Privacy Policy

Last updated: 23 March 2026

Your privacy matters. Here is exactly what data we collect, why we need it, and how we protect it.

1. Introduction

ActiveSoft Ltd ("we", "us", "our") operates activetax.pages.dev and activetax.uk. This privacy policy explains how we collect, use, and protect your personal data in compliance with the UK Data (Use and Access) Act 2025 and UK GDPR.

By creating an account and using ActiveTax, you acknowledge that you have read and understood this policy.

2. Data Controller

ActiveTax is the data controller for your personal data. If you have any questions about how your data is handled, please contact us at:

3. What Data We Collect

We collect the following categories of personal data:

Account Information

  • First name, middle names (optional), last name
  • Email address
  • Phone number (optional)
  • Postal address

Tax Identifiers

  • National Insurance Number (NINO)
  • Unique Taxpayer Reference (UTR)

Authentication Data

  • Password (stored as a one-way bcrypt hash — we cannot read your password)
  • JWT session tokens (stored in your browser's local storage)

HMRC Data

  • HMRC OAuth2 access and refresh tokens (to submit data on your behalf)
  • Self-assessment data retrieved from HMRC (income, expenses, obligations, tax calculations)

Technical Data

  • Device ID — a random identifier required by HMRC's fraud prevention regulations
  • Theme preference and dashboard layout (stored locally in your browser)

Communication Data

  • Any messages you send via our contact form

4. How We Use Your Data

Purpose | Legal Basis
Provide the Making Tax Digital filing service | Performance of contract
Authenticate your identity and manage your account | Performance of contract
Submit tax data to HMRC on your behalf | Legal obligation (MTD regulations)
Include HMRC fraud prevention headers in API calls | Legal obligation (HMRC requirement) and Recognised Legitimate Interest under DUAA 2025
Send email verification and password reset emails | Performance of contract
Respond to support enquiries | Legitimate interest
Detect and prevent fraud and abuse of the service | Recognised Legitimate Interest under DUAA 2025

Recognised Legitimate Interests: The Data (Use and Access) Act 2025 introduced a list of "Recognised Legitimate Interests" — processing activities that are automatically considered lawful without requiring a separate balancing assessment. Our fraud prevention and security processing (including the HMRC-mandated device identifier) falls within this category, providing an additional lawful basis for that processing.

5. Data Security

We take the security of your data seriously, particularly given the sensitivity of tax information:

  • Encryption at rest: All personal data (except boolean flags and your internal user ID) is encrypted using AWS KMS envelope encryption before storage in our database.
  • Email hashing: Your email address is stored as a SHA-256 hash for database lookups, meaning the plain-text email is never stored in a searchable index.
  • Password security: Passwords are stored using the bcrypt algorithm. We cannot retrieve or read your password.
  • JWT security: Session tokens are signed using RS256 asymmetric cryptography with 2048-bit RSA keys.
  • Encryption in transit: All data is transmitted over HTTPS/TLS.
  • HMRC tokens: OAuth2 tokens for HMRC access are stored encrypted in our database.

6. Data Sharing and Third Parties

We do not sell your personal data. We share data only with the following parties and only as necessary to provide the service:

Party | What Is Shared | Reason
HMRC | Your tax data and fraud prevention headers | Legal obligation — required by Making Tax Digital regulations
Amazon Web Services (AWS) | All account and tax data | Infrastructure provider — database (DynamoDB), compute (Lambda), encryption (KMS), and email (SES). Data stored in the eu-west-2 (London) region.
Cloudflare | Web traffic metadata | Website hosting and CDN (Cloudflare Pages). Sets strictly necessary security cookies.

7. Data Retention

  • Account data: Retained for as long as your account is active. Upon account deletion, all personal data is removed.
  • Session tokens: Expire after 2 hours (or 30 days if you select "Remember Me").
  • Email verification tokens: Expire after 24 hours.
  • Password reset tokens: Expire after 1 hour.
  • HMRC OAuth tokens: Retained while your account remains connected to HMRC. You can disconnect at any time from your account settings.

8. Your Rights

Under UK data protection law, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you (Subject Access Request).
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Receive your data in a machine-readable format.
  • Right to object: Object to processing based on legitimate interest.

To exercise any of these rights, please contact us at support@activetax.uk or via our contact form. We will respond within 30 days of receiving your request.

Stop the Clock (DUAA 2025): Under the Data (Use and Access) Act 2025, we may pause ("stop the clock" on) the 30-day response period if we need additional information from you — for example, to verify your identity or to clarify the scope of your request. If we need to do this, we will contact you promptly to explain what information is required. The clock resumes once you provide that information.

9. International Transfers

Your data is primarily stored and processed in AWS eu-west-2 (London, UK). Cloudflare, as a global CDN, may process website traffic data internationally under their Data Processing Addendum with UK Standard Contractual Clauses.

10. Children's Data

ActiveTax is not intended for users under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us so we can delete it.

11. Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top of this page reflects when it was last revised. For material changes, we will notify you by email. Continued use of ActiveTax after changes constitutes acceptance.

12. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK's data protection regulator:

  • Information Commissioner's Office (ICO): ico.org.uk
  • ICO helpline: 0303 123 1113

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.

13. Contact Us

For any privacy-related questions or to exercise your rights: