Privacy Policy
Last updated: 19 March 2026
Plain English summary: AimTax stores your tax records securely in the UK, submits them to HMRC on your instruction, and never sells your data to anyone. You have the right to see, correct, or delete your information at any time.
1. Who we are
AimTax is a Making Tax Digital software service operated from the United Kingdom. Our service helps sole traders and landlords keep digital tax records and submit quarterly updates to HM Revenue and Customs (HMRC) as required by law.
You can contact us at: hello@aimtax.co.uk
2. What information we collect
When you create an account and use AimTax, we collect:
- Account information: your name, email address, and password (stored only as a bcrypt hash; we never see your actual password).
- Business information: your business type (sole trader or landlord), Unique Taxpayer Reference (UTR), and National Insurance number — required to connect to HMRC.
- Financial records: income and expense transactions you enter into AimTax, including dates, amounts, and categories.
- HMRC connection: an encrypted access token that allows AimTax to submit data to HMRC on your behalf. This token is stored using AES-256 encryption and is never stored in plain text.
- Technical data: your IP address, device identifier, browser type, and screen information — collected automatically and required by HMRC for fraud prevention on every submission.
- Communication data: emails we send you, including submission confirmations and your HMRC Correlation ID.
3. How we use your information
We use your information to:
- Provide the AimTax service — storing your records and submitting them to HMRC on your instruction
- Send you confirmation emails after each quarterly submission, including your HMRC Correlation ID
- Show you an estimated tax figure based on your submissions
- Comply with HMRC fraud prevention requirements on every API call
- Respond to your support requests
- Improve and maintain the AimTax service
We do not use your information for advertising. We do not sell your data to any third party. We do not share your data with anyone except HMRC (on your instruction) and the service providers listed in section 5.
4. Legal basis for processing
We process your data under the following legal bases under UK GDPR:
- Contract: processing is necessary to provide the AimTax service you have signed up for.
- Legal obligation: HMRC requires software providers to collect and transmit fraud prevention headers on every submission. We are legally required to do this.
- Legitimate interests: we process technical data to maintain security, prevent fraud, and improve the service.
5. Who we share your data with
We share your data only with the following parties, all of whom are bound by strict data processing agreements:
- HMRC (HM Revenue and Customs): your financial records are submitted to HMRC on your instruction when you click Submit. This is the core purpose of the service.
- Supabase: our database provider, hosting your data on Amazon Web Services servers located in London, United Kingdom (eu-west-2 region). Your data never leaves the UK.
- Fly.io: our API server provider, running on servers located in London, United Kingdom.
- Vercel: our website hosting provider, serving the AimTax application from London (lhr1 region).
- Resend: our email delivery provider, used to send you submission confirmation emails.
We do not share your data with any other third party.
6. Where your data is stored
All your financial data is stored in the United Kingdom. Our database runs on Amazon Web Services in the eu-west-2 (London) region. This means your data is subject to UK law, including UK GDPR and the Data Protection Act 2018.
We do not transfer your personal data outside the United Kingdom.
7. How long we keep your data
HMRC requires taxpayers to keep digital records for a minimum of 5 years after the 31 January submission deadline for the relevant tax year. To comply with this legal obligation, AimTax retains your financial records for 5 years.
Your account information is retained for as long as your account is active. If you close your account, we will delete your account information within 30 days, subject to the 5-year retention requirement for financial records.
We retain HMRC Correlation IDs permanently as proof of filing.
8. Your rights
Under UK GDPR, you have the following rights:
- Right to access: you can request a copy of all personal data we hold about you.
- Right to rectification: you can ask us to correct any inaccurate information.
- Right to erasure: you can ask us to delete your personal data. Note that we cannot delete financial records during the 5-year HMRC retention period — this is a legal obligation that overrides the right to erasure.
- Right to restrict processing: you can ask us to stop using your data in certain ways.
- Right to data portability: you can ask for your data in a machine-readable format.
- Right to object: you can object to our processing of your data in certain circumstances.
To exercise any of these rights, email us at: hello@aimtax.co.uk
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have handled your data incorrectly.
9. Security
We take security seriously. Your data is protected by:
- AES-256 encryption for all HMRC OAuth tokens stored in our database
- HTTPS encryption for all data in transit
- Bcrypt hashing for all passwords — we never store your actual password
- Schema-level database isolation — your data is physically separated from other users' data
- UK data residency — all servers are in the United Kingdom
We conduct regular security reviews and follow OWASP security best practices.
10. Cookies
AimTax uses only essential cookies required for the service to function, including your login session cookie. We do not use tracking cookies or advertising cookies.
We do not use Google Analytics or any third-party tracking tools.
11. Changes to this policy
We may update this privacy policy from time to time. When we make significant changes, we will email you at the address on your account. The date at the top of this page shows when the policy was last updated.
Continued use of AimTax after a policy update constitutes acceptance of the updated policy.
12. Contact us
If you have any questions about this privacy policy or how we handle your data, please contact us:
Email: hello@aimtax.co.uk
Website: www.aimtax.co.uk
We aim to respond to all privacy queries within 5 working days.