TaxFolioBack to Home

Privacy Policy

Last updated: 30 December 2024

1. Introduction

TaxFolio ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered UK self-assessment tax tool.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (UK DPA 2018). This policy applies to all users of our services.

2. Data Controller

TaxFolio is the data controller responsible for your personal data. For any questions about this policy or our data practices, contact us at:

Email: privacy@taxfolio.uk

3. Information We Collect

3.1 Information You Provide

  • Account information (name, email address, password)
  • Tax-related information you manually enter
  • Communication preferences
  • Support correspondence

3.2 Financial Data via Open Banking (Plaid)

When you connect your bank accounts through our Open Banking integration powered by Plaid, we access:

  • Account information (account type, institution name, account balances)
  • Transaction data (date, amount, merchant name, category)
  • Account holder name for verification purposes

We only access data necessary to provide our tax categorisation services. We do not access your bank login credentials - Plaid handles authentication securely. You can revoke access at any time through your TaxFolio settings or directly with your bank.

3.3 Payment Information (Stripe)

Payment processing is handled by Stripe. We do not store your full payment card details. Stripe provides us with:

  • Last four digits of your card
  • Card type and expiry date
  • Billing address
  • Transaction history with TaxFolio

3.4 Automatically Collected Information

  • Device information (browser type, operating system)
  • IP address and approximate location
  • Usage data (pages visited, features used, time spent)
  • Cookies and similar technologies (see our Cookie Policy)

4. How We Use Your Information

We use your information for the following purposes:

4.1 To Provide Our Services (Legal Basis: Contract)

  • Create and manage your account
  • Connect to your bank accounts via Open Banking
  • Categorise transactions for tax purposes using AI
  • Generate tax summaries and reports
  • Process payments for premium features

4.2 To Improve Our Services (Legal Basis: Legitimate Interest)

  • Analyse usage patterns to improve features
  • Train and improve our AI categorisation models (using anonymised data only)
  • Troubleshoot technical issues
  • Conduct research and development

4.3 To Communicate With You (Legal Basis: Contract/Consent)

  • Send service-related notifications
  • Provide customer support
  • Send marketing communications (with your consent)
  • Notify you of changes to our services or policies

4.4 For Legal and Security Purposes (Legal Basis: Legal Obligation/Legitimate Interest)

  • Comply with legal obligations
  • Prevent fraud and abuse
  • Enforce our terms of service
  • Protect the rights and safety of users

5. Data Sharing and Third Parties

We share your data with the following categories of recipients:

5.1 Service Providers

  • Plaid Inc. - Open Banking connectivity (processes bank connection data)
  • Stripe Inc. - Payment processing (processes payment data)
  • Supabase Inc. - Database and authentication services
  • Anthropic - AI processing for transaction categorisation (anonymised data only)
  • Vercel Inc. - Hosting and infrastructure

All service providers are bound by data processing agreements and are required to protect your data in accordance with GDPR requirements.

5.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change and your choices regarding your data.

6. International Data Transfers

Some of our service providers are based outside the UK. When we transfer your data internationally, we ensure appropriate safeguards are in place:

  • Transfers to countries with an adequacy decision from the UK Government
  • Standard Contractual Clauses approved by the UK ICO
  • Binding Corporate Rules where applicable

7. Data Retention

We retain your data for as long as necessary to:

  • Provide our services to you
  • Comply with legal obligations (tax records must be kept for 6 years)
  • Resolve disputes and enforce agreements

Specific retention periods:

  • Account data: Until account deletion, plus 30 days for backups
  • Transaction data: 6 years from the relevant tax year end (HMRC requirement)
  • Payment records: 7 years (legal requirement)
  • Usage analytics: 26 months

8. Your Rights

Under UK GDPR, you have the following rights:

  • Right of Access - Request a copy of your personal data
  • Right to Rectification - Request correction of inaccurate data
  • Right to Erasure - Request deletion of your data (subject to legal retention requirements)
  • Right to Restrict Processing - Request limitation of how we use your data
  • Right to Data Portability - Receive your data in a machine-readable format
  • Right to Object - Object to processing based on legitimate interests or for marketing
  • Right to Withdraw Consent - Withdraw consent at any time for processing based on consent

To exercise any of these rights, contact us at privacy@taxfolio.uk. We will respond within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

9. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Secure authentication with password hashing and optional two-factor authentication
  • Regular security assessments and penetration testing
  • Access controls and employee training
  • Incident response procedures

10. Children's Privacy

TaxFolio is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on our website. Your continued use of TaxFolio after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@taxfolio.uk