
- Pseudonymised session identifiers derived from one-way hashing of IP addresses (raw IP addresses are never stored)
2.4 HMRC Fraud Prevention Data
HMRC's Making Tax Digital rules (Transaction Risking specification) legally require us to collect and transmit a defined set of device and connection metadata with every tax submission or query. This is not optional - it is a condition of using HMRC's APIs. We collect:
- A stable device identifier (random UUID stored in a long-lived cookie on your browser, not linked to any personal data)
- Your public IP address and the timestamp it was observed
- Your browser user-agent, installed plug-in list, and Do Not Track setting
- Your screen size, window size, timezone offset, and colour depth
- Local network IP addresses (gathered via WebRTC) - these never leave the UK and are only sent to HMRC
- A one-way hash of your account ID (so HMRC can link repeat submissions without us disclosing your email or name)
This data is sent only to HMRC and only at the moment you submit a return or query an obligation. We do not use it for marketing, profiling, or sharing with anyone else.
2.5 Data From Third Parties
- Bank account and transaction data via Plaid (FCA-regulated Open Banking AISP)
- Payment and payout data from Stripe, PayPal, Wise, Revolut, GoCardless, and Square
- E-commerce order, settlement, and finance data from Amazon Seller Central, Shopify, and WooCommerce
- Accounting data imported from FreeAgent (via OAuth)
- Time tracking data from Timing (via API)
- Company information and officer data from Companies House
- HMRC authentication tokens, obligation data, and submission responses
3. Open Banking (Plaid)
TaxMTD uses Plaid Financial Ltd as our Open Banking provider. Plaid is authorised and regulated by the Financial Conduct Authority (FCA) as an Account Information Service Provider (AISP) under the Payment Services Regulations 2017 (FCA firm reference 804718).
3.1 What Plaid does
When you choose to connect a bank account, you are redirected to your bank's secure login page. Your bank credentials are never shared with TaxMTD or Plaid - authentication happens entirely inside your bank. Plaid then provides us with a read-only token that lets us fetch transaction data on your behalf.
3.2 What we receive
- Account name, type, currency, and account number mask (last 4 digits)
- Current and available balances
- Transaction history (date, amount, merchant description, payment reference)
We never receive your bank password, PIN, or any ability to move money.
3.3 Consent duration and revocation
Under Open Banking rules, your consent to share bank data lasts for 90 days. After 90 days you must reauthorise through your bank, otherwise the connection expires automatically.
You can revoke access at any time by either:
- Disconnecting the account in TaxMTD (Banking → Connected Accounts → Disconnect). This calls Plaid's
/item/removeendpoint and terminates data sharing immediately. - Revoking the consent directly with your bank in its mobile app or online banking Open Banking / Third-Party Access section.
Revoking consent stops new data from being received. Transactions already imported are retained under the schedule in Section 4.
3.4 Webhook notifications
Plaid sends us webhook notifications about the status of your connection (e.g. if your consent is about to expire, if re-authentication is needed, or if new transactions are available). These webhooks contain no personal data beyond the Plaid-assigned item identifier.
4. How We Use Your Data
We use your data for the following purposes:
- Service Provision: Processing transactions, generating invoices, calculating tax, filing returns, and providing the core accounting functionality
- AI Categorisation: Automatically categorising transactions using AI models to reduce manual bookkeeping effort
- HMRC Submissions: Submitting Self Assessment, VAT, and other tax returns to HMRC on your behalf via Making Tax Digital APIs, including the legally required fraud prevention metadata described in Section 2.4
- Communication: Sending account notifications, billing receipts, and service updates
- Security: Detecting and preventing fraud, unauthorised access, and abuse
- Improvement: Analysing usage patterns to improve the Service (using anonymised, aggregated data only)
5. Data Retention Periods
We retain your data for the following periods:
| Data Type | Retention Period | Basis |
|---|---|---|
| Active account data | While subscription is active | Contract performance |
| Post-cancellation financial records | 7 years from cancellation (read-only) | Legal obligation (Finance Act 1998, Companies Act 2006) |
| Post-deletion request | 30-day grace period, then PII is anonymised | Consent withdrawal + legal obligation |
| Anonymised financial records | 7 years from original creation | Legal obligation (HMRC record-keeping) |
| Audit logs | 7 years | Legal obligation and legitimate interest |
| Analytics and usage data | 2 years | Legitimate interest |
| Marketing preferences | Until consent is withdrawn | Consent |
5.1 Active Accounts
While your subscription is active, all data is retained and fully accessible. You may export your data at any time from your account settings.
5.2 Post-Cancellation
When you cancel your subscription, your data is retained in read-only mode for 7 years. This ensures you can access historical records and satisfies HMRC record-keeping obligations. You may reactivate your subscription at any time during this period.
5.3 Account Deletion
If you request account deletion:
- A 30-day grace period applies, during which you may reverse the request
- After the grace period, all personally identifiable information is anonymised (names, email addresses, and contact details are replaced with anonymised identifiers)
- Financial records are retained in anonymised form for 7 years to comply with HMRC legal requirements
- Anonymised records cannot be traced back to you
5.4 Automatic Purging
Data that has exceeded its retention period is automatically purged from our systems, including backups, within 90 days of the retention period ending.
6. Legal Basis for Processing
We process your personal data under the following legal bases as defined by UK GDPR Article 6:
- Contract (Article 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including transaction processing, invoicing, and tax calculations
- Legal Obligation (Article 6(1)(c)): Retaining financial records as required by HMRC under the Finance Act 1998 and Companies Act 2006; complying with anti-money laundering regulations; transmitting fraud prevention metadata as required by HMRC's MTD Transaction Risking specification
- Legitimate Interest (Article 6(1)(f)): Improving the Service, preventing fraud, ensuring security, and maintaining audit logs. We have conducted a Legitimate Interest Assessment for these purposes
- Consent (Article 6(1)(a)): Where applicable, for optional marketing communications, optional AI features, and Open Banking connections
7. Third-Party Data Sharing
We share your data with the following categories of third parties, strictly as necessary to provide the Service:
| Third Party | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing, subscription billing, and merchant transaction import | Payment card details, billing address, subscription status, payout data |
| Plaid | Open Banking - bank account connections and transaction imports (FCA-regulated AISP, FRN 804718) | Bank account identifiers, transaction data |
| PayPal | Payment and transaction import | Transaction data, payout details |
| Wise | Multi-currency transaction import | Transaction data, account balances |
| Revolut | Business transaction import | Transaction data, account details |
| GoCardless | Direct debit payment import | Mandate data, payment transactions |
| Square | Point-of-sale transaction import | Transaction data, payment details |
| Amazon | Seller Central - order, settlement, and finance data import | Order data, settlement reports, finance events |
| Shopify | E-commerce order and payment import | Order data, transaction details |
| WooCommerce | E-commerce order import | Order data, payment details |
| FreeAgent | Accounting data migration (OAuth) | Contacts, invoices, bills, bank transactions |
| Timing | Time tracking data import | Projects, time entries, app usage |
| HMRC | Making Tax Digital - tax return submissions and fraud prevention metadata | Tax return data, UTR, NINO, VAT number, business details, device fingerprint (see Section 2.4) |
| Companies House | Company lookup and officer verification | Company number, registered details |
| Google Gemini | AI transaction categorisation, receipt OCR, UC statement OCR, AI assistant | Transaction descriptions, amounts, and categories; receipt images; business entity details; contact names; inventory data; and financial summaries |
| Anthropic Claude | AI assistant (optional, user-selectable) | Conversation context, financial summaries |
| OpenAI | AI assistant (optional, user-selectable) | Conversation context, financial summaries |
| Cloudflare | Hosting, CDN, edge compute, and DDoS protection | IP addresses, request metadata |
We do not sell your personal data to any third party. We do not share your data with advertisers.
