Legal

Privacy Notice

Last updated: 26 December 2025

This Privacy Notice explains how Taxat ("Taxat", "we", "us", "our") collects, uses, shares and protects personal data.

Taxat is an AI-driven defence and evidence-linking layer for UK accountants. It can reconcile client-authorised data across bookkeeping ledgers, bank feeds (via Open Banking), receipts/invoices, and (where authorised) HMRC APIs, and generates evidence-linked outputs such as a "Defence Graph", "Defence Score" and related discrepancy flags to support pre-filing review. (Taxat is not affiliated with HMRC.)

This notice covers:

  • Visitors to our website (taxat.co.uk)
  • People who request beta access, a demo, or join our updates list
  • Users of the Taxat platform (e.g., accounting firm team members)
  • Individuals whose data may be processed within the Taxat platform by an accounting firm (e.g., the accounting firm's end-clients)

If you are an end-client of an accountant using Taxat: Your accountant is usually the organisation responsible for deciding why and how your personal data is used in the Taxat platform (the "controller"). Taxat generally acts as the accountant's service provider and processes personal data on the accountant's instructions (a "processor"). See Section 3 (Our role).

If you have questions about this notice or our data practices, contact us using the details in Section 2.

1) Key definitions

  • "Personal data" means information that relates to an identified or identifiable individual.
  • "Controller" means the organisation that decides why and how personal data is processed.
  • "Processor" means the organisation that processes personal data on behalf of a controller.
  • "Platform" means the Taxat web application, related services, and integrations.

2) Who we are (controller details)

Taxat is the trading name of:

  • Legal name: [Taxat Ltd / full legal entity name]
  • Company number: [TBD]
  • Registered office: London, United Kingdom
  • Main address (if different): London, United Kingdom
  • Email: admin@taxat.co.uk

If you are a regulated firm performing due diligence, we can provide security and governance materials on request (e.g., data flow summary, policy outlines, and controls), subject to appropriate confidentiality terms.

Data Protection Officer (DPO):

A) We have not appointed a DPO. Please direct privacy queries to admin@taxat.co.uk.

UK supervisory authority:

The Information Commissioner's Office (ICO) is the UK regulator for data protection. You can complain to the ICO if you are unhappy with how we handle your personal data (see Section 14).

3) Our role: when we are a controller vs a processor

A) When Taxat is a controller

We are a controller for personal data we process:

  • to operate and secure our website,
  • to respond to enquiries, beta requests and demo requests,
  • to manage our relationship with business contacts and platform users at accounting firms,
  • to administer accounts, billing, and platform access for firm users,
  • to market to business contacts where permitted, and
  • to comply with our legal obligations.

B) When Taxat is a processor

When an accounting firm uses Taxat in connection with its end-clients (taxpayers), the firm typically determines:

  • what client data to upload/connect,
  • the purpose for using Taxat (e.g., preparing/defending a Self Assessment filing),
  • who can access outputs,
  • how long data should be retained,

and Taxat processes that data on the firm's instructions under a Data Processing Agreement (DPA).

C) When Taxat may be an independent controller for limited purposes

In limited circumstances, we may act as an independent controller for:

  • security monitoring and preventing abuse (e.g., detecting fraud or unauthorised access),
  • maintaining audit logs necessary to protect the service and meet legal obligations,
  • creating aggregated, de-identified statistics (where feasible) for product performance and improvement.

Where such data remains personal data (e.g., still identifiable), we apply safeguards and lawful bases as described below.

4) Personal data we collect

We collect different types of personal data depending on how you interact with us.

4.1 Website visitors (taxat.co.uk)

We may collect:

  • Device and usage data: IP address, device identifiers, browser type, operating system, referral/source pages, pages viewed, time spent, and similar analytics information.
  • Cookie and similar technology data (see Section 15).

4.2 Beta access / demo / updates list

If you submit a form on our website (e.g., "Request beta access", "Book a demo", "Join updates"), we may collect:

  • Identity and contact data: name, work email, company/firm name (if provided).
  • Professional context: firm size, approximate number of Self Assessment clients per year, your current software stack, and any notes you provide.
  • Scheduling details: your availability or preferred contact time.
  • Communications: messages you send us and our responses.

4.3 Platform users (people at accounting firms)

When your firm creates or administers your user account, we may collect:

  • Account details: name, work email, job title/role (if provided), firm affiliation, user ID.
  • Authentication and security data: login timestamps, IP addresses, MFA settings (if enabled), password reset tokens (where applicable), and security events.
  • Activity logs: actions in the platform (e.g., access to a client file, export actions, permission changes), to maintain security and provide auditability.

