AI TaxPilot← Back to site
PRIVACY

Privacy Policy

How Aicountant Ltd collects, uses and protects your personal data

Aicountant Ltd Version 1.0 — Effective 01 May 2026

1. Introduction

This Privacy Policy explains how Aicountant Ltd ("we", "us", "our"), trading as AI TaxPilot, a company registered in England and Wales under company number 17193613 with its registered office at 61 Bridge Street, Kington, United Kingdom, HR5 3DJ, collects, uses, stores and protects personal data when you visit https://www.aitaxpilot.com or use our software service AI TaxPilot (the "Service"). The Service is recognised software for HM Revenue & Customs (HMRC) Making Tax Digital ("MTD") and connects to HMRC APIs to submit tax data on your behalf.

We are the data controller in respect of personal data processed in connection with your account and our website. We are registered with the Information Commissioner's Office (ICO) under registration number [ICO REGISTRATION NUMBER — registration in progress].

This policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). It also reflects the obligations placed on us by HMRC as a recognised MTD software provider, including those set out in the HMRC Developer Hub Terms of Use and the Fraud Prevention Header Data Compliance and Sanctions Guidelines.

2. Who this policy applies to

  • Visitors to our website.
  • Individual taxpayers (sole traders and landlords) who register for the Service to file MTD for VAT and/or MTD for Income Tax Self-Assessment (ITSA).
  • Authorised users of business customers (limited companies, partnerships and other VAT-registered entities) who use the Service.
  • Prospective customers who contact us, sign up for trials, or subscribe to marketing communications.

3. Personal data we collect

3.1 Information you provide to us

  • Identity data: full name, business name, job title, date of birth where required by HMRC.
  • Contact data: email address, postal address, telephone number.
  • Tax data: Unique Taxpayer Reference (UTR), VAT registration number, National Insurance number where applicable, tax period(s), accounting figures, transaction records, supporting documents you upload.
  • Account data: username, password (stored only in hashed form), security questions, two-factor authentication settings.
  • Billing data: billing address, VAT number, payment card last four digits and expiry (full card details are handled by our PCI-DSS compliant payment processor — we do not see or store full card numbers).
  • Communications: support tickets, emails, chat transcripts and call recordings.

3.2 Information we collect automatically

When you use the Service we automatically collect technical and usage data, including the data we are legally required to send to HMRC as fraud prevention headers under the HMRC Developer Hub rules. This includes:

  • Device information: device IDs, MAC address (where the operating system permits), screen resolution, time zone, browser type and version, operating system, public IP address and, where applicable, local IP address, Wi-Fi SSID/BSSID and the device being used to connect.
  • Connection method information: HTTP user-agent, type of connection (browser, mobile app, batch, server-to-server), proxy or VPN indicators where detected.
  • Usage data: pages visited, features used, timestamps, error logs, performance metrics.
  • Cookies and similar technologies — see Section 11.

We are required by law (under Schedule 24 to the Finance Act 2021 and HMRC's MTD regulations) to collect this information and transmit it to HMRC as part of every submission. You cannot opt out of fraud prevention headers and continue to use the Service to file with HMRC.

3.3 Information from third parties

  • Authentication and authorisation tokens received from HMRC when you grant the Service permission to act on your behalf (OAuth 2.0 grant tokens).
  • Bank-feed and open-banking data, where you connect a bank account through an authorised account information service provider (AISP).
  • Information from your accountant, bookkeeper or agent, where they sign you up to the Service.
  • Anti-fraud and credit-check data from third-party verification providers.

4. Lawful bases for processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

  • Performance of a contract (Article 6(1)(b)) — to provide and operate the Service, manage your account, process payments and provide customer support.
  • Compliance with a legal obligation (Article 6(1)(c)) — to send fraud prevention headers and tax data to HMRC, retain accounting and tax records for the periods required by HMRC, and comply with anti-money laundering, accounting and tax law.
  • Legitimate interests (Article 6(1)(f)) — to secure our systems, prevent fraud, develop and improve the Service, conduct internal analytics, and contact business customers about similar services. We balance our legitimate interests against your rights and you may object at any time.
  • Consent (Article 6(1)(a)) — for non-essential cookies, marketing emails to individual subscribers, and any optional features that involve additional processing. You can withdraw consent at any time without affecting prior processing.

