Privacy Policy

Last updated: 26 April 2026

TaxBot ("we", "us") is a Making Tax Digital (MTD) assistant for UK sole traders and subcontractors, operated by TaxBot. This policy explains what personal data we collect, why, and how we protect it.

1. Who we are

TaxBot is a UK-based service. For data protection enquiries contact: support@tax-bot.co.uk

2. What data we collect

• Telegram user ID — to identify you in our system
• Name and business name — provided by you during setup
• National Insurance number and UTR — stored AES-256-GCM encrypted; used only to submit to HMRC on your behalf
• Financial transactions — income and expense records you enter or photograph
• Receipt images — stored privately in Supabase cloud storage
• HMRC access tokens — stored AES-256-GCM encrypted; used to submit your MTD returns
• Stripe customer ID — used for subscription billing; we do not store card details

3. Legal basis for processing

• Contract — processing is necessary to provide the TaxBot service you have subscribed to
• Legal obligation — to support your compliance with HMRC Making Tax Digital requirements
• Consent — captured explicitly during onboarding

4. How we use your data

We use your data exclusively to: submit quarterly MTD updates to HMRC on your behalf; generate tax summaries and PDF reports for you; process subscription payments via Stripe.

We never sell, share, or use your data for marketing.

5. Data retention

We retain your data for as long as your account is active. You may request deletion at any time by contacting us; we will delete your data within 30 days, except where retention is required by law (e.g. financial records for 6 years under HMRC rules).

6. Your rights

Under UK GDPR you have the right to: access your data; correct inaccurate data; request erasure; restrict or object to processing; data portability. Contact support@tax-bot.co.uk to exercise any right.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

7. Security

Sensitive fields (NI number, UTR, HMRC tokens) are encrypted at rest using AES-256-GCM. All data is transmitted over HTTPS. Access is restricted to the minimum necessary.

8. Third-party processors

• Supabase (database and file storage) — EU-West servers
• Anthropic (Claude AI for receipt parsing) — data processed transiently, not retained
• Stripe (payment processing)
• HMRC (tax submission)
• Railway (application hosting) — EU-West servers

9. Changes

We may update this policy. Significant changes will be notified via the bot.