Home Individuals Accountants Features Pricing Firm Pricing Blog FAQ Contact
🏠 Landlord / Sole Trader Login 🏢 Accountancy Firm Login Get Started →
Legal

Privacy
Policy

How we collect, use, store, and protect your personal data. Your privacy matters to us.

Home Privacy Policy
Summary. We collect only the information needed to provide your MTD tax service. We never sell your data. All financial data is stored securely and processed only as required for HMRC Making Tax Digital compliance.

1. Who We Are

File MTD ITSA is a Making Tax Digital compliance service for UK landlords and sole traders. For data protection purposes, we are the Data Controller of your personal information.

Contact: privacy@filemtditsa.co.uk

2. What Data We Collect

  • Identity data: Full name, date of birth, National Insurance Number (NINO), Unique Taxpayer Reference (UTR)
  • Contact data: Email address, phone number
  • Financial data: Rental income, allowable expenses, tax calculations, payment information (handled by Stripe)
  • Technical data: IP address, browser type, session information, login timestamps
  • Usage data: HMRC submissions made through the portal, audit log entries

3. How We Use Your Data

  • Providing and operating the MTD portal service
  • Submitting quarterly updates and year-end declarations to HMRC on your behalf
  • Processing your subscription payment via Stripe
  • Sending service emails (submission confirmations, account notifications)
  • Providing customer support
  • Complying with legal obligations under HMRC Making Tax Digital regulations
  • Fraud prevention and platform security

4. Legal Basis for Processing

  • Contract performance: To provide the services you have paid for
  • Legal obligation: To comply with HMRC MTD regulations and tax law
  • Legitimate interests: Platform security, fraud prevention, service improvement
  • Consent: For optional communications and functional cookies

5. Data Sharing

  • HMRC: Quarterly updates, annual adjustments, and year-end declarations submitted as required by Making Tax Digital legislation
  • Stripe: Payment processing. Stripe is a PCI-DSS Level 1 certified processor. We do not store your card details
  • Google reCAPTCHA v2: “I'm not a robot” checkbox bot protection on registration and contact forms (Google Privacy Policy)

We do not sell, rent, or share your data with third-party marketers or advertisers.

6. Data Retention

We retain your data for as long as your account is active, plus 7 years after account closure to comply with HMRC record-keeping requirements (Finance Act 2008, s.29). Payment records are retained for 6 years in line with statutory accounting requirements.

7. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion (subject to legal retention obligations)
  • Restriction — ask us to limit how we process your data
  • Portability — receive your data in a portable format
  • Object — object to processing based on legitimate interests

To exercise any of these rights, contact privacy@filemtditsa.co.uk. We will respond within 30 days.

8. Security

  • HTTPS/TLS encryption for all data in transit
  • Bcrypt password hashing (plaintext passwords are never stored)
  • Session-based authentication with automatic expiry
  • Full audit logging of all account activity
  • Access controls limiting data to authorised personnel only

9. Cookies

We use essential cookies to operate the portal and optional functional cookies to remember your preferences. For full details, see our Cookie Policy.

10. Complaints

If you have concerns about how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ICO: ico.org.uk | Helpline: 0303 123 1113

11. Changes

We may update this Privacy Policy from time to time. Material changes will be notified to you by email. The current version is always available on this page.

FAQ

Privacy — FAQ

Questions about how we handle your data.

Do you sell my data?
No. We never sell, rent, or share your personal or financial data with third-party marketers or advertisers. Data is shared only with HMRC (for submissions) and Stripe (for payments).
How long do you keep my data?
We retain data while your account is active plus 7 years after closure to comply with HMRC record-keeping requirements under the Finance Act 2008.
Can I request deletion of my data?
Yes. Under UK GDPR you can request erasure of your data, subject to our legal obligation to retain certain records for HMRC compliance.
Where is my data stored?
Exclusively on UK-based servers. We never transfer data outside the UK and do not use overseas hosting or cloud infrastructure for customer data.