Privacy Policy

Last Updated: 3 June 2026

Invatax Ltd ("we", "our", "us") respects your privacy and is committed to protecting your personal data in accordance with UK GDPR and the Data Protection Act 2018.

1. Who We Are

Invatax Ltd is a UK software company providing VAT threshold monitoring and financial insight tools for UK businesses.

Data controller: Invatax Ltd.

Company number: To be completed before full public launch.

Registered office: To be completed before full public launch.

Contact:
info@invatax.co.uk

Privacy contact:
privacy@invatax.co.uk should be set up before public launch.

2. Information We Collect

We may collect:

• Name
• Email address
• Business name
• VAT information
• Turnover figures
• Accounting software connection data
• Device/browser information
• IP address
• Usage analytics
• Payment/subscription status
• Audit logs and security events
• Support messages and bug reports

We do NOT store full banking credentials or payment card information.

Where you connect Xero or QuickBooks, we store connection metadata and encrypted tokens needed to keep the integration working. We do not ask for or store your Xero or QuickBooks password.

3. How We Collect Information

Information may be collected when you:

• Create an account
• Connect Xero or QuickBooks
• Enter manual turnover data
• Subscribe to a paid plan
• Contact support
• Use the website/app

4. Why We Process Your Data

We process data to:

• Provide VAT monitoring services
• Calculate VAT threshold progress
• Send alerts and notifications
• Manage subscriptions
• Improve the platform
• Prevent fraud and abuse
• Comply with legal obligations

5. Legal Basis

We rely on different legal bases depending on how the data is used:

• Contractual necessity: to create your account, provide the app, save turnover records, run VAT threshold calculations, manage integrations, and provide support.
• Legitimate interests: to secure the platform, prevent abuse, improve the product, keep audit logs, monitor errors, and understand basic product usage.
• Legal obligations: to keep records needed for accounting, tax, disputes, fraud prevention, and compliance.
• Consent: for non-essential cookies, marketing emails, lead magnet follow-up emails, and any other processing where consent is required.

6. Third-Party Providers

We may share limited data with trusted providers including:

• Stripe
• Supabase
• Resend
• Xero
• QuickBooks
• Netlify
• Sentry
• Google Analytics (if enabled)

We only share information necessary for the service to operate.

7. Automated Calculations and Alerts

Invatax uses automated systems to generate VAT threshold calculations, alerts, forecasts, reports, and reminder emails based on information entered by the user or synced from connected accounting software.

Invatax is software only. It does not provide tax, legal, accounting, or financial advice. Users remain responsible for reviewing financial information and ensuring HMRC compliance.

Integrations with Xero, QuickBooks, Stripe, Resend, Supabase, Netlify, Sentry, or other providers may fail, be delayed, or be unavailable. If this happens, alerts, reports, emails, or synced turnover figures may be delayed or incomplete. Users should check source records and confirm important VAT decisions with an accountant, tax adviser, or HMRC.

8. International Transfers

Some providers may process data outside the UK. Appropriate safeguards and contractual protections are used where required.

9. Data Retention

We retain data only as long as necessary for legal, accounting, security, and operational purposes.

Cancelling a paid subscription stops future billing according to the cancellation timing shown by Stripe, but it does not automatically delete account data. Account and turnover data may remain in Invatax so the user can reactivate, export records, request deletion, resolve billing issues, or maintain an audit trail.

If paid access ends, the account may be restricted, but operational records such as business profile details, turnover entries, VAT threshold history, reports, integration status, and audit logs are not treated as deleted unless a separate deletion request is confirmed.

Signed-in users can request account deletion from account settings or by contacting us. When a deletion request is confirmed, we disconnect accounting integrations, revoke stored accounting access where possible, remove access to active account data, and schedule deletion or anonymisation of operational personal data within 30 days.

Stripe customer, subscription, invoice, payment, tax, fraud-prevention, and dispute records may be retained by Stripe and Invatax where required for billing, accounting, legal, chargeback, or security obligations. We do not store full payment card details.

Deleted account data may remain in Supabase or hosting backups for up to 90 days before those backups expire.

Financial and subscription records may be retained for up to 6 years where required for UK accounting, tax, legal, or dispute purposes. Error logs are normally retained for up to 90 days, support emails for up to 24 months, and analytics for no longer than 14 months where enabled.

Security, audit, and legal records may be retained longer where necessary to protect the platform, investigate abuse, resolve disputes, or comply with legal obligations.

10. Your Rights

You may request:

• Access to your data
• Correction of inaccurate data
• Deletion of your data
• Export of your data
• Restriction of processing
• Objection to certain processing
• Withdrawal of consent where processing is based on consent

Requests can be sent to:
info@invatax.co.uk

Where account settings provide a self-service deletion or export option, you may also use that option while signed in.

The self-service export is generated for your signed-in account only. It may include your business profile, turnover records, VAT threshold calculations, safe subscription/account status fields, integration status information, and audit log entries relating to you. It does not include stored accounting access tokens, refresh tokens, payment card details, service keys, or other secrets.

You also have the right to complain to the UK Information Commissioner's Office (ICO) if you are unhappy with how we handle your personal data. We ask that you contact us first so we can try to help.

11. Cookies

We use cookies and similar technologies for essential functionality, analytics, and performance monitoring.

See our Cookie Policy for more details.

12. Security

We use reasonable technical and organisational measures including:

• Encrypted connections (HTTPS)
• Access controls
• Authentication protection
• Secure cloud infrastructure
• Row Level Security for customer data
• Encrypted accounting integration tokens
• Monitoring and audit logs

No online service can be guaranteed 100% secure. If we become aware of a suspected personal data breach affecting users, we will investigate, take containment steps, keep appropriate records, and assess whether ICO or user notification is required. We may seek legal, data protection, or cyber security advice where appropriate.

Invatax also does not guarantee uninterrupted service. Planned maintenance, third-party outages, security incidents, or technical failures may affect availability from time to time.

13. Children's Privacy

Invatax is not intended for children under 18.

14. Changes

We may update this policy from time to time. Continued use of the platform constitutes acceptance of the updated policy.

15. Contact

info@invatax.co.uk

Legal note: This Privacy Policy is written in plain English for launch readiness. Final legal review is recommended before public launch.