Privacy Policy

How MyVATBridge collects, uses, and protects personal data.

Last updated: 14 March 2026

Contact

[email protected]

Support page

1. Scope

This Privacy Policy explains how MyVATBridge handles information when you visit the website, create an account, add VAT clients, connect to HMRC, prepare VAT returns, or contact support. It is written as the operating privacy notice for the live service and should be reviewed again before full commercial launch.

2. Data we collect

Account and contact data

Username, email address, password hash, support messages, and account activity needed to operate the service.

VAT client and filing data

Client names, business names, VRNs, notes, VAT obligations, VAT return drafts, submission results, liabilities, payments, penalties, and related audit data.

HMRC integration data

OAuth access and refresh tokens, HMRC response payloads, sync timestamps, and error logs. Sensitive tokens are stored encrypted at rest.

Fraud-prevention and technical data

Browser, device, network, and session metadata captured to build HMRC fraud-prevention headers for VAT API calls, along with server logs and security records.

3. How we use the data

  • to create and secure user accounts
  • to let you manage VAT clients and prepare VAT returns
  • to connect to HMRC and make VAT API calls on your behalf
  • to generate HMRC fraud-prevention headers required for VAT integrations
  • to troubleshoot issues, maintain audit trails, and improve platform reliability
  • to respond to support requests and enforce platform security

4. Sharing

We may share relevant data with HMRC when you authorise or submit VAT-related actions, with infrastructure or software providers that help us run the platform, and with professional advisers or authorities where required for security, legal, or compliance reasons. We do not describe the service as an advertising platform and we do not use account data for ad targeting.

5. Retention

We keep data for as long as needed to operate the service, maintain filing history, support users, and meet tax, accounting, legal, or security obligations. Different categories may be kept for different periods. For example, filing and audit records may be kept longer than transient technical logs.

6. Security

We use access controls, encrypted credential storage, secure cookies, server-side logging, and restricted service routing to reduce unauthorised access risk. No internet-facing system can be guaranteed 100% secure, so you should also keep your own account credentials safe and review access regularly.

7. Cookies and browser storage

MyVATBridge uses essential cookies and session storage needed for login, security, and HMRC integration flows. The service also captures browser-side information to support HMRC fraud-prevention headers where required for VAT API requests.

8. Your rights

Depending on the applicable law and context, you may have rights to request access, correction, deletion, restriction, objection, or export of personal data. Some requests may be limited where we need to keep records for compliance, audit, or legal reasons.

If you have concerns about how personal data is handled, contact us first at [email protected]. You may also have the right to complain to the Information Commissioner's Office in the UK.

9. International transfers

Some service providers may process data outside the UK. Where that happens, appropriate contractual or organisational safeguards should be used as part of the production setup and vendor review process.

10. Updates

We may update this Privacy Policy as the product matures, especially when HMRC OAuth, payments, client onboarding, or agent workflows are expanded. The latest version will be published on this page.