Privacy Policy
Last updated: April 2026 ·
Effective from: April 2026 ·
Jurisdiction: United Kingdom
This Privacy Policy explains how VaultMTD Ltd
("we", "us", "our")
collects, uses, stores, and protects personal data when you use
VaultMTD (the "Platform"). We are committed to
protecting your privacy and complying with the UK General Data
Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller: VaultMTD Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ,
Company No. 17210976.
Contact: legal@vaultmtd.uk
1. What Data We Collect
1.1 Account and Identity Data
- Your name, email address, and username
- Your password (stored as a one-way bcrypt hash — we cannot read it)
- Two-factor authentication secrets (stored encrypted at rest)
- Your role within your organisation (owner, accountant, or client)
- Date of account creation and last login
1.2 Business and Financial Data
- Your business name, business type, and UTR/VAT numbers (if provided)
- Income and expense journal entries you create on the Platform
- Bank transaction data imported via Open Banking (TrueLayer)
- HMRC submission records and tax calculation results
- Property and tenancy records (if you use the property module)
1.3 Technical and Usage Data
- Your IP address (captured in server logs and HMRC fraud prevention headers)
- Browser type, screen resolution, and device timezone (used for HMRC fraud prevention headers as required by HMRC's Transaction Monitoring programme)
- Pages visited and actions performed on the Platform (activity audit log)
1.4 Communications Data
- Emails sent to you by the Platform (welcome, password reset, reminders)
- We retain a log of emails sent including subject, template, status, and timestamp
2. How and Why We Use Your Data
We process your personal data on the following legal bases:
-
Contract performance (Article 6(1)(b) UK GDPR):
To provide the accounting, tax submission, and financial management
services you have signed up for.
-
Legal obligation (Article 6(1)(c) UK GDPR):
HMRC requires that all software submitting via Making Tax Digital APIs
collects and transmits specific fraud prevention headers, including
device and IP data, on every API call.
-
Legitimate interests (Article 6(1)(f) UK GDPR):
To maintain platform security, prevent fraud, send service-critical
notifications, and improve the Platform.
3. HMRC Making Tax Digital (MTD) Integration
When you connect your HMRC account to the Platform, we request OAuth 2.0
authorisation scopes to submit tax data on your behalf. Your HMRC
access tokens are stored encrypted using Fernet symmetric encryption
and are never stored in plain text. Tokens are used solely to perform
the MTD actions you have authorised and are revoked when you disconnect
your HMRC account.
As a condition of HMRC's Developer Programme, we are required to submit
fraud prevention headers with every API call. These headers include
your originating IP address, browser fingerprint data, and device
timezone. This is a legal requirement for all MTD-compliant software —
not optional — and constitutes lawful processing under Article 6(1)(c)
UK GDPR.
4. Open Banking (TrueLayer)
If you connect a bank account via Open Banking, we use TrueLayer as
our regulated Open Banking provider. Your bank OAuth tokens are stored
encrypted at rest and used only to fetch transactions you have explicitly
requested. We do not initiate payments on your behalf. Bank connections
can be disconnected at any time from your settings page.
5. Data Retention
We retain personal data for as long as your account is active. If you
request erasure of your account, your personal identity data
(username, email, password, authentication credentials) will be
permanently anonymised.
Important — HMRC 7-Year Carve-Out: Financial records
(journal entries, tax submission logs, HMRC API logs) must be retained
for a minimum of 7 years under the Taxes Management Act 1970. These
records cannot be erased even on request, as we have a legal obligation
to retain them. Upon account erasure, all financial data is retained in
anonymised form — no personal identifiers remain attached to it.
6. Data Sharing
We do not sell your personal data. We share data only with:
- HMRC: Tax data and fraud prevention headers, as required by Making Tax Digital
- TrueLayer: OAuth tokens and transaction requests for Open Banking (UK regulated)
- AI providers (optional): If you use the AI assistant, your financial summary data is sent to your chosen provider (Anthropic, OpenAI, or DeepSeek) via API. No data is stored by these providers beyond their standard API retention policies
- Infrastructure providers: Our hosting, database, and email providers, under data processing agreements
7. Data Security
- All data is stored in the United Kingdom
- All connections use TLS encryption in transit
- HMRC tokens, bank tokens, and AI API keys are stored encrypted at rest using Fernet symmetric encryption
- Passwords are hashed with bcrypt (cost factor 12) — they cannot be reversed or read by us
- Two-factor authentication is available and strongly recommended
- Admin access to production systems is protected by mandatory 2FA and full audit logging
8. Your Rights Under UK GDPR
Right of Access
Download a copy of your personal data from your Settings page at any time.
Right to Rectification
Update your profile, email, and business details from your Settings page.
Right to Erasure
Request deletion of your personal data from Settings. HMRC financial records are retained as required by law.
Right to Portability
Export your personal data as a machine-readable JSON file from Settings.
Right to Object
Object to processing based on legitimate interests by contacting us.
Right to Restrict
Request restriction of processing while a dispute is under review.
To exercise any of these rights, contact us at
legal@vaultmtd.uk.
We will respond within 30 days. You also have the right to lodge a
complaint with the
Information Commissioner's Office (ICO)
at any time.
9. Cookies
The Platform uses a single session cookie to maintain your login state.
This cookie is strictly necessary for the service to function and does
not require consent under the UK Privacy and Electronic Communications
Regulations (PECR). We do not use tracking, advertising, or analytics
cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we
will update the "Last updated" date at the top of this page. Continued
use of the Platform after changes constitutes acceptance of the
revised policy.
11. Contact Us
For any privacy-related questions, data requests, or complaints:
- Email: legal@vaultmtd.uk
- Post: VaultMTD Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