Privacy Policy

Last updated: February 2026

1. Who we are

Quartax ("we", "us") is responsible for protecting your personal data. We process your data in accordance with the UK General Data Protection Regulation (UK GDPR).

2. What personal data we process and why

  • Account data: Email, name (optional), password hash - to create and secure your account.
  • HMRC connection: OAuth tokens (encrypted), NINO, UTR - to submit your quarterly updates to HMRC on your behalf. We do not store your HMRC sign-in credentials.
  • Transaction data: Bank transaction descriptions (anonymised before AI processing), amounts, categories - to prepare your MTD returns. Anonymised transaction descriptions are processed by OpenAI for categorisation purposes; OpenAI's data processing agreement covers this.
  • Submissions: Period dates, income and expense totals - to file returns and show your history.
  • Payment data: Stripe customer ID - to manage your subscription. Payment details are held by Stripe, not by us.

3. Lawful basis

We process your data on the basis of contract (to provide the service you signed up for) and legal obligation (where we must retain data for tax or regulatory purposes).

4. Your rights

You can request to access, correct, export, or delete your data at any time. Use the Export and Delete account options in Settings, or contact us at team@quartax.co.uk.

5. Security and encryption

We encrypt access tokens and personally identifiable data when stored. Data in transit is protected by TLS (HTTPS). Each customer's data is isolated and cannot be accessed by other users.

6. Security incidents and breach notification

If you become aware of a security risk or incident, please contact us immediately at team@quartax.co.uk. We will investigate and, where required, notify HMRC (SDSTeam@hmrc.gov.uk) and the ICO within 72 hours of becoming aware of a personal data breach.

7. Data retention

We retain your data for as long as your account is active and as required for legal or tax purposes. When you delete your account, we remove your data within 30 days, except where we must retain it for legal obligations.

8. Contact

For privacy, data requests, or security issues: team@quartax.co.uk
