TaxBridgeUK
Making Tax Digital
Sign inTry free for 3 months

Privacy Policy

Last updated: 21 May 2026

1. Who We Are

TaxBridge UK Ltd ("we", "us") is the data controller for personal data processed through the TaxBridge service. We are registered in England and Wales.

Contact: hello@mytaxbridge.uk

We are registered with the Information Commissioner's Office (ICO) under registration reference ZC100000. You can verify this at ico.org.uk/ESDWebPages/Search.

2. Data We Collect

We collect and process the following personal data:

Account Data

  • Name and email address
  • Hashed password (if using email/password authentication)
  • Google account identifier (if using Google sign-in)

HMRC Connection Data

  • National Insurance Number (encrypted at rest)
  • HMRC OAuth tokens (encrypted at rest)
  • Business details retrieved from HMRC

Financial Data

  • Income and expense figures you submit
  • Uploaded spreadsheets (processed in memory, not stored)
  • Expense records and receipt images
  • Invoice details
  • Mileage logs

Open Banking Data (optional)

If you choose to connect a bank account, TrueLayer Ltd (an FCA-regulated Account Information Service Provider, registration number 901096) acts as the technical intermediary between your bank and TaxBridge under the Payment Services Regulations 2017. We collect:

  • Account name, sort code, and account number identifiers (last four digits stored)
  • Transaction history for the last 90 days at connection, refreshed daily
  • Encrypted access and refresh tokens issued by your bank to TrueLayer

You can disconnect your bank at any time from Settings — Bank connections, which immediately revokes the consent and stops further data fetching. We never see your bank login credentials; the OAuth-style consent flow happens entirely between your bank and TrueLayer.

AI Processing Data

  • Receipt and book scan images are processed by Mindee SAS (French OCR provider) — images are sent to Mindee's servers, processed for text extraction, and not retained for training
  • Bank transaction descriptions, categorisation prompts, and tax-advice queries are processed by OpenAI (LLM provider). The TaxBridge OpenAI account is configured with zero data retention and no model training
  • Personal identifiers (NINO, full name) are stripped before any AI request

Technical Data

  • IP address, browser type, and device information (required by HMRC fraud prevention headers)
  • Usage data and session information

3. How We Use Your Data

  • Service delivery: Submitting quarterly updates to HMRC on your behalf
  • Tax estimates: Calculating estimated tax liability based on your submissions
  • Communications: Deadline reminders, submission confirmations, account notifications
  • Legal compliance: HMRC fraud prevention header requirements
  • Service improvement: Anonymised usage analytics

4. Legal Basis

  • Contract: Processing necessary to provide the Service you signed up for
  • Legal obligation: HMRC fraud prevention header collection
  • Legitimate interest: Service improvement and security
  • Consent: Marketing communications (you can opt out at any time)

5. Data Security

We take the security of your data seriously:

  • HMRC tokens and NINOs are encrypted at rest using AES-256-GCM
  • Passwords are hashed using bcrypt
  • All data is transmitted over HTTPS/TLS
  • Database hosted on encrypted infrastructure in the EU
  • Access controls and audit logging

6. Data Sharing

We share your data only with:

  • HMRC: Quarterly updates and fraud prevention data (as authorised by you)
  • Stripe: Payment processing (they are a PCI-DSS compliant processor)
  • Resend: Transactional email delivery
  • TrueLayer Ltd: FCA-regulated Open Banking AISP (only when you connect a bank)
  • Mindee SAS: Receipt and book scan OCR (only when you upload an image)
  • OpenAI: AI categorisation, AI tax advice, and AI receipt category inference. Zero data retention configured. No model training.
  • Neon (Postgres) and Vercel: Application hosting and database (data resident in EU)

We never sell your personal data to third parties.

7. Data Retention

  • Account data: Retained while your account is active, deleted within 30 days of account closure
  • Submission records: Retained for 7 years (HMRC record-keeping requirements)
  • Payment records: Retained for 6 years (UK financial regulations)

8. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data (subject to legal retention requirements)
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interest
  • Withdraw consent — for any consent-based processing

To exercise these rights, contact hello@mytaxbridge.uk.

9. Cookies

We use essential cookies for authentication and session management. See our Cookie Policy for full details.

10. Changes

We may update this Privacy Policy from time to time. We will notify you of material changes via email.

11. Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.