Privacy Policy and Your Data Rights
Last updated 9th February 2026
This section provides a clear explanation of how My Tax Digital handles your data, focusing on transparency, security, and your legal rights as a user. Our commitment is to provide a free, secure MTD service while strictly adhering to UK tax law and data protection legislation (GDPR).
Your Ownership and Control
- You Own Your Data: You, the user, maintain full ownership and continuous access to all financial records, tax documents, client information, and personal data you enter into My Tax Digital. We simply provide the secure software to manage it.
- Data Export (Portability): You have the right to easily download and export most of your data. Use the Export CSV functions in the Transactions and Contacts sections to create secure backups at any time.
Information We Collect
We only collect information strictly necessary to provide the free MTD service, maintain your account security, and comply with UK tax legislation.
| Data Type | What We Collect | Why We Collect It |
|---|---|---|
| Identity Data | Name, email address, encrypted password, and your chosen Two-Factor Authentication (2FA) method. | Required for registration, maintaining login security, and verifying your identity. |
| Tax & Financial Data | VAT Registration Number (VRN), National Insurance Number (NINO), Unique Taxpayer Reference (UTR), all transaction records, invoice details, and calculated bank account balances. | Required for MTD compliance, accurate record-keeping, and enabling tax submissions to HMRC. We do not store your bank login credentials. |
| HMRC Records | VAT obligations and liabilities, and ITSA quarterly/annual summaries pulled securely from HMRC. | Required for displaying your deadlines, current tax status, and calculating estimated tax liabilities. |
| Usage Data | Activity logs (log-in times, submission records) and Google Analytics data (if consented to). | Required for security auditing, troubleshooting errors, improving app performance, and protecting against fraudulent activity. |
Security Measures and Data Sharing
We implement multiple layers of security to protect your sensitive financial data:
- Encryption: All data exchanged is secured using HTTPS (TLS) encryption. Your stored financial data is also secured with encryption at rest.
- Mandatory 2FA: Two-Factor Authentication is mandatory for all accounts, adding a critical second step to the sign-in process.
- Sharing with HMRC: We only transmit the required summary figures (e.g., VAT boxes, ITSA totals) to HMRC when you explicitly click the 'Submit' button, granting us permission to act on your behalf.
- AIsha Tax Assistant: When you use the AIsha feature, your query is securely processed to generate a tax guidance response. Your input is not retained or used to train the AI model.
- Support Verification: Our support staff will not discuss account-specific data unless you provide a unique, temporary Support Token that you generate while logged into your profile. This is a strict policy implemented for your protection.
Data Retention and Deletion Rights
- Tax Records Retention: We are legally required to retain your core financial transaction data and tax submission history for a minimum of seven (7) years from the end of the last tax period they relate to.
- Dormant Accounts: If your account is inactive for one year (12 consecutive months), we will notify you before deleting all associated data.
- Account Deletion: If you request to close your account, your data is marked for permanent deletion. The data may remain on our secure systems for up to 35 days before it is completely purged.
Change of Control (Merger or Acquisition)
In the event that Open Answers Ltd (the Provider) undergoes a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its assets, your Personal Data and Tax Records will likely be among the assets transferred.
Notification: You will be notified via email or a prominent notice on the Website 30 days before any such change in ownership or control.
Data Rights: Any successor entity will be required to honor the terms of this Privacy Policy and may only use your data in accordance with the original consent provided, unless you are otherwise notified.
Cessation of Trading (Solvency or Exit)
Should the Provider decide to cease trading or discontinue the Service for any reason:
Notice Period: We will provide a minimum of 30 days' notice to all active users via the registered email address.
Data Export (Portability): During this notice period, the Service will remain accessible for the sole purpose of allowing you to export your data. You will be able to download your full transaction history and submitted tax records in a standard, machine-readable format (e.g., CSV or Excel).
Final Deletion: Following the expiry of the notice period and the subsequent 30-day "grace period," all customer data will be securely deleted from our production servers, except where retention is required by UK law (e.g., for our own financial auditing purposes).
Cookies
We use small text files called cookies to ensure the website functions correctly:
- Strictly Necessary Cookies: These are essential for core functions, such as maintaining your secure login session.
- Analytics Cookies: Used by Google Analytics to track site usage for improvement purposes. You will be given the option to opt-out of these cookies when you first visit the site.