7.1 Sub-Processor List
For a complete and current list of sub-processors, including service description and Data Processing Agreement, see /legal/sub-processors. We notify you at least 30 days before adding a new sub-processor.
8. Your Rights Under GDPR
Under UK GDPR, you have the following rights:
- Right of Access (Article 15): Request a copy of all personal data we hold about you. TaxMTD provides a one-click data export in Settings that downloads all your financial data in JSON format - no need to email us or wait.
- Right to Rectification (Article 16): Request correction of inaccurate personal data. You can update most information directly in your account.
- Right to Erasure (Article 17): Request deletion of your personal data. This right is subject to the limitations described below.
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format. TaxMTD provides a data export feature in JSON format.
- Right to Restriction of Processing (Article 18): Request that we limit processing of your data while a dispute is resolved.
- Right to Object (Article 21): Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. For Open Banking connections specifically, see Section 3.3.
8.1 Limitations on the Right to Erasure
In accordance with GDPR Article 17(3)(b), we may retain personal data where processing is necessary for compliance with a legal obligation. Specifically:
- Financial records must be retained for 7 years under HMRC requirements
- After an erasure request, PII is anonymised but financial records are preserved in anonymised form
- Audit logs relating to HMRC submissions are retained for regulatory compliance
To exercise any of these rights, contact us at privacy@taxmtd.uk. We will respond within 30 days.
9. Data Security
We implement appropriate technical and organisational measures to protect your data:
- All data is encrypted in transit using TLS 1.2 or higher
- All sensitive credentials (HMRC tokens, bank-feed access tokens, NINOs, gateway passwords) are encrypted at rest using AES-256-GCM
- Passwords are hashed using industry-standard algorithms
- Two-factor authentication is available (and encouraged) for all accounts
- Role-based access controls limit internal access to data
- Security audits and penetration testing
- Rate limiting and CSRF protection on all API endpoints
- Content Security Policy headers to prevent XSS attacks
10. Data Location and Hosting
Application delivery and edge compute are provided by Cloudflare, Inc. via their global Workers network, with UK edge nodes preferred for UK users. Cloudflare maintains compliance with the EU-US Data Privacy Framework and UK Extension.
The TaxMTD application database (Directus) and file storage are hosted by an EU-based sub-processor regulated under EU GDPR. The operator's identity is available on request via privacy@taxmtd.uk.
When using third-party AI services (see Section 7), data may be processed in the United States under Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework. Apart from those AI calls, your application data does not leave the UK / EU.
11. Cookies
TaxMTD uses only essential cookies required for the Service to function, plus HMRC-mandated cookies for tax fraud prevention. See our Cookie Policy for the full list. We do not use advertising or tracking cookies. As all cookies used are strictly necessary for the Service or required by law, no consent banner is required under the Privacy and Electronic Communications Regulations 2003 (PECR), Regulation 6(4).
12. Children
TaxMTD is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
13. Automated Decision-Making and AI Categorisation
Under UK GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you.
TaxMTD's AI features (transaction categorisation, receipt OCR, AI assistant) produce suggestions only. You must review and confirm them before they affect your books or your tax position. Specifically:
- AI-suggested categories are presented as proposals; you can accept, override, or ignore each one.
- No tax return is filed with HMRC without your explicit click on the "Submit" button on the relevant return preview.
- You may disable AI features entirely from Settings → AI.
- You may switch the AI provider (Google Gemini, Anthropic, OpenAI) or turn the assistant off.
Accordingly, TaxMTD does not make solely-automated decisions that produce legal effects under Article 22.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
15. Contact and Complaints
- Data-protection contact: privacy@taxmtd.uk (access, erasure, rectification, complaints)
- General support: support@taxmtd.uk
- Website: taxmtd.uk
- Registered office: CLIQER LTD, Quadrant House, 20 Broad Street Mall, Reading, England, RG1 7QE
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113