Privacy Policy
Last updated: March 2026
1. Introduction
filr (“we”, “us”, “our”) operates the website filr.co.uk and provides Making Tax Digital (MTD) for Income Tax Self Assessment (ITSA) compliance software. We are committed to protecting and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding your data.
2. Data Controller
filr, trading at filr.co.uk, is the data controller for the personal data described in this policy. If you have any questions about how we handle your data, you can contact us at support@filr.co.uk.
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Account Information
- Name and email address (provided during registration)
- Authentication data (password hash, or Google OAuth credentials if you choose to sign in with Google)
3.2 HMRC Connection Data
- National Insurance Number (NINO) — encrypted at rest using AES-256 encryption
- HMRC OAuth2 access and refresh tokens — encrypted at rest using AES-256 encryption
- HMRC Government Gateway connection status and metadata
3.3 Financial and Tax Data
- Business information (business name, type, accounting period)
- Income and expense transactions (amounts, categories, descriptions, dates)
- Quarterly submission records and HMRC response data
3.4 Billing Data
- Subscription plan and billing history (payment processing is handled entirely by Stripe — we do not store your full card details)
3.5 Technical Data
- IP address, browser type, and device information (collected automatically as part of HMRC Fraud Prevention Headers, which are required by HMRC for all MTD API submissions)
4. How We Use Your Data
We use your personal data for the following purposes:
- Providing our service: connecting to HMRC on your behalf, submitting quarterly updates, and displaying your tax data in your dashboard
- Account management: creating and maintaining your account, authenticating your identity, and managing your subscription
- HMRC compliance: transmitting Fraud Prevention Headers as required by HMRC for all MTD API calls
- Billing: processing subscription payments through Stripe
- Communication: sending you service-related emails such as submission confirmations, deadline reminders, and important account notifications
- Legal compliance: meeting our obligations under applicable laws and regulations
We do not use your data for marketing purposes, profiling, or automated decision-making. We do not sell your personal data to third parties.
5. Legal Basis for Processing
We process your personal data under the following legal bases as defined in UK GDPR Article 6(1):
- Performance of a contract (Article 6(1)(b)): processing your account data, financial data, and HMRC connection data is necessary to provide you with our MTD compliance service
- Legitimate interests (Article 6(1)(f)): maintaining service security, preventing fraud, and improving our service. Our legitimate interests do not override your fundamental rights and freedoms
- Legal obligation (Article 6(1)(c)): complying with HMRC requirements to transmit Fraud Prevention Headers and retaining records as required by law
- Consent (Article 6(1)(a)): where you explicitly consent to a specific use of your data, such as connecting your HMRC Government Gateway account via OAuth2. You may withdraw consent at any time by disconnecting your HMRC account or contacting us
6. Data Storage and Security
We take the security of your data seriously and implement the following measures:
- Encryption: National Insurance Numbers and HMRC OAuth tokens are encrypted at rest using AES-256 encryption before being stored in our database
- Row Level Security (RLS): our PostgreSQL database enforces row-level security policies, meaning each user can only access their own data at the database level
- Transport encryption: all data in transit is protected using TLS 1.2 or higher
- Hosting: our application is hosted on Vercel (UK/EU data centres) and our database is hosted on Supabase (cloud PostgreSQL with enterprise-grade security)
- Authentication: user accounts are protected by Supabase Auth with secure password hashing and optional Google OAuth
7. Third-Party Data Processors
We share your personal data with the following third-party processors who act on our behalf and under our instructions:
- Supabase (Supabase Inc.): database hosting and authentication services. Supabase stores your account data, encrypted HMRC tokens, and financial records. See the Supabase Privacy Policy.
- Stripe (Stripe Payments Europe, Ltd.): payment processing for subscriptions. Stripe processes your payment card details directly — we do not receive or store your full card number. See the Stripe Privacy Policy.
- Vercel (Vercel Inc.): web application hosting and content delivery. See the Vercel Privacy Policy.
- HMRC: we transmit your tax data (income, expenses, and Fraud Prevention Headers) to HMRC via their MTD for ITSA APIs when you authorise and submit quarterly updates. This is the core function of our service
We do not share your data with any other third parties for marketing or advertising purposes.
8. International Data Transfers
Some of our third-party processors (Supabase, Vercel, Stripe) are US companies. Where your data is transferred outside the UK, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or reliance on the UK extension to the EU-US Data Privacy Framework, as applicable. Our hosting infrastructure is configured to use UK and EU data centres where available.
9. Data Retention
We retain your personal data as follows:
- Account data: retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law
- Financial and tax data: retained for as long as your account is active, plus a minimum of 6 years after account deletion to comply with HMRC record-keeping requirements
- HMRC tokens: deleted immediately upon account deletion or when you disconnect your HMRC account
- Billing records: retained for 7 years as required for accounting and tax purposes
10. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: you can request a copy of the personal data we hold about you
- Right to rectification: you can ask us to correct any inaccurate or incomplete data
- Right to erasure: you can ask us to delete your personal data, subject to our legal retention obligations (see Section 9)
- Right to restrict processing: you can ask us to temporarily stop processing your data in certain circumstances
- Right to data portability: you can request your data in a structured, commonly used, machine-readable format (JSON)
- Right to object: you can object to processing based on legitimate interests
- Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at support@filr.co.uk. We will respond to your request within 30 days.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your data protection rights have been violated: ico.org.uk/make-a-complaint.
11. Cookies
We use only essential cookies required for the functioning of our service. Specifically, we use a session cookie to keep you signed in. We do not use any tracking, analytics, or marketing cookies. For more information, see our Cookie Policy.
12. Children’s Privacy
Our service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by email or by posting a prominent notice on our website. The “Last updated” date at the top of this page indicates when this policy was last revised.
14. Contact Us
If you have any questions about this privacy policy or how we handle your personal data, please contact us at:
Email: support@filr.co.uk