Where we process special category data (rare for an MTD service, but possible where supporting documents are uploaded), we rely on Article 9(2)(g) — substantial public interest — and the conditions in Schedule 1 of the Data Protection Act 2018.

5. How we use your personal data

  • Creating and managing your account.
  • Authenticating you with HMRC via OAuth 2.0.
  • Preparing, validating and submitting MTD obligations, including VAT returns, ITSA quarterly updates, end of period statements and final declarations.
  • Sending fraud prevention headers to HMRC with every API call.
  • Receiving notices, obligations and liabilities back from HMRC.
  • Taking payment and issuing invoices.
  • Providing technical support and responding to your enquiries.
  • Sending service messages (security alerts, downtime notices, regulatory changes, renewal notices) — these are not marketing and you cannot opt out while you remain a customer.
  • Sending marketing communications where you have opted in (or are a business customer who has not opted out).
  • Detecting, preventing and investigating fraud, security incidents and breaches of our terms.
  • Improving and developing new features (using aggregated and pseudonymised data wherever possible).
  • Complying with legal, regulatory and law-enforcement requests.

6. Who we share your data with

6.1 HM Revenue & Customs

When you use the Service to file or query MTD information, we transmit your tax data and the fraud prevention header data described in Section 3.2 to HMRC. HMRC becomes an independent data controller in respect of that information once it is received. HMRC's privacy notice is available on GOV.UK.

6.2 Service providers (processors) acting on our behalf

  • Website and application hosting — GoDaddy.com, LLC (and its group companies), which provides our hosting infrastructure.
  • Payment processing — Stripe Payments Europe Ltd / Stripe, Inc., which processes subscription payments. Card details are entered directly into Stripe's PCI-DSS compliant environment; we do not see or store full card numbers.
  • Business email and productivity — Microsoft 365 (provided through GoDaddy), which handles our email correspondence and document storage.
  • Artificial Intelligence processing — Anthropic PBC, which provides the large language model technology that powers automated tax-data extraction, validation and the AI assistant features of the Service. Customer Data submitted to AI features is processed by Anthropic strictly to provide the response and is not used by Anthropic to train its models.
  • Identity verification and anti-fraud providers, where engaged.
  • Professional advisers — accountants, auditors, lawyers and insurers — under duties of confidentiality.

Each processor is bound by a written contract that meets the requirements of Article 28 of the UK GDPR. A current list is available on request from privacy@aicountant.co.uk.

6.3 Other recipients

  • Your nominated agent, accountant or bookkeeper, where you have authorised them.
  • Law-enforcement, regulators or courts, where required by law or court order.
  • A purchaser, investor or successor of our business in the event of a sale, merger, restructure or insolvency — subject to equivalent confidentiality obligations.

We do not sell personal data to third parties and we do not share personal data with advertising networks for the purposes of profiling or targeted advertising.

7. International transfers

Our primary processing takes place in the United Kingdom. Some of our processors are based, or process data, outside the UK — in particular Anthropic PBC and Stripe, Inc. (United States), and elements of GoDaddy and Microsoft 365 infrastructure. Where data is transferred outside the UK, we rely on one of the following safeguards:

  • An adequacy decision made by the UK government in respect of the destination country (including the UK extension to the EU-US Data Privacy Framework, where the recipient is certified).
  • The International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment.
  • Binding corporate rules approved by the ICO.

We have completed (or are in the process of completing) a transfer risk assessment for each non-UK processor. A copy is available on request from privacy@aicountant.co.uk.