4.4 Client/end-client data processed in the Platform (typically as processor)

Depending on what the accounting firm and/or the end-client authorises, Taxat may process (on the firm's instructions):

  • Identification data: name, address, date of birth (where included in client records), UTR and other tax identifiers (where included), and other identifiers required for the accountant's work.
  • Financial and transaction data: bank transactions, bank statements/feeds, income/expense details, ledger entries, invoices, receipts, and supporting documents.
  • Tax and compliance data: Self Assessment figures, computations, obligations/statuses (e.g., where integrated), and evidence links used to support filing figures.
  • Evidence metadata: document titles, dates, suppliers/merchant names, amounts, categories, and links between figures and evidence ("Defence Graph" style lineage).
  • Notes and communications uploaded by the firm: explanations, working papers, internal comments, task/action items (e.g., "obtain missing receipt" workflows).
  • Integration identifiers: IDs from connected accounting software providers and authorised data sources.

4.5 Data from third-party sources

We may receive data from:

  • Accounting/ledger systems (e.g., if your firm connects them or imports exports),
  • Open Banking / banking data providers (if authorised by the end-client and/or the firm),
  • HMRC APIs (only where the taxpayer/agent authorises access using official authorisation flows),
  • Other sources the firm chooses to connect or upload (e.g., CSV imports).

4.6 Special category data and criminal offence data

We do not intentionally require special category data (e.g., health, ethnicity) or data about criminal convictions/offences to provide our service. However, such information could appear in free-text notes or documents uploaded by the firm (for example, a document that references sensitive information). Where this occurs, we expect firms to minimise such uploads and we apply access controls and security measures. If we ever plan to process special category data in a structured way, we will update this notice and ensure an appropriate lawful basis/condition applies.

5) What we use personal data for (purposes) and our lawful bases

UK GDPR requires a lawful basis for processing personal data. The lawful basis depends on the context and whether we act as controller or processor.

5.1 When we act as controller (website, leads, business contacts, platform user admin)

We may process personal data for:

A) Providing the website and handling enquiries

Purpose: operate the website, respond to enquiries, handle demo/beta requests, communicate with you.

Lawful basis: legitimate interests (running our business and responding to enquiries), and/or steps prior to entering into a contract.

B) Providing and administering the Platform for firm users

Purpose: create accounts, authenticate users, provide access and platform functionality, provide customer support, manage billing, and deliver services requested by the firm.

Lawful basis: contract (to provide the service), and legitimate interests (administering a B2B relationship).

C) Security, abuse prevention, and service integrity

Purpose: protect accounts, prevent unauthorised access, monitor for security events, maintain audit logs, troubleshoot issues, and enforce acceptable use.

Lawful basis: legitimate interests (protecting the service and users), and legal obligation where applicable.

D) Improving the Platform (product development, analytics)

Purpose: understand how the Platform is used, diagnose issues, improve performance and features, and develop new capabilities.

Lawful basis: legitimate interests. Where cookies/SDKs require consent (e.g., non-essential cookies), we will ask for consent (see Section 15).

E) Marketing and updates to business contacts

Purpose: send product updates, newsletters, and information about beta availability and new features.

Lawful basis: consent (where required) and/or legitimate interests for B2B marketing where permitted by law. You can opt out at any time (see Section 12).

F) Legal compliance and protecting our rights

Purpose: comply with laws, respond to lawful requests from regulators/law enforcement, handle disputes, and establish/exercise/defend legal claims.

Lawful basis: legal obligation; legitimate interests; and/or legal claims.

5.2 When we act as processor (client/end-client data in the Platform)

When we process end-client data for an accounting firm, the firm determines the lawful basis and provides privacy information to its clients. Taxat processes the data only on documented instructions from the firm, as set out in the DPA and service terms.

6) Automated analysis, profiling, and "AI" features

Taxat may perform automated analysis to produce:

  • discrepancy flags (e.g., cross-source mismatches),
  • evidence linking suggestions (e.g., suggesting which transactions/documents support a figure),
  • risk visibility indicators,
  • a "Defence Score" reflecting evidence completeness/traceability.

Important:

  • These outputs are designed as decision-support tools for qualified professionals.
  • They are not intended to be the sole basis for final decisions about a person.
  • Human review remains essential, and your accounting firm can override or confirm evidence links and decisions.

If you are an end-client and you wish to understand how your accountant uses Taxat outputs in connection with your tax affairs, please contact your accountant directly.

7) Who we share personal data with

We do not sell personal data.

Depending on the context, we may share personal data with:

7.1 Service providers ("subprocessors")

We use trusted third parties to host and operate parts of our service, such as:

  • cloud hosting and storage,
  • database and infrastructure providers,
  • email delivery and customer communications tools,
  • analytics and performance monitoring,
  • customer support tools,
  • identity/authentication services,
  • security monitoring and logging tools,
  • Open Banking connectivity providers,
  • integration partners you choose to connect (e.g., accounting software).

