AccountantUK

Privacy policy

Effective: 26 May 2026

This privacy policy explains how AccountantUK (www.accountantuk.app) collects, uses, stores and protects your personal data. We're a UK-based service for managing UK tax obligations.

We're committed to GDPR and the UK Data Protection Act 2018. If anything here isn't clear, email us — contact details are at the bottom.

What we collect

We collect data you give us directly to provide the service:

  • Account: name, email, password (hashed), preferences.
  • Tax identity: NINO, UTR, VRN, Companies House CRN, PAYE references — encrypted at rest (AES-256-GCM) and only used to submit to HMRC / Companies House on your behalf.
  • Business records: invoices, expenses, payslips, VAT returns, ITSA quarterly updates, payment data, scanned receipts.
  • Government Gateway credentials (for RTI payroll / CIS submissions) — encrypted at rest, only sent to HMRC at submission time.
  • Technical: IP address + user agent on every audit-logged action.

Why we collect it

Each category has a clear, lawful basis:

  • Provide the service: build invoices, compute tax, file returns. Lawful basis: contract.
  • Meet tax obligations: keep records for HMRC's mandated 6-year retention. Lawful basis: legal obligation.
  • Audit trail: log significant actions for compliance + fraud prevention. Lawful basis: legitimate interest.
  • Email notifications + receipts: confirmation of submissions you make. Lawful basis: contract.

Who we share with

We never sell your data. We use a small number of sub-processors, each with their own privacy policy:

  • HMRC: submission of VAT, ITSA, RTI and CIS data when you authorise it (OAuth or Government Gateway credentials).
  • Companies House: company-profile lookup and annual-accounts filing (when enabled).
  • Stripe: subscription billing.
  • Resend: transactional email delivery.
  • Vercel / Vercel Blob: hosting and immutable receipt storage.
  • Neon (PostgreSQL): encrypted PostgreSQL hosting.
  • Anthropic / Google AI: receipt-image parsing only — never trained on your data.

How long we keep it

Retention is driven by what the data is for:

  • Tax records (invoices, expenses, VAT returns, ITSA updates, RTI submissions, CIS returns, receipts): minimum 6 years from end of accounting period (HMRC Notice 700/22 + s.386 Companies Act 2006).
  • Audit log: 6 years for tax-related events; non-tax entries retained indefinitely with personal identifiers anonymised on account deletion.
  • Account profile + non-tax records: until you delete your account, then erased.

Your rights

Under UK GDPR you have the right to:

  • Access — a copy of the personal data we hold about you.
  • Rectification — correct anything that's wrong.
  • Erasure — delete your account (Settings → Danger zone → Delete my account, which sends an email confirmation). Tax records subject to the 6-year retention rule above are kept anonymised.
  • Portability — receive your data in a machine-readable format.
  • Complain — to the Information Commissioner's Office (ico.org.uk) if you think we've mishandled your data.

To exercise any of these, email privacy@www.accountantuk.app.

Cookies + tracking

We use a session cookie for authentication. No third-party tracking, no advertising cookies, no analytics scripts that profile users.

On Vercel-hosted domains, a small number of operational cookies are set by Vercel for routing + DDoS protection. None are used for advertising or cross-site tracking.

International transfers

All data is processed in the UK and EU. Our sub-processors (Vercel, Neon, Stripe, Resend, Anthropic, Google AI) may transfer data to the US under standard contractual clauses or adequacy decisions. We don't use sub-processors that lack a lawful UK→US transfer mechanism.

Contact

Privacy queries, data-subject access requests, and complaints:

privacy@www.accountantuk.app