Legal

Privacy Policy

Last updated: 18 June 2026

This policy explains what personal data SimpleTaxLink collects, why we collect it, and how we protect it — in plain English.

1. Who we are

SimpleTaxLink ("we", "us", "our") is a Making Tax Digital (MTD) bridging software service operated in the United Kingdom. We act as the data controller for personal data collected through simpletaxlink.co.uk.

If you have any questions about this policy or how we handle your data, contact us at simpletaxlink@gmail.com.

2. What data we collect

We collect and store the following personal data:

Account data — your email address and display name, provided when you sign up.
HMRC OAuth tokens — access and refresh tokens issued by HMRC when you authorise our app. These allow us to submit MTD quarterly updates on your behalf.
HMRC identifiers — your National Insurance Number (NINO) and self-employment business ID, which you provide during the submission setup.
Google OAuth tokens — access and refresh tokens issued by Google when you connect a Google Sheet, plus the email address of the Google account. We request read-only access to the specific sheets you select — we never write to your spreadsheet.
Google Sheet metadata — the sheet ID, sheet name, and column mapping you configure. We do not store the raw contents of your spreadsheet; data is read at submission time only and then discarded.
Submission records — income, expenses, period dates, HMRC reference numbers, and submission timestamps for each quarterly update you make.
Payment and billing data — your email address and name are shared with Stripe to create and manage your subscription. We store a Stripe customer ID and subscription ID in our database to identify your plan. We do not store or have access to your payment card details — these are handled exclusively by Stripe and stored subject to PCI-DSS requirements.
Technical data — server logs, IP addresses, and device identifiers processed transiently for security and fraud prevention purposes required by HMRC.

3. Why we process your data

We process your data under the following legal bases (UK GDPR Art. 6):

Contract performance (Art. 6(1)(b)) — to provide the MTD submission service you signed up for, including authenticating your account, submitting quarterly updates to HMRC on your behalf, reading your Google Sheets, and processing your subscription payment.
Legal obligation (Art. 6(1)(c)) — HMRC requires fraud prevention headers containing device and connection data on every API call. We are also required to retain submission records for tax purposes.
Legitimate interests (Art. 6(1)(f)) — to operate, improve and secure the service, communicate service updates, and detect abuse.

We do not use your data for automated decision-making or profiling.

4. How we store your data

Database: Your account data, tokens, submission records, and preferences are stored in Supabase (PostgreSQL), hosted on AWS infrastructure in the EU (eu-west-2 / Ireland region). Authentication is handled by Supabase Auth. HMRC OAuth tokens and Google OAuth tokens are stored encrypted at rest.

Payments: Subscription and billing data is processed and stored by Stripe, Inc. Stripe stores payment card details on PCI-DSS-compliant infrastructure. We store only a Stripe customer ID and subscription ID.

Hosting: The application is hosted on Vercel's edge network. Request logs are retained by Vercel subject to their data retention policies.

5. Data retention

We retain personal data only for as long as necessary:

Account and profile data — held for as long as your account is active. Deleted within 30 days of account deletion request.
HMRC OAuth tokens — held until you disconnect your HMRC account or delete your account, whichever is sooner.
Google OAuth tokens — held until you disconnect your Google account or delete your account, whichever is sooner.
Submission records — retained for 7 years in line with HMRC record-keeping requirements (even after account deletion).
Payment records (Stripe) — Stripe retains transaction records for up to 7 years for legal and fraud prevention purposes, subject to Stripe's own privacy policy.
Server and application logs — retained for up to 90 days.

To request deletion of your account and associated data, email simpletaxlink@gmail.com. We will action deletion requests within 30 days, subject to the legal retention obligations above.

6. Who we share your data with

We do not sell your data. We share it only with the following processors, each under a data processing agreement:

HMRC — submission data (income, expenses, period dates) and fraud prevention headers are transmitted to HMRC's API to submit your MTD quarterly updates. HMRC is an independent data controller for data it receives.
Google — OAuth tokens are used to read the Google Sheets you explicitly connect. We request the minimum read-only scope required. No data is written to your sheets.
Stripe, Inc. — your email address and name are shared with Stripe to create a customer record and process your subscription. Stripe acts as a data processor for billing and, where applicable, an independent controller for fraud prevention. See Stripe's privacy policy at stripe.com/gb/privacy.
Supabase, Inc. — our database and authentication provider. Data is stored in the EU (Ireland). See Supabase's privacy policy at supabase.com/privacy.
Vercel, Inc. — our hosting provider. Requests pass through Vercel's edge network. See Vercel's privacy policy at vercel.com/legal/privacy-policy.

7. Your rights under UK GDPR

As a UK data subject you have the following rights:

Right of access — request a copy of all personal data we hold about you.
Right to rectification — ask us to correct inaccurate or incomplete data.
Right to erasure (deletion) — ask us to delete your personal data. We will do so within 30 days except where we are legally required to retain it (e.g. 7-year submission records for HMRC compliance).
Right to restriction — ask us to pause processing of your data in certain circumstances.
Right to data portability — receive your data in a structured, machine-readable format (JSON or CSV on request).
Right to object — object to processing carried out under legitimate interests.
Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.

To exercise any of these rights, email simpletaxlink@gmail.com with the subject line "Data Request". We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

8. Cookies

We use a single session cookie (set by Supabase Auth) that is strictly necessary to keep you signed in. We do not use advertising, analytics, or tracking cookies.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice in the app at least 14 days before the change takes effect. The "last updated" date at the top of this page reflects the most recent version.

Continued use of SimpleTaxLink after a change takes effect constitutes acceptance of the updated policy.

10. Contact

For any privacy-related questions or to exercise your data rights:

Email: simpletaxlink@gmail.com

Subject line: "Data Request" or "Privacy Enquiry"

We aim to respond within 30 days. For security-related concerns, see our responsible disclosure policy at simpletaxlink.co.uk/security.