Skip to main content
Tax QTax Q
Log inGet free MTD software
Legal

Privacy Policy

Last updated: 6 April 2026 · Version 1.1 · Applies to taxq.co.uk

Contents

  1. Who we are
  2. What personal data we collect
  3. Lawful basis for processing
  4. How we use your HMRC data
  5. Who we share your data with
  6. Retention periods
  7. Your rights under UK GDPR
  8. Security
  9. International data transfers
  10. Cookies
  11. ICO registration
  12. Data processors
  13. Changes to this policy

1. Who we are

TAX Q is a Making Tax Digital (MTD) software service that allows UK landlords and sole traders to submit quarterly income and expense updates to HMRC under MTD for Income Tax Self Assessment (MTD ITSA). TAX Q Ltd is the data controller for UK data protection law purposes.

Contact: privacy@taxq.co.uk

2. What personal data we collect

  • Account data: name, email address, hashed password.
  • National Insurance Number (NINO): required to submit MTD updates to HMRC on your behalf. Encrypted at rest.
  • HMRC OAuth tokens: access and refresh tokens issued by HMRC when you authorise TAX Q. We never store your Government Gateway username or password.
  • Tax submission data: income and expense figures you enter and submit to HMRC (financial records).
  • TOTP / 2FA data: a time-based one-time password secret used to secure your account before HMRC submissions. Encrypted at rest.
  • Payment data: subscription billing records processed by Stripe. We do not store card numbers.
  • Device data for HMRC fraud prevention: screen size, IP address, browser user agent, window size, timezone, and a persistent device identifier. This data is collected at the point of HMRC API submission and sent directly to HMRC as legally required fraud prevention headers. It is not stored by TAX Q.
  • Usage data: IP address, browser type, and pages visited.

3. Lawful basis for processing

We process your data under the following lawful bases, by category:

Data categoryLawful basisWhy
National Insurance Number (NINO)Contractual necessity — Art. 6(1)(b)Required to submit MTD updates to HMRC on your behalf
Tax and financial dataContractual necessity — Art. 6(1)(b)Core service: recording and submitting your income and expenses
Email address (account)Contractual necessity — Art. 6(1)(b)Required for account creation, authentication, and submission confirmations
Email address (service emails)Legitimate interests — Art. 6(1)(f)Deadline reminders and product updates. You can opt out at any time
TOTP / 2FA secretsContractual necessity — Art. 6(1)(b)Required for secure authentication before HMRC submissions
HMRC OAuth tokensContractual necessity — Art. 6(1)(b)Required to authenticate with HMRC on your behalf
Device data (fraud prevention headers)Legal obligation — Art. 6(1)(c)HMRC legally requires all MTD software to collect and transmit fraud prevention headers
Payment / subscription dataContractual necessity — Art. 6(1)(b)Required to manage your subscription via Stripe
Marketing communicationsConsent — Art. 6(1)(a)Optional. You may withdraw consent at any time via account settings

4. How we use your HMRC data

HMRC OAuth tokens are used solely to submit your MTD updates to HMRC on your behalf. They are not shared with any third party and are not used for any other purpose. This processing complies with the HMRC Developer Hub Terms of Use.

5. Who we share your data with

  • HMRC: submission data and fraud prevention headers sent via MTD APIs as required by law.
  • Supabase: database provider, data hosted in EU (Ireland, eu-west-2 region).
  • Stripe: payment processor, PCI-DSS Level 1 certified.
  • Vercel: application hosting and edge network.
  • Resend: transactional email delivery (submission confirmations, deadline reminders).
  • Sentry: error monitoring and performance tracking. PII is scrubbed before transmission.

We do not sell your personal data.

6. Retention periods

  • NINO: duration of account + 30 days after deletion.
  • Tax submissions and financial records: 7 years from submission date (HMRC record-keeping requirements).
  • Email address: duration of account + 30 days after deletion.
  • TOTP / 2FA secrets: deleted immediately on account deletion.
  • HMRC tokens: deleted on disconnection or account deletion.
  • Payment records: 7 years (Companies Act 2006).
  • Fraud prevention header data: not stored by TAX Q — sent directly to HMRC per API request.
  • Server logs: 90 days (operational necessity).

Full retention policy details are maintained internally at docs/retention-policy.md.

7. Your rights under UK GDPR

Under UK GDPR, you have the following rights:

  • Right of access (Art. 15) — request a copy of your personal data.
  • Right to rectification (Art. 16) — correct inaccurate data.
  • Right to erasure (Art. 17) — request deletion of your account and data. You can do this from Dashboard > Settings > Delete account, or by emailing us. Note: data already submitted to HMRC cannot be deleted from HMRC's systems, and financial records are retained anonymised for 7 years per HMRC requirements.
  • Right to data portability (Art. 20) — export your data in machine-readable JSON format from Dashboard > Settings.
  • Right to restriction of processing (Art. 18) — request that we limit how we use your data.
  • Right to object (Art. 21) — object to processing based on legitimate interests.

To exercise any right, email privacy@taxq.co.uk. We will respond within one calendar month.

You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We use HTTPS, bcrypt password hashing, and access controls. We apply appropriate technical and organisational measures under UK GDPR Article 32.

9. International data transfers

Some of our sub-processors are based outside the UK. We ensure appropriate safeguards are in place for each transfer:

  • Stripe processes payment data in the United States.
  • Vercel hosts the application and may process data in the United States.
  • Supabase processes data in the EU (Ireland), covered by the UK adequacy decision for the EEA.
  • Resend processes email data in the United States.
  • Sentry processes error monitoring data in the United States.

For transfers to the United States, safeguards include Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (UK IDTA) as applicable.

You may request details of the specific safeguards in place by contacting privacy@taxq.co.uk.

10. Cookies

We use strictly necessary session cookies only. We do not use advertising or tracking cookies.

Cookie namePurposeDurationStrictly necessary
taxq_device_idHMRC fraud prevention device tracking365 daysYes
next-auth.session-tokenAuthentication sessionSessionYes
taxq_cookie_consentRecords your cookie preference365 daysNo

11. ICO registration

TAX Q Ltd is registered with the Information Commissioner's Office (ICO) as a data controller.

ICO Registration Number: [INSERT_ICO_REG]

12. Data processors

A register of our data processors is maintained internally in accordance with UK GDPR Article 28.

13. Changes to this policy

We will notify you of material changes by email or in-app notice. The date above reflects the latest update.

← Back to home