VaultMTD logo VaultMTD
Privacy Policy Terms of Service Contact Refund Policy Back to Login

Privacy Policy

Last updated: April 2026  ·  Effective from: April 2026  ·  Jurisdiction: United Kingdom

This Privacy Policy explains how VaultMTD Ltd ("we", "us", "our") collects, uses, stores, and protects personal data when you use VaultMTD (the "Platform"). We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: VaultMTD Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, Company No. 17210976.   Contact: legal@vaultmtd.uk

1. What Data We Collect

1.1 Account and Identity Data

  • Your name, email address, and username
  • Your password (stored as a one-way bcrypt hash — we cannot read it)
  • Two-factor authentication secrets (stored encrypted at rest)
  • Your role within your organisation (owner, accountant, or client)
  • Date of account creation and last login

1.2 Business and Financial Data

  • Your business name, business type, and UTR/VAT numbers (if provided)
  • Income and expense journal entries you create on the Platform
  • Bank transaction data imported via Open Banking (TrueLayer)
  • HMRC submission records and tax calculation results
  • Property and tenancy records (if you use the property module)

1.3 Technical and Usage Data

  • Your IP address (captured in server logs and HMRC fraud prevention headers)
  • Browser type, screen resolution, and device timezone (used for HMRC fraud prevention headers as required by HMRC's Transaction Monitoring programme)
  • Pages visited and actions performed on the Platform (activity audit log)

1.4 Communications Data

  • Emails sent to you by the Platform (welcome, password reset, reminders)
  • We retain a log of emails sent including subject, template, status, and timestamp

2. How and Why We Use Your Data

We process your personal data on the following legal bases:

  • Contract performance (Article 6(1)(b) UK GDPR): To provide the accounting, tax submission, and financial management services you have signed up for.
  • Legal obligation (Article 6(1)(c) UK GDPR): HMRC requires that all software submitting via Making Tax Digital APIs collects and transmits specific fraud prevention headers, including device and IP data, on every API call.
  • Legitimate interests (Article 6(1)(f) UK GDPR): To maintain platform security, prevent fraud, send service-critical notifications, and improve the Platform.

3. HMRC Making Tax Digital (MTD) Integration

When you connect your HMRC account to the Platform, we request OAuth 2.0 authorisation scopes to submit tax data on your behalf. Your HMRC access tokens are stored encrypted using Fernet symmetric encryption and are never stored in plain text. Tokens are used solely to perform the MTD actions you have authorised and are revoked when you disconnect your HMRC account.

As a condition of HMRC's Developer Programme, we are required to submit fraud prevention headers with every API call. These headers include your originating IP address, browser fingerprint data, and device timezone. This is a legal requirement for all MTD-compliant software — not optional — and constitutes lawful processing under Article 6(1)(c) UK GDPR.

4. Open Banking (TrueLayer)

If you connect a bank account via Open Banking, we use TrueLayer as our regulated Open Banking provider. Your bank OAuth tokens are stored encrypted at rest and used only to fetch transactions you have explicitly requested. We do not initiate payments on your behalf. Bank connections can be disconnected at any time from your settings page.

5. Data Retention

We retain personal data for as long as your account is active. If you request erasure of your account, your personal identity data (username, email, password, authentication credentials) will be permanently anonymised.

Important — HMRC 7-Year Carve-Out: Financial records (journal entries, tax submission logs, HMRC API logs) must be retained for a minimum of 7 years under the Taxes Management Act 1970. These records cannot be erased even on request, as we have a legal obligation to retain them. Upon account erasure, all financial data is retained in anonymised form — no personal identifiers remain attached to it.

6. Data Sharing

We do not sell your personal data. We share data only with:

  • HMRC: Tax data and fraud prevention headers, as required by Making Tax Digital
  • TrueLayer: OAuth tokens and transaction requests for Open Banking (UK regulated)
  • AI providers (optional): If you use the AI assistant, your financial summary data is sent to your chosen provider (Anthropic, OpenAI, or DeepSeek) via API. No data is stored by these providers beyond their standard API retention policies
  • Infrastructure providers: Our hosting, database, and email providers, under data processing agreements

7. Data Security

  • All data is stored in the United Kingdom
  • All connections use TLS encryption in transit
  • HMRC tokens, bank tokens, and AI API keys are stored encrypted at rest using Fernet symmetric encryption
  • Passwords are hashed with bcrypt (cost factor 12) — they cannot be reversed or read by us
  • Two-factor authentication is available and strongly recommended
  • Admin access to production systems is protected by mandatory 2FA and full audit logging

8. Your Rights Under UK GDPR

Right of Access
Download a copy of your personal data from your Settings page at any time.
Right to Rectification
Update your profile, email, and business details from your Settings page.
Right to Erasure
Request deletion of your personal data from Settings. HMRC financial records are retained as required by law.
Right to Portability
Export your personal data as a machine-readable JSON file from Settings.
Right to Object
Object to processing based on legitimate interests by contacting us.
Right to Restrict
Request restriction of processing while a dispute is under review.

To exercise any of these rights, contact us at legal@vaultmtd.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time.

9. Cookies

The Platform uses a single session cookie to maintain your login state. This cookie is strictly necessary for the service to function and does not require consent under the UK Privacy and Electronic Communications Regulations (PECR). We do not use tracking, advertising, or analytics cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the Platform after changes constitutes acceptance of the revised policy.

11. Contact Us

For any privacy-related questions, data requests, or complaints:

  • Email: legal@vaultmtd.uk
  • Post: VaultMTD Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
© 2026 VaultMTD Ltd. All rights reserved. Privacy Policy Terms of Service Log In