Privacy policy
How AATAX collects, uses, stores, and protects your personal and tax information — in plain English and in full.
Introduction
AATAX (“we”, “us”, or “our”) provides a Making Tax Digital (MTD) platform (the “Services”) that enables accounting agencies, tax agents, and their clients (together with sole traders and landlords using the platform directly) to prepare and submit tax information to HM Revenue and Customs (“HMRC”). We are committed to protecting your privacy and handling your personal data in a transparent, lawful, and secure manner in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
This Privacy Policy explains what information we collect, how we use it, who we share it with, where it is stored, how long we keep it, and what rights you have in relation to your personal data.
The Services are not intended for individuals under the age of 18, and we do not knowingly collect personal data from children.
Who we are and our role under data protection law
AATAX [full legal entity name, company number, registered address] is the data controller or data processor of your personal data depending on how you use the Services:
| Who you are | Our role | Your role |
|---|---|---|
| An agency / agent user | Data controller for your account, billing, and usage data | — |
| A sole trader or landlord using AATAX directly | Data controller for your account, billing, and tax data | — |
| A client of an agency using AATAX | Data processor of your tax data | The agency is the controller; see their privacy notice |
For all privacy-related enquiries, contact us at privacy@aatax.ai.
Data Protection Officer
We are not required under UK GDPR Article 37 to appoint a Data Protection Officer, but our privacy lead can be contacted at privacy@aatax.ai for all data protection matters.
Information we collect
We collect and process the following categories of information:
Account information
Name, email address, telephone number, agency name, job role, professional body membership (where relevant), and password credentials.
Sensitive tax identifiers
Information uploaded or entered to enable tax submissions, including:
- National Insurance numbers, Unique Taxpayer References (UTRs), and VAT registration numbers — these are sensitive identifiers subject to heightened safeguards (access controls, encryption, audit logging);
- Names, addresses, dates of birth;
- Income, expense, and transaction data;
- Supporting documents uploaded (receipts, invoices, bank statements).
We do not intentionally collect special category data under UK GDPR Article 9 (such as health data, religious beliefs, or biometric data). Where such data might appear incidentally in an expense document (for example, a medical receipt), you should redact it before uploading, and we apply the same heightened safeguards to any such data we do hold.
HMRC integration data
OAuth access tokens, refresh tokens, fraud prevention headers required by HMRC, and metadata necessary to connect to HMRC’s MTD APIs on your behalf.
Billing information
Subscription details, invoicing data, and transaction records processed via our payment provider. We do not store full payment card details on our systems.
Technical and usage data
IP address, browser type and version, device identifiers, operating system, referral URL, session logs, pages visited, features used, and diagnostic data.
Communications
Emails, support tickets, chat messages, phone call notes, and feedback you send us.
How we use your information
We use the information we collect to:
- Provide, maintain, and improve the AATAX platform;
- Facilitate tax preparation, review, and submission to HMRC;
- Authenticate users, manage access, and secure accounts (including multi-factor authentication);
- Process subscriptions, invoices, and payments;
- Provide customer support and respond to enquiries;
- Send service-related communications (security alerts, billing notices, product updates, maintenance notifications) — these are not marketing and you cannot opt out of essential service messages while your account is active;
- Send marketing communications where you have opted in — you can unsubscribe at any time using the link in each message;
- Detect, prevent, and investigate fraud, abuse, or security incidents;
- Comply with legal, tax, and regulatory obligations, including responding to lawful HMRC or law-enforcement requests.
Use of your data for product improvement and AI
We do not use your tax data or your clients’ tax data to train third-party AI models. Where AI features are used within the platform (for example, document parsing or expense categorisation), they operate on your data solely to provide the feature to you, under contractual terms that prohibit the AI provider from using your data for their own training. See “Sharing your information” below for the specific providers involved.
Automated decision-making
The Services do not make automated decisions that produce legal or similarly significant effects on you within the meaning of UK GDPR Article 22. Where the platform uses AI to suggest categorisations or flag anomalies, these are suggestions only and a human (you or your agent) remains responsible for the final submission.
Lawful bases for processing
We rely on the following lawful bases under UK GDPR:
| Processing activity | Lawful basis |
|---|---|
| Providing the Services to you | Contract (Article 6(1)(b)) |
| Processing payments and billing | Contract (Article 6(1)(b)) |
| Complying with tax, AML, and record-keeping laws | Legal obligation (Article 6(1)(c)) |
| Securing the platform, preventing fraud, product analytics | Legitimate interests (Article 6(1)(f)) |
| Marketing communications | Consent (Article 6(1)(a)), or soft opt-in under PECR where applicable |
| Non-essential cookies and analytics | Consent (PECR regulation 6) |
Where we rely on legitimate interests, we carry out balancing assessments to ensure your rights are not overridden. You can request details of these assessments by contacting privacy@aatax.ai.
Sharing your information
We share your information with the following categories of recipients, each under appropriate contractual and security safeguards (including Data Processing Agreements where required):
HMRC
For the purpose of submitting tax returns, obligations, and related information as authorised by you or your agent.
