Privacy Policy
Last updated: 3 June 2026
TaxBot ("we", "us") is a Making Tax Digital (MTD) assistant for UK sole traders, CIS subcontractors, and landlords, delivered via Telegram and operated by TaxBot. This policy explains what personal data we collect, why, and how we protect it.
1. Who we are
TaxBot is a UK-based service. For data protection enquiries contact: privacy@tax-bot.co.uk
2. What data we collect
- Telegram user ID — to identify you in our system
- Name and business name — provided by you during setup
- Email address — provided by you during setup; used to send reports and receipt ZIP downloads
- National Insurance number and UTR — stored AES-256-GCM encrypted; used only to submit to HMRC on your behalf
- Financial transactions — income and expense records you enter or photograph
- Receipt images — only stored if you explicitly opt in to receipt storage during setup; stored in Supabase cloud storage; not retained otherwise
- HMRC access tokens — stored AES-256-GCM encrypted; used to submit your MTD returns
- Stripe customer ID — used for subscription billing; we do not store card details
- Consent record — the date and time you accepted these terms, and the version of the terms accepted, are stored to demonstrate GDPR compliance
- IP address — logged transiently for fraud prevention and audit purposes
3. Legal basis for processing
- Contract — processing is necessary to provide the TaxBot service you have subscribed to
- Legal obligation — to support your compliance with HMRC Making Tax Digital requirements, and to retain financial records as required by law
- Consent — captured explicitly during onboarding; you may withdraw consent at any time by requesting account deletion
4. How we use your data
We use your data exclusively to: submit quarterly MTD updates to HMRC on your behalf; generate tax summaries and Excel reports for you; send report and receipt ZIP downloads to your email address; process subscription payments via Stripe.
We never sell, share, or use your data for marketing.
5. Data retention
We retain your data for as long as your account is active. You may request deletion at any time by contacting privacy@tax-bot.co.uk; we will delete your data within 30 days, except where retention is required by law (financial records must be retained for 6 years under HMRC rules).
6. Your rights
Under UK GDPR you have the right to: access your data; correct inaccurate data; request erasure; restrict or object to processing; data portability. Contact privacy@tax-bot.co.uk to exercise any right.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7. Security
Sensitive fields (NI number, UTR, HMRC tokens) are encrypted at rest using AES-256-GCM. All data is transmitted over HTTPS. Access is restricted to the minimum necessary.
8. Third-party processors
- Telegram (messaging platform) — messages pass through their servers; governed by Telegram's privacy policy
- Supabase (database and file storage) — EU-West servers
- Anthropic Claude (AI receipt parsing) — receipt images are processed in memory to extract transaction data; not stored or used for training by the AI provider
- Stripe (payment processing) — governed by Stripe's privacy policy
- HMRC (tax submission via Making Tax Digital API)
- Railway (application hosting) — EU-West servers
9. Cookies
TaxBot is a messaging-based service and does not use cookies or tracking pixels on its website.
10. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes via the bot. Continued use of TaxBot after notification constitutes acceptance. Where required by law, we will ask you to re-accept the updated policy in the bot.