Privacy Policy
Last updated: 10 May 2026
1. Who we are
ArcTax ("we", "us", "our") is a Making Tax Digital (MTD) software service that enables sole traders, landlords, and tax agents to submit Income Tax updates to HM Revenue & Customs (HMRC) under the MTD for Income Tax Self Assessment (ITSA) regime.
For the purposes of UK GDPR and the Data Protection Act 2018, ArcTax is the data controller of personal data you provide when using this service.
Contact: privacy@arctax.co.uk
2. What data we collect
- Account information: email address, hashed password, multi-factor authentication status.
- Identity data: National Insurance Number (NINO), used to identify you to HMRC. This is stored encrypted (AES-256-GCM) at rest and never logged in plain text.
- Tax data: income and expense figures you enter to prepare quarterly updates and Final Declarations; submission history and HMRC obligation schedules.
- Agent data: Agent Reference Number (ARN) and client NINOs, if you use ArcTax as a tax agent.
- Usage data: structured audit logs (login events, submission events) retained for security and compliance purposes. Logs do not contain NINOs or passwords.
- HMRC OAuth tokens: short-lived access tokens stored only in your encrypted session cookie and never written to our database.
3. How we use your data
- To authenticate you and provide the ArcTax service.
- To transmit your tax submissions to HMRC on your behalf via the MTD API.
- To send you obligation reminder emails (if enabled in Settings).
- To detect and prevent fraud, abuse, and security incidents.
- To comply with legal obligations, including HMRC developer programme requirements.
Legal basis: contract performance (Art. 6(1)(b) UK GDPR) for providing the service; legitimate interests (Art. 6(1)(f)) for security logging; legal obligation (Art. 6(1)(c)) for HMRC compliance.
4. Who we share data with
- HMRC: we transmit your tax data to HMRC via the MTD API using OAuth tokens you explicitly authorise. HMRC's own privacy notice governs data once it reaches them.
- Neon (database hosting): our PostgreSQL database is hosted on Neon (neon.tech). Data is encrypted in transit (TLS) and at rest. Neon is located in the EU/EEA.
- Vercel (hosting): the application runs on Vercel's edge network.
- Resend (email delivery): used to deliver OTP and obligation reminder emails.
- Stripe (billing): subscription and payment processing. Stripe's privacy policy governs payment card data, which we never see or store.
We do not sell your personal data or share it with any third party for marketing purposes.
5. How long we keep your data
- Account and tax data: retained for the duration of your account plus 7 years after your last submission, as required by HMRC record-keeping rules.
- Audit logs: retained for 2 years for security and fraud investigation.
- Deleted accounts: personal identifiers are removed within 30 days of account deletion (subject to statutory retention periods above).
6. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data (right to be forgotten), subject to statutory retention obligations.
- Port your data — you can export all your tax submissions and profile data from Settings > Export My Data at any time, in machine-readable JSON format.
- Object to processing based on legitimate interests.
- Restrict processing while a complaint is investigated.
- Withdraw consent where consent is the legal basis (e.g., obligation reminder emails — you can toggle this off in Settings at any time).
To exercise any of these rights, email privacy@arctax.co.uk. We will respond within 30 days. If you are unsatisfied with our response, you may complain to the Information Commissioner's Office (ICO).
7. Data export and portability
We are committed to ensuring you are never locked in. You can change provider, export, or delete your data at any time:
- Export: go to Settings > Export My Data to download a complete JSON archive of your tax submissions, obligations, and profile.
- Delete: go to Settings > Delete Account to permanently remove your account and personal data (except where retention is legally required).
- Change provider: exported JSON is structured so it can be imported into another MTD-compatible application. The HMRC portal (Self Assessment online) is always available as an alternative.
8. Security
We protect your data through:
- AES-256-GCM encryption of all NINOs stored in the database.
- bcrypt (cost factor 12) for password hashing.
- AES-256-GCM encrypted, HTTP-only, Secure session cookies (iron-session).
- All connections over TLS 1.2+ with HSTS.
- Structured audit logging of authentication and submission events.
- Multi-factor authentication (TOTP) available to all users.
In the event of a security breach affecting your personal data, we will notify the ICO within 72 hours and affected users without undue delay, in accordance with UK GDPR Articles 33–34.
9. Cookies
ArcTax uses a single, essential HTTP-only session cookie to maintain your login state. No third-party tracking, analytics, or advertising cookies are set. This cookie is strictly necessary for the service to function and does not require consent under PECR.
10. Changes to this policy
We may update this policy when our practices change or when required by law. The "Last updated" date at the top of this page will reflect any changes. We will notify users by email for material changes.
11. Contact
Questions or requests regarding this policy: privacy@arctax.co.uk