Cloud infrastructure and hosting
- [AWS / Amazon Web Services] — cloud hosting, storage, databases (UK and/or EEA regions)
- [Provider name] — [purpose]
Operational service providers
- [Payment processor, e.g. Stripe] — payment processing
- [Email provider, e.g. Postmark / SendGrid] — transactional email
- [Analytics provider] — usage analytics (anonymised/pseudonymised where possible)
- [Customer support tool] — support ticketing
AI service providers
We use the following AI providers for specific platform features. Each operates under terms that prohibit the use of your data for model training:
- [e.g. Anthropic (Claude)] — [specific feature, e.g. document parsing]
- [e.g. OpenAI] — [specific feature]
Your accounting agency
Where you are a client user of an agency, your information is accessible to the agency managing your account, who is the controller of that data.
Professional advisers and authorities
Lawyers, auditors, regulators, or law-enforcement agencies where required by law, court order, or to establish, exercise, or defend legal claims.
Business transfers
In the event of a merger, acquisition, financing, or sale of assets, your information may be disclosed to the counterparty subject to appropriate confidentiality protections. We will notify you of any change in controller.
We do not sell your personal data to third parties.
International transfers
Your data is primarily stored in the United Kingdom, with certain processing taking place in the European Economic Area (EEA).
Some of our service providers (including certain AI providers) may process data in the United States or other jurisdictions outside the UK/EEA. Where this occurs, we rely on appropriate safeguards under UK GDPR, including:
- UK-US Data Bridge (for transfers to certified US organisations);
- UK International Data Transfer Agreement (IDTA) or the European Commission’s Standard Contractual Clauses with the UK Addendum;
- Adequacy decisions, where the UK Government has determined the destination country provides an adequate level of protection.
You can request a copy of the safeguards in place for any specific transfer by contacting privacy@aatax.ai.
Data retention
We retain personal data only as long as necessary for the purposes for which it was collected, taking into account applicable legal retention requirements.
| Category | Retention period | Why |
|---|---|---|
| Account information | Duration of account + 6 years after closure | HMRC record-keeping; dispute resolution |
| Tax and submission data | At least 6 years from the end of the relevant tax year | HMRC MTD record-keeping requirements (ITSA: at least 5 years after 31 January submission deadline; VAT: 6 years) |
| HMRC OAuth tokens | Until revoked or account closed | Active service provision |
| Billing records | 6 years | UK tax and accounting law |
| Support communications | 3 years from last contact | Dispute resolution and service improvement |
| Security and audit logs | 12 months | Security monitoring and breach investigation |
| Marketing consent records | Until withdrawn + 2 years | Evidence of consent (PECR/UK GDPR) |
| Technical/analytics data | 13 months (aggregated/anonymised thereafter) | Product analytics |
Where you close your account, we retain the minimum data required to meet statutory obligations and securely delete or anonymise the rest.
Security
We implement technical and organisational measures designed to protect your information, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- Access controls based on least-privilege principles, with multi-factor authentication required for administrative access;
- Audit logging of access to sensitive data;
- Regular security reviews, vulnerability scanning, and penetration testing;
- Employee training on data protection and security;
- Contractual safeguards with all sub-processors, including DPAs and confidentiality obligations.
Data breach notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (“ICO”) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach poses a high risk to you, we will also notify you without undue delay.
Responsible disclosure
If you believe you have identified a security vulnerability in our Services, please report it responsibly to security@aatax.ai.
Your rights
Under UK GDPR you have the following rights:
- Right of access — to obtain a copy of the personal data we hold about you;
- Right to rectification — to have inaccurate data corrected;
- Right to erasure (“right to be forgotten”) — to have your data deleted in certain circumstances;
- Right to restriction — to limit how we process your data in certain circumstances;
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format;
- Right to object — to processing based on legitimate interests, and to direct marketing at any time;
- Right to withdraw consent — where processing is based on consent, without affecting the lawfulness of processing before withdrawal;
- Right not to be subject to solely automated decision-making producing legal or similarly significant effects;
- Right to be informed about the source of your data where we have not collected it directly from you.
To exercise any of these rights, email privacy@aatax.ai. We will respond within one month, unless the request is complex, in which case we may extend this by up to two further months (and will let you know).
If you are a client user of an agency, AATAX is a processor of your tax data and many requests will need to be directed to your accounting agency as the controller. We will assist your agency in responding where required.
Complaints
You have the right to lodge a complaint with the Information Commissioner’s Office:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the chance to address your concerns before you contact the ICO, so please do reach out to us first where possible.
Cookies and tracking
We use cookies and similar technologies on our website and platform. You can manage your preferences at any time through our cookie preferences centre or by adjusting your browser settings.
We use the following categories of cookies:
- Strictly necessary — required for the platform to function (authentication, security, session management). These cannot be disabled.
- Functional — remember your preferences (language, UI settings).
- Analytics — help us understand how the platform is used (set only with your consent).
No third-party advertising or tracking cookies are used.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to you by email or through the platform at least 30 days before they take effect, unless a shorter period is required by law. The latest version will always be available on this page, with the “Last updated” date at the top.
Contact us
If you have any questions about this Privacy Policy or how we handle your data:
- General privacy enquiries: privacy@aatax.ai
- Data Protection Officer / privacy lead: privacy@aatax.ai
- Security concerns: security@aatax.ai