We require service providers to protect personal data and only process it for specified purposes.

[Optional: If you maintain a public subprocessor list, link it here]

Subprocessor list: https://www.taxat.co.uk/subprocessors (or "available on request").

7.2 Your accounting firm and authorised users

If you are an end-client, your data will be accessible to the accounting firm and its authorised users (as the controller). Taxat is not responsible for the firm's internal access policies.

7.3 Professional advisers and corporate transactions

We may share personal data with professional advisers (lawyers, accountants, insurers) and with potential buyers/investors if we are involved in a merger, acquisition, or asset sale, subject to confidentiality protections.

7.4 Legal and regulatory disclosures

We may disclose personal data where required by law or where necessary to protect rights, safety, and security.

8) International transfers

We are UK-based, but some of our service providers (or their support teams) may be located outside the UK.

If we transfer personal data outside the UK, we will ensure appropriate safeguards are in place, such as:

  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs,
  • adequacy regulations (where applicable),
  • and/or other legally recognised safeguards.

You can contact us to request more information about the safeguards we use.

9) Security: how we protect personal data

We use technical and organisational measures designed to protect personal data, including:

  • encryption in transit (e.g., TLS) and encryption at rest where appropriate,
  • role-based access controls and least-privilege access,
  • tenant/firm separation controls designed to prevent cross-firm data access,
  • audit logging for sensitive actions (e.g., access, export, permission changes),
  • secure development practices and environment separation,
  • incident response processes.

No system is 100% secure. If you suspect any unauthorised access to your account, contact us immediately at admin@taxat.co.uk.

10) How long we keep personal data (retention)

We retain personal data only for as long as needed for the purposes described in this notice, unless a longer retention period is required or permitted by law.

Typical retention periods (guidance - tailor to your actual policy):

  • A) Website logs and security logs: up to [30-180 days] for routine logs, longer if needed for investigating security incidents.
  • B) Beta requests, demo enquiries, and updates list: up to [12-24 months] from our last interaction, unless you become a customer or request deletion sooner (subject to legal retention needs).
  • C) Platform user account data: for the duration of the firm's contract and a short period after termination (e.g., [30-90 days]) to allow data export and account closure, unless longer retention is required for legal claims, security, or compliance.
  • D) Client/end-client data in the Platform (processor data): as instructed by the accounting firm and/or as set out in the DPA. After termination, we will delete or return client data within [X days] (subject to backups and legal obligations).
  • E) Backups: backups may persist for a limited period (e.g., [30-90 days]) before being overwritten, subject to security and continuity requirements.

11) Your rights

Depending on the context and applicable law, you may have rights including:

  • the right to be informed,
  • the right of access,
  • the right to rectification,
  • the right to erasure,
  • the right to restrict processing,
  • the right to data portability,
  • the right to object (including to direct marketing),
  • the right to withdraw consent (where we rely on consent),
  • rights related to automated decision-making/profiling (where applicable).

How these rights work depends on whether Taxat is acting as controller or processor:

If Taxat is the controller (e.g., your beta enquiry or your platform user account): Contact us at admin@taxat.co.uk.

If Taxat is a processor for your accountant (end-client data): Please contact your accountant first. They are the controller and can instruct us where appropriate.

We may ask you to verify your identity before fulfilling a request.

12) Marketing preferences

If you receive marketing emails from us, you can opt out at any time by:

Opting out will not affect service communications (e.g., security notices, contractual notices).

13) Cookies and similar technologies

We use cookies and similar technologies on our website to:

  • ensure the site works properly,
  • maintain security and prevent abuse,
  • understand usage and improve performance (analytics),
  • (if used) support marketing.

Where required, we will ask for your consent before placing non-essential cookies. You can manage cookie preferences via our cookie banner. If JavaScript is disabled, you can still manage cookies through your browser settings.

Cookie Policy: https://www.taxat.co.uk/cookies

14) Complaints

If you have concerns, please contact us first at admin@taxat.co.uk and we will try to resolve the issue.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Website: https://ico.org.uk/
  • Telephone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15) Children

Taxat is intended for use by professionals (accounting firms) and is not directed at children. We do not knowingly collect personal data from children via our website forms.

16) Changes to this privacy notice

We may update this notice from time to time. We will post the updated version on our website and change the "Last updated" date. If changes are material, we may provide additional notice.

17) Contact

For all privacy enquiries (including rights requests), contact:

  • Email: admin@taxat.co.uk
  • Post: INAMD96903, Wivenhoe Park, Colchester, United Kingdom, CO4 3SQ