Legal

Privacy Policy

Last updated: 3 April 2026

1. Data Controller

MTD Bridge is operated by Garry Cronin, trading as Steadfast Software, a sole trader registered in Cardiff, Wales. We are registered with the Information Commissioner's Office (ICO) under registration number C1894526.

Contact: [email protected]

2. What Data We Collect

We collect and process the following categories of personal data:

  • Account information — your name, email address, and authentication credentials (managed via Supabase Auth using magic links or Google OAuth).
  • HMRC connection data — OAuth 2.0 access and refresh tokens issued by HMRC via Government Gateway. These are encrypted with AES-256 at rest and are never logged or exposed in application interfaces.
  • Tax identifiers — your National Insurance number (NINO) and/or Business ID, required for HMRC submissions. These are encrypted with AES-256 at rest.
  • Property data — addresses, types, and ownership details for your rental properties.
  • Transaction data — income and expense records you enter, including amounts, dates, categories, and descriptions.
  • Receipt images — photographs or scans of receipts you upload, stored in Cloudflare R2.
  • HMRC submission records — copies of data submitted to HMRC and responses received, retained for audit trail purposes.
  • Payment information — processed by Stripe. We do not store your card details. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
  • Usage analytics — anonymised usage data collected via PostHog (EU instance) to improve the service. No personally identifiable information is sent to PostHog.

3. Legal Basis for Processing

We process your data under the following lawful bases (UK GDPR):

  • Contract — processing necessary to provide the MTD Bridge service you have signed up for, including submitting data to HMRC on your behalf.
  • Legal obligation — HMRC fraud prevention headers are transmitted as required by law when making API calls to HMRC.
  • Legitimate interest — anonymised analytics to improve the service, and error tracking via Sentry to maintain reliability.

4. How We Store Your Data

Your data is stored in a PostgreSQL database hosted by Neon. Authentication is managed by Supabase. Receipt files are stored in Cloudflare R2. The application is hosted on Railway.

Sensitive data — including HMRC tokens, National Insurance numbers, and Business IDs — is encrypted with AES-256 before being written to the database. Encryption keys are stored separately from the database in environment variables.

5. Data Sharing

We share your data only with the following parties, and only as necessary to provide the service:

  • HMRC — your property income and expense data, submitted via the Making Tax Digital API at your direction.
  • Stripe — payment processing for subscriptions and one-off purchases.
  • Supabase — authentication and session management.
  • Neon — database hosting.
  • Cloudflare — CDN, DNS, and receipt file storage (R2).
  • Sentry — error tracking (no personal financial data is sent).
  • PostHog — anonymised usage analytics (EU instance).

We do not sell your data to any third party. We do not use your data for advertising.

6. Data Retention

We retain your account and transaction data for as long as your account is active. HMRC submission records are retained for a minimum of 6 years after the end of the relevant tax year, in line with HMRC record-keeping requirements. If you delete your account, personal data is removed within 30 days, except where retention is required by law.

7. Your Rights

Under the UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erase your data (subject to legal retention obligations)
  • Restrict or object to processing
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

8. Cookies

MTD Bridge uses essential cookies for authentication and session management. We use PostHog for anonymised analytics. We do not use advertising or tracking cookies.

9. HMRC Fraud Prevention Headers

When MTD Bridge makes API calls to HMRC on your behalf, we are legally required to send fraud prevention headers. These may include your IP address, device information, and timestamps. This data is transmitted directly to HMRC and is not stored by us beyond what is included in submission audit logs.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notification. The "last updated" date at the top of this page reflects the most recent revision.

11. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).