MTD
MTDFile

Privacy Policy

Last updated: 30 March 2026

1. Who we are

MTDFile is an online tax filing service that submits Income Tax (ITSA) and VAT returns to HMRC on your behalf. For the purposes of UK data protection law, MTDFile is the data controller.

Contact: support@mtdfile.co.uk

2. What data we collect

We collect and process the following personal data:

  • Account information — your name, email address, and password (hashed).
  • Tax information — income figures, expense records, VAT box values, UTR number, and VAT registration number that you enter into the service.
  • HMRC authorisation tokens — OAuth 2.0 access and refresh tokens issued by HMRC when you connect your account.
  • Payment information — processed by Stripe. We do not store your card details.
  • Usage data — pages visited, features used, and anonymised analytics collected via Vercel Analytics.

3. Why we collect it (lawful basis)

  • Contract — to provide the tax filing service you have signed up for.
  • Legal obligation — to comply with UK tax and anti-money laundering regulations.
  • Legitimate interest — to improve the service, prevent fraud, and provide customer support.
  • Consent — for optional marketing communications (you can withdraw at any time).

4. How we store your data

Your data is stored in an encrypted SQLite database on a UK-based server (Hetzner, Falkenstein/Nuremberg data centres within the EU). All data in transit is encrypted using TLS 1.3. HMRC tokens are encrypted at rest using AES-256.

We retain your data for as long as your account is active. If you delete your account, we remove personal data within 30 days, except where we are legally required to retain records (e.g. tax filing submissions are kept for 7 years per HMRC requirements).

5. Who we share data with

  • HMRC — your tax return data is submitted directly to HMRC via their Making Tax Digital API. This is the core purpose of the service.
  • Stripe — processes your subscription payments. Subject to Stripe's Privacy Policy.
  • Vercel — hosts the application and collects anonymised analytics.

We do not sell your data to third parties. We do not share your tax data with anyone other than HMRC.

6. Cookies

We use the following cookies:

CookiePurposeDuration
Session cookieKeeps you logged inSession / 30 days
Vercel AnalyticsAnonymised page view analyticsSession

We do not use advertising or tracking cookies.

7. Your rights under UK GDPR

You have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data (subject to legal retention requirements).
  • Portability — receive your data in a structured, machine-readable format (JSON/CSV).
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — for marketing communications, at any time.

To exercise any of these rights, email support@mtdfile.co.uk. We will respond within 30 days.

8. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

9. Changes to this policy

We may update this policy from time to time. We will notify you of any significant changes by email or by displaying a notice within the service.

← Back to MTDFile