Security

Report a security issue

If you have discovered a security risk or incident, or if you are a third party with concerns about our systems, please contact us immediately:

team@quartax.co.uk

We will acknowledge your report promptly and investigate. We do not store your HMRC sign-in credentials - we use OAuth 2.0, so you sign in directly with HMRC and we only receive tokens to submit on your behalf.

Breach notification process

In the event of a security breach affecting personal or customer data, we will:

  • Notify HMRC within 72 hours by contacting SDSTeam@hmrc.gov.uk, providing a breach contact name and telephone number
  • Notify the ICO about personal data breaches within 72 hours of becoming aware, as required by UK GDPR

What we send to AI

Quartax uses AI to categorise your transactions against HMRC expense categories. Here's exactly what happens:

Before AI processing, we automatically strip your account numbers, sort codes, names, postcodes, and any other confidential data from transaction descriptions. What the AI receives looks like "RENT PMT [NAME] [ACC]" or "B&Q STORES LTD" - not your full bank statement. We send only anonymised descriptions and amounts. No names, no account numbers, no sort codes, no NINOs, nothing HMRC-related.

The HMRC submission itself contains only category totals (e.g. £450 repairs, £200 professional fees), not individual transactions. If you prefer not to use AI at all, use manual entry - your data never leaves your device until you submit.
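An added example, not Quartax's own code, of the redaction step described above: identifiers are replaced with placeholders before a description is sent anywhere, and anything that still looks like an identifier is held back. The function names, the `known_names` parameter, the regular expressions and the `[SORT]`, `[POSTCODE]` and `[NINO]` placeholders are assumptions; only `[NAME]` and `[ACC]` appear on this page.

```python
import re

# Placeholder -> pattern. [NAME] and [ACC] come from the page; the rest are assumed.
# Specific formats run before the generic 8-digit account-number match.
PATTERNS = [
    # National Insurance number: two letters, six digits, suffix A-D
    ("[NINO]", re.compile(r"\b[A-Z]{2}\s?(?:\d{2}\s?){3}[A-D]\b", re.I)),
    # UK sort code written with separators, e.g. 20-00-00
    ("[SORT]", re.compile(r"\b\d{2}[- ]\d{2}[- ]\d{2}\b")),
    # UK postcode, e.g. SW1A 1AA (over-matching is acceptable here)
    ("[POSTCODE]", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.I)),
    # UK account number: exactly eight digits
    ("[ACC]", re.compile(r"(?<!\d)\d{8}(?!\d)")),
]


def redact(description, known_names=()):
    """Replace identifiers in a transaction description with placeholders.

    known_names is a hypothetical list of names already held for the
    account (holder, tenants, payees); regexes alone cannot find names.
    """
    out = description
    # Longest names first so "John Smith" is replaced before "Smith".
    for name in sorted(known_names, key=len, reverse=True):
        out = re.sub(r"\b" + re.escape(name) + r"\b", "[NAME]", out, flags=re.I)
    for placeholder, pattern in PATTERNS:
        out = pattern.sub(placeholder, out)
    return re.sub(r"\s+", " ", out).strip()


def is_safe_to_send(redacted):
    """Fail closed: a surviving run of 6+ digits may be a missed identifier."""
    return re.search(r"\d{6,}", redacted) is None


if __name__ == "__main__":
    # Constructed sample descriptions, not real transactions.
    samples = [
        ("RENT PMT J SMITH 12345678", ["J Smith"]),
        ("B&Q STORES LTD", []),
        ("TFR 200000 REF", []),  # bare six digits: not redacted, so held back
    ]
    for text, names in samples:
        cleaned = redact(text, names)
        print(cleaned, "| send" if is_safe_to_send(cleaned) else "| hold for review")
```
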

Data protection

We encrypt access tokens and personally identifiable data when stored. All data in transit is protected by TLS (HTTPS). Each customer's data is isolated and cannot be accessed by unauthorised users or other customers. We use role-based access control for employees handling customer data.

Your data

You can export or delete your data at any time from your account Settings. See our Privacy Policy for full details.
