Back to SimpleTaxFlow

Privacy Policy

Last updated: 26 February 2026

1. Who We Are

SimpleTaxFlow is a trading name of Infuzest Ltd, a company registered in England and Wales.

We provide Making Tax Digital (MTD) compliant tax software for sole traders and landlords.

For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, Infuzest Ltd acts as Data Controller for personal data processed through the SimpleTaxFlow platform.

Contact:

privacy@infuzest.co.uk

2. Categories of Personal Data

2.1 Identity & Account Data

  • Name
  • Email address
  • Authentication records
  • Login activity
  • Communication history

2.2 Tax & Business Data

  • Unique Taxpayer Reference (UTR)
  • National Insurance number (where required)
  • Business details
  • Income and expense records
  • Quarterly updates
  • Final declaration data

2.3 Financial Transaction Data (Open Banking)

If you connect a bank account, we may receive:

  • Transaction date
  • Transaction description
  • Transaction amount
  • Masked account identifiers

We do not:

  • Collect online banking passwords
  • Access PINs or security codes
  • Store banking login credentials

Bank authentication occurs directly between you and your bank via regulated Open Banking redirection.

2.4 HMRC Authorisation Data

To enable authorised submissions:

  • We store HMRC OAuth refresh tokens in encrypted form.
  • Access tokens are short-lived and used only for authorised API calls.
  • Tokens can be revoked at any time via your HMRC account.

2.5 Technical & Security Data

  • IP address
  • Device/browser information
  • Usage logs
  • Security audit logs

Used strictly for security, fraud prevention, and system reliability.

3. How We Use Your Data

We process data to:

  • Provide the platform
  • Maintain digital records
  • Categorise transactions
  • Generate quarterly summaries
  • Submit authorised updates to HMRC
  • Detect fraud or misuse
  • Comply with legal obligations

We do not:

  • Sell personal data
  • Use tax data for advertising
  • Use financial data for credit scoring
  • Share transaction data for marketing

4. Open Banking Data

Where Open Banking is used:

  • Data access is provided via an FCA-regulated Account Information Service Provider (AISP).
  • You provide explicit consent before access.
  • You may revoke access at any time.
  • We use transaction data solely for bookkeeping and tax compliance.

The AISP acts as a regulated entity in the Open Banking ecosystem and may operate as an independent controller for the authentication stage.

5. WhatsApp Communication

If you interact with SimpleTaxFlow via WhatsApp:

  • Messages are transmitted via Meta Platforms’ infrastructure.
  • You should only provide tax or financial information when prompted within official flows.
  • WhatsApp messages may be stored for audit, support, and regulatory purposes.
  • We recommend using secure devices and not sharing access to your WhatsApp account.

6. Lawful Bases

We rely on:

  • Contractual necessity
  • Legal obligation
  • Legitimate interests (security, platform integrity)
  • Consent (Open Banking & HMRC authorisation)

7. Data Sharing & Sub-Processors

We may share data with:

  • HMRC (for authorised submissions)
  • FCA-regulated Open Banking providers
  • Cloud infrastructure providers
  • Hosting and deployment providers
  • Professional advisers
  • Law enforcement where legally required

Our infrastructure providers may include:

  • Google Cloud Platform
  • Supabase (managed database services)
  • Vercel (application hosting)
  • Meta Platforms (WhatsApp infrastructure)

All providers are subject to contractual security and confidentiality obligations.

8. Security Measures

We implement:

  • TLS encryption in transit
  • Encryption at rest
  • Encrypted storage of OAuth tokens
  • Role-based access controls
  • Multi-factor authentication for administrators
  • Least privilege access policies
  • Production environment segregation
  • Audit logging & monitoring

No system can be guaranteed completely secure.

9. Retention

We retain tax records for up to 6 years in line with UK statutory requirements.

Data may be retained longer where required by law or regulatory obligation.

10. International Transfers

Where data is processed outside the UK:

  • We implement UK-approved safeguards.
  • Standard Contractual Clauses or equivalent measures are used.

11. Your Rights

You have the right to:

  • Access your data
  • Rectify inaccuracies
  • Request erasure (subject to legal obligations)
  • Restrict processing
  • Object to legitimate interest processing
  • Data portability

You may complain to the ICO:

Information Commissioner’s Office

https://ico.org.uk

0303 123 1113

12. Complaints

If you have concerns about how we handle your data:

Contact: privacy@infuzest.co.uk

We aim to respond within 30 days.

13. Updates

We may update this policy periodically.

Material changes will be communicated via the platform or email.