Data Protection

Your Privacy Matters

Last updated: 25 February 2026 · DoneLabs Ltd · ICO Reg. No. ICO-0001353294

ICO Registered · GDPR Compliant

1. Who We Are

DoneTax is a product of DoneLabs Ltd, a company registered in England and Wales, company number 17056937. We provide Making Tax Digital (MTD) software for UK landlords, enabling quarterly income tax submissions to HMRC. For the purposes of UK data protection law, DoneLabs Ltd is the data controller for personal data collected through DoneTax. Contact: hello@donetax.co.uk

2. What Personal Data We Collect

We collect and process: Identity data (name, email address, National Insurance Number), HMRC data (MTD ID, property income source ID, encrypted OAuth access tokens), Financial data (bank transactions, rental income, allowable expenses via open banking), Submission data (quarterly tax returns and Final Declarations), Technical data (IP address, device ID, browser information, session data), and Usage data.

3. How We Use Your Data

To provide the DoneTax service on the basis of contractual necessity: processing your bank transactions, categorising income and expenses, and submitting quarterly MTD returns to HMRC on your behalf. To comply with legal obligations: fraud prevention header data submitted to HMRC as required. To manage your account and subscription on the basis of contractual necessity. To improve our service on the basis of legitimate interests.

4. HMRC Data and OAuth

DoneTax uses OAuth 2.0 to connect to your HMRC account. We never store your Government Gateway username or password. We store encrypted OAuth access tokens solely to submit your tax returns on your behalf. These tokens are encrypted at rest using AES-256-GCM and transmitted over HTTPS. Your National Insurance Number is stored encrypted and used only to identify your MTD records with HMRC.

5. Open Banking Data

DoneTax connects to your bank account via TrueLayer, an FCA-authorised open banking provider. We request read-only access to your transaction history. We cannot and never will move money from your account. Bank transaction data is stored securely and used only to identify rental income and allowable expenses for your MTD submissions.

6. Fraud Prevention Data

HMRC requires all MTD software providers to submit fraud prevention headers with every API call. This includes your device ID, IP address, browser information, and timezone. This is a legal requirement under the Regulation of Investigatory Powers Act 2000 and HMRC's Terms of Use. We have no discretion over this requirement.

7. Data Sharing

We share your personal data only where necessary: HMRC (to submit your quarterly MTD returns), TrueLayer (open banking, read-only), Stripe (subscription payments), Supabase (database provider, EU-hosted). We do not sell, rent, or share your personal data with any third party for marketing purposes.

8. Data Storage and Security

Your data is stored on Supabase infrastructure in the European Union. Security measures include: AES-256-GCM encryption for all OAuth tokens at rest, HTTPS and TLS for all data in transit, HttpOnly and Secure cookie flags, Content Security Policy and HSTS headers, rate limiting on all API endpoints, and parameterised database queries.

9. Data Retention

We retain your personal data for as long as your DoneTax account is active. If you delete your account, we will delete your personal data within 30 days, except where required by law. Financial records required for tax purposes may be retained for up to 7 years.

10. Your Rights

Under UK GDPR you have: Right of access (request a copy via Data Export), Right to erasure (delete account via Delete Account feature), Right to rectification (update your profile), Right to restrict processing, Right to data portability (machine-readable format), Right to object. Contact us at hello@donetax.co.uk to exercise any right.

11. Cookies

DoneTax uses strictly necessary cookies only: session cookies for authentication and a persistent device ID cookie for HMRC fraud prevention compliance. We do not use advertising or tracking cookies.

12. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.