The short version
We believe privacy policies should be readable. Here's what matters most:
- We collect only what we need to run your tax account
- We never sell your data to anyone, ever
- Your financial data is encrypted in transit and at rest
- You can request deletion of all your data at any time
- We're based in the UK and comply with UK GDPR
1. Who we are
Taxify is a UK-based tax management service for sole traders, freelancers, and limited company directors. References to "we", "us", or "Taxify" in this policy refer to the Taxify service and its operators.
2. What data we collect
Account information
- Your name and email address (required to create an account)
- Your business name and job title
- Business type (sole trader, limited company, etc.)
- Password (stored as a one-way hash — we cannot see it)
Tax and financial information
- Your Unique Taxpayer Reference (UTR) number, if provided
- VAT registration number and status, if applicable
- Income and expense transactions you enter or import
- Director salary, dividend, and company data (Director Hub users)
- Estimated income band and filing history
Files you upload
- Bank statement CSV files or PDFs uploaded for analysis
- These are processed transiently and not permanently stored on our servers
Usage and technical data
- Log data (browser type, pages visited, timestamps)
- Theme preference (light/dark mode)
- Feature usage patterns (used to improve the product)
Payment information
We do not store card details. Payments are processed by Stripe, who are PCI-DSS compliant. We store only your Stripe customer ID and subscription status.
3. Why we collect it (legal basis)
Under UK GDPR, we must have a lawful basis for processing your data. We rely on:
- Contract performance — to provide the Taxify service you signed up for
- Legitimate interests — to improve the product, prevent fraud, and ensure security
- Legal obligation — where we're required to retain records for legal or regulatory reasons
- Consent — for optional communications like product updates (you can withdraw at any time)
4. How we use AI
Taxify uses the Anthropic Claude API to power our AI assistant and file analysis features. When you interact with the AI or upload a file for analysis, the relevant data (your financial context and file contents) is sent to Anthropic's API for processing.
- Anthropic processes this data solely to generate your response
- We do not use your financial data to train AI models
- Anthropic's data processing is governed by their Privacy Policy and API usage terms
- All AI responses are labelled as guidance only, not regulated financial advice
You can opt out of AI features entirely by not using the AI tab or upload analysis — all other features work without it.
5. Who we share data with
We do not sell, rent, or trade your personal data. We share data only with the following trusted service providers, and only to the extent necessary to operate Taxify:
- Supabase — database and authentication infrastructure (servers in the EU)
- Anthropic — AI processing for assistant and file analysis features
- Stripe — payment processing (PCI-DSS Level 1 certified)
- Vercel — hosting and serverless function infrastructure
All providers are bound by data processing agreements and may not use your data for their own purposes.
6. Cookies and tracking
We use a minimal set of cookies. You can manage your preferences using the cookie banner shown on your first visit.
Essential cookies (always on)
- Authentication session cookies — required to keep you logged in
- Security cookies — protect against cross-site request forgery
Analytics cookies (optional)
- Usage analytics to understand which features are useful (privacy-first, no personal identifiers)
We do not use advertising cookies or track you across other websites.
7. How long we keep your data
- Account and transaction data — retained while your account is active
- Deleted account data — permanently deleted within 30 days of an account deletion request
- Payment records — retained for 7 years as required by UK tax law
- Uploaded files — not permanently stored; processed transiently then discarded
8. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and all associated data
- Portability — receive your data in a machine-readable format (CSV export is available in-app)
- Restriction — ask us to limit how we process your data
- Objection — object to processing based on legitimate interests
- Withdraw consent — at any time, for consent-based processing
To exercise any of these rights, email us at privacy@taxify.co.uk. We'll respond within 30 days.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk if you believe we've handled your data unlawfully.
9. Security
We take the security of your financial data seriously:
- All data is encrypted in transit using TLS 1.2 or higher
- Database data is encrypted at rest
- Row Level Security (RLS) ensures you can only access your own data
- Passwords are hashed using bcrypt and never stored in plain text
- API keys are never exposed to the browser
In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make significant changes, we'll notify you by email and update the "last updated" date at the top of this page. Continued use of Taxify after changes constitutes acceptance of the updated policy.
Contact us
Privacy questions or data requests
Email us at privacy@taxify.co.uk — we aim to respond within 5 business days.
For urgent security concerns, include "SECURITY" in the subject line.