8. How long we keep your data

We keep personal data only for as long as is necessary for the purposes for which it was collected and for any legal, accounting or reporting requirements:

  • Tax and accounting records — at least 6 years from the end of the tax year to which they relate, in line with HMRC retention requirements. We may keep them longer where HMRC has opened an enquiry.
  • Account and contract records — 6 years from the end of our contract with you, to deal with potential disputes under the Limitation Act 1980.
  • Marketing data — until you unsubscribe, then for a reasonable period to honour the opt-out.
  • Support tickets and call recordings — typically 24 months.
  • Technical logs (including fraud prevention header logs) — typically 12 months unless required for an active investigation.
  • Backups — overwritten on a rolling basis, normally within 90 days.

Where the right to erasure does not apply (for example because we are required to retain tax records under a legal obligation), we will restrict further processing to that purpose only.

9. How we protect your data

  • Encryption in transit using TLS 1.2 or higher.
  • Encryption at rest for databases, backups and document storage.
  • Role-based access controls and the principle of least privilege.
  • Multi-factor authentication for staff and administrators.
  • Continuous monitoring, intrusion detection and regular vulnerability scanning.
  • Independent penetration testing at least annually.
  • Documented incident response and breach notification procedures aligned with the 72-hour ICO notification requirement.
  • Staff training in data protection and information security on induction and annually.

10. Your rights

Subject to certain exemptions, you have the following rights under UK GDPR:

  • Right to be informed about how we use your personal data — that is the purpose of this notice.
  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — ask us to delete data, subject to our legal retention obligations.
  • Right to restrict processing — ask us to limit how we use your data.
  • Right to data portability — receive a copy of your data in a structured, commonly used, machine-readable format.
  • Right to object — including to processing based on legitimate interests and to direct marketing.
  • Rights in relation to automated decision-making and profiling — we do not currently use solely automated decisions that produce legal or similarly significant effects.
  • Right to withdraw consent at any time, where consent is the lawful basis.

To exercise any of these rights, please contact us at privacy@aicountant.co.uk. We will respond within one calendar month. We may need to verify your identity before acting on your request.

11. Cookies and similar technologies

We use a small number of cookies that are strictly necessary to operate the Service (for example to keep you signed in). We only set analytics, performance or marketing cookies after you accept them through our cookie banner. You can change or withdraw your choice at any time through the "Cookie Settings" link in the footer of our website. A full list of cookies, their purposes, providers and lifetimes is set out in our Cookie Notice.

12. Children

The Service is intended for use by adults aged 18 or over in the course of a trade, profession or property business. We do not knowingly collect data relating to children. If you believe a child has provided personal data to us, please contact privacy@aicountant.co.uk and we will delete it.

13. Automated decision-making and AI processing

AI TaxPilot uses artificial intelligence (specifically, large language model technology provided by Anthropic PBC) to help categorise transactions, extract information from documents you upload, validate tax figures and answer questions in our AI assistant. We do not make decisions producing legal or similarly significant effects about you using solely automated means — every submission to HMRC requires you to review and authorise the data first.

When you use AI-assisted features, the relevant content (which may include personal data) is sent to Anthropic over an encrypted connection. Under our agreement with Anthropic, that content is used only to generate the response and is not used to train Anthropic's models. AI outputs may occasionally contain errors; you remain responsible for checking accuracy before relying on them.

You can ask us about how a particular AI-assisted result was produced, request human review of any AI output, or ask us to reprocess data without AI features by contacting privacy@aicountant.co.uk.

14. Changes to this policy

We may update this Privacy Policy from time to time. The most recent version is always available on our website. Where changes are material we will give you reasonable advance notice by email or in-app notification.

15. Complaints

If you have any concern about how we are handling your personal data, please contact us first at privacy@aicountant.co.uk so we can try to resolve it. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk/concerns
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

16. Contact us

Data controller: Aicountant Ltd Registered office: 61 Bridge Street, Kington, United Kingdom, HR5 3DJ Companies House number: 17193613 ICO registration number: [ICO REGISTRATION NUMBER — registration in progress] Data Protection Officer: Haroon Ibrahim General privacy enquiries: privacy@aicountant.co.uk Customer support: support@aicountant.co.uk Website: https://www.aitaxpilot.com

Questions? Contact our Data Protection Officer at dpo@aitaxpilot.com or write to Aicountant Ltd, England & Wales.