Privacy Policy
Last updated: March 2026 · Version 1.0
1. Who We Are
Tax Amigo is a cloud-based accounting and tax compliance platform operated by Tax Amigo Ltd (“we”, “us”, “our”). We are the data controller for personal data processed through this service. Our registered address and company registration details are provided in the Settings section of your account.
We are registered with the Information Commissioner’s Office (ICO) as a data controller. If you have any questions about this policy, please contact our Data Protection Officer at: [email protected]
2. Personal Data We Process
We process the following categories of personal data when you use Tax Amigo:
| Category | Examples | Purpose | Lawful Basis |
|---|---|---|---|
| Identity data | Name, email address, username | Account creation and authentication | Contract performance |
| Tax identifiers | UTR, NINO, VAT registration number | HMRC MTD API submissions | Legal obligation / contract |
| Financial data | Invoices, transactions, bank data | Bookkeeping and tax reporting | Contract performance |
| HMRC OAuth tokens | Access and refresh tokens | Authorised HMRC API access | Consent / contract |
| Technical data | IP address, browser type, device ID | Fraud prevention (HMRC legal requirement) | Legal obligation |
| Usage data | Pages visited, features used | Service improvement | Legitimate interests |
3. HMRC Fraud Prevention Data
When you use Tax Amigo to submit data to HMRC via the Making Tax Digital (MTD) APIs, we are legally required to send fraud prevention headers to HMRC with every API call. These headers include technical data about your device and browser session, such as:
- Your device’s public IP address and local IP addresses
- A persistent device identifier (randomly generated, stored locally)
- Your browser’s user agent string and installed plugins
- Screen resolution and window size
- Your local timezone
- Your Tax Amigo username (not your HMRC Government Gateway credentials)
This is a statutory requirement under Schedule 9 of the Finance Act 2020 and the Value Added Tax (Amendment) Regulations 2019. HMRC uses this data to detect and prevent tax fraud. We do not control how HMRC processes this data — please refer to HMRC’s own privacy notice at gov.uk.
4. HMRC OAuth Authorisation
Tax Amigo uses the HMRC OAuth 2.0 authorisation framework. When you connect your HMRC account, you are redirected to HMRC’s own Government Gateway login page. We never see or store your Government Gateway username or password. HMRC issues us with short-lived access tokens and refresh tokens, which we store in encrypted form in our database. These tokens allow us to submit data to HMRC on your behalf only for the scopes you explicitly authorise.
You can revoke Tax Amigo’s access to your HMRC data at any time by visiting your HMRC online account and removing Tax Amigo from your authorised applications, or by disconnecting from within Tax Amigo’s Settings → HMRC Integration page.
5. Who We Share Your Data With
We share your personal data only where necessary:
| Recipient | Reason | Safeguard |
|---|---|---|
| HMRC | MTD tax submissions (legal obligation) | UK statutory authority |
| Cloud infrastructure provider | Hosting and database services | Data Processing Agreement, UK/EEA servers |
| Your authorised accountant | Accountant access you grant | Role-based access control, your consent |
| Payment processor (Stripe) | Subscription billing | PCI-DSS compliant, Data Processing Agreement |
We will never sell your personal data or share it for third-party marketing without your explicit consent.
6. How Long We Keep Your Data
We retain your financial records (invoices, transactions, VAT returns) for a minimum of 6 years from the end of the relevant tax year, as required by HMRC record-keeping obligations. Account data is retained for the duration of your subscription plus 12 months. You may request earlier deletion of non-statutory data at any time (see Section 8).
7. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of HMRC OAuth tokens and sensitive identifiers at rest
- Role-based access control (RBAC) for all staff accessing customer data
- Regular penetration testing by independent third parties
- Audit logging of all access to customer financial data
If you discover a security vulnerability, please report it immediately to [email protected]. We will acknowledge your report within 24 hours and aim to resolve critical issues within 72 hours. In the event of a personal data breach, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR Article 33.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access: request a copy of all personal data we hold about you (Subject Access Request)
- Right to rectification: correct inaccurate or incomplete personal data
- Right to erasure: request deletion of your data (subject to legal retention obligations)
- Right to portability: export your financial data in a machine-readable format (CSV/JSON)
- Right to restrict processing: limit how we use your data in certain circumstances
- Right to object: object to processing based on legitimate interests
To exercise any of these rights, contact us at [email protected] or use the data export/deletion tools in Settings → Account. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.
9. Cookies
We use essential cookies to maintain your login session and security. We use analytics cookies (with your consent) to understand how the service is used and improve it. You can manage your cookie preferences at any time via the cookie banner or Settings → Privacy.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the application at least 30 days before the change takes effect. Continued use of Tax Amigo after that date constitutes acceptance of the updated policy.
Contact Our Data Protection Officer
Security issues
Post: Tax Amigo Ltd, Data Protection Officer, United Kingdom