Privacy Policy
Last updated: 14 March 2026
This Privacy Policy explains how MTD for Landlords collects, uses, and protects your personal data. We are committed to handling your data responsibly in accordance with the UK GDPR and the Data Protection Act 2018.
1. Who We Are and How to Contact Us
MTD for Landlords ("we", "us", "our") operates the MTD for Landlords web application, a Making Tax Digital compliance and property income management tool for UK landlords. We are the data controller for personal data processed through our Service.
If you have any questions about this Privacy Policy or your personal data, please contact us:
Email: privacy@mtdforlandlords.co.uk
We aim to respond to all data-related enquiries within 5 business days.
2. What Data We Collect
We collect and process the following categories of personal data:
Account and Profile Data
• Full name and email address (collected at registration)
• Encrypted password (managed by our authentication provider, Supabase)
• Any optional profile information you choose to provide
Financial and Transaction Data
• Property income and expense records you manually enter
• Transaction data from CSV or bank export files you upload
• Category labels, notes, and annotations you add to transactions
• Property details (address, type, ownership share) you create within the Service
Usage and Technical Data
• Log data including IP address, browser type, and device information
• Pages visited, features used, and session duration
• Error logs and performance diagnostics
We do not collect payment card information directly. If we introduce paid plans in future, payment processing will be handled by a PCI-DSS compliant provider (e.g. Stripe), and we will update this policy accordingly.
3. How We Use Your Data
We use your personal data to:
• Create and manage your account
• Provide the core Service: storing and displaying your property and transaction data
• Generate financial summaries, quarterly categorisations, and MTD compliance outputs from your uploaded data
• Process bank/export CSV files to categorise transactions, detect rental income, and produce compliance-ready summaries
• Respond to your support requests and communications
• Send essential service notifications (e.g. confirmation emails, security alerts)
• Improve the reliability, performance, and features of the Service
• Comply with our legal obligations
We do not use your financial data for advertising, sell it to third parties, or use it to train AI models operated by third parties without your explicit consent.
4. Legal Basis for Processing
Under UK GDPR and the Data Protection Act 2018, we rely on the following lawful bases:
• Contract performance (Article 6(1)(b)): Processing necessary to provide you with the Service you have signed up for, including storing your transactions, generating summaries, and managing your account.
• Legitimate interests (Article 6(1)(f)): Improving the Service, detecting fraud and misuse, and ensuring the security and performance of our systems. We have assessed that these interests do not override your rights and freedoms.
• Legal obligation (Article 6(1)(c)): Where we are required to process or retain data to comply with applicable law.
• Consent (Article 6(1)(a)): Where we ask for your consent for specific optional activities (e.g. marketing communications). You may withdraw consent at any time.
5. Uploaded Bank and Export Data
When you upload CSV files or bank export files to the Service, those files may contain transaction descriptions, merchant names, amounts, dates, and reference numbers. We process this data solely to:
• Parse and import transactions into your account
• Apply automated categorisation rules (income, expenses, categories) to generate financial summaries
• Produce MTD-compliant quarterly summaries and accountant exports
This processing is carried out on your behalf as data processor acting on your instructions. You remain the data controller for any personal data about third parties (e.g. tenant names in transaction references) contained in uploaded files. We strongly recommend that you review uploaded files to ensure they do not contain sensitive personal data beyond what is required for tax record-keeping.
6. Third-Party Processors
We use the following sub-processors to operate the Service. Each has been assessed as providing appropriate data protection safeguards:
• Supabase (database and authentication): Your account credentials, transaction data, and property records are stored in a Supabase PostgreSQL database hosted on AWS infrastructure in the EU (eu-west-1 / Ireland). Supabase is SOC 2 Type II certified and GDPR compliant.
• Vercel (hosting and delivery): Our web application is deployed on Vercel's edge network. Vercel is GDPR compliant and processes request data (including IP addresses) as described in their privacy policy.
• Email delivery: We may use a transactional email provider (e.g. Resend or Postmark) to send account confirmation and notification emails. Only your email address is shared for this purpose.
• HMRC API: If you connect your account to HMRC's Making Tax Digital API, your submissions and token data are transmitted directly to HMRC. HMRC is a data controller in its own right for data submitted to them.
We do not share your data with other third parties except as required by law or with your explicit consent.
7. Data Retention
We retain your data for as long as your account is active. If you close your account, we will:
• Delete your personal and financial data within 30 days of account closure
• Retain anonymised, aggregated usage statistics indefinitely (these cannot be linked back to you)
• Retain any data we are legally required to keep (e.g. for fraud prevention or legal proceedings) for up to 7 years in accordance with UK tax law record-keeping requirements
You may request deletion of your data at any time by contacting privacy@mtdforlandlords.co.uk.
8. Data Security
We take appropriate technical and organisational measures to protect your data, including:
• All data transmitted between your browser and our Service is encrypted using TLS/HTTPS
• Database records are protected by Row Level Security (RLS) policies ensuring users can only access their own data
• Authentication credentials are managed by Supabase Auth; passwords are never stored in plaintext
• Access to production systems is restricted to authorised personnel
• We conduct periodic security reviews of our codebase and infrastructure
Despite our best efforts, no system is completely immune to security risks. If you suspect a security incident involving your data, please contact us immediately at privacy@mtdforlandlords.co.uk.
9. Your Rights Under UK GDPR
As a data subject under UK GDPR (UK General Data Protection Regulation), you have the following rights:
• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Ask us to correct inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data ("right to be forgotten")
• Right to restrict processing: Ask us to limit how we use your data
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Rights related to automated decision-making: We do not make solely automated decisions that significantly affect you
To exercise any of these rights, contact us at privacy@mtdforlandlords.co.uk. We will respond within one calendar month. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
11. International Data Transfers
Your data is primarily stored within the European Economic Area (EEA) on Supabase infrastructure hosted in Ireland (AWS eu-west-1). Any transfers outside the UK or EEA (for example, for email delivery or CDN services) are conducted under appropriate safeguards such as UK Adequacy Regulations, Standard Contractual Clauses (SCCs), or equivalent mechanisms.
12. HMRC-Related Data Handling
If you use the HMRC MTD API integration features, you will need to authorise our application via HMRC's OAuth 2.0 flow. In doing so:
• We store OAuth access and refresh tokens securely in an encrypted, access-controlled database table
• Tokens are used solely to submit data to HMRC on your instruction
• We do not access HMRC data beyond what you explicitly request
• You can revoke this connection at any time from within the Service or via your HMRC Government Gateway account
Data submitted to HMRC is subject to HMRC's own privacy notice and data handling practices.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice in the Service. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.
Questions about your privacy or data?
Contact our privacy team at privacy@mtdforlandlords.co.uk or lodge a complaint with the ICO.