Privacy Policy – aligned.tax
Last updated: 8th March 2026
1. Who We Are
This Privacy Policy explains how Abridged Ltd ("we", "our", "us") collects, uses, stores, and shares your personal data when you use the aligned.tax platform ("Service").
- Data Controller: Abridged Ltd
- Registered Address: 167-169 Great Portland Street, 5th Floor, London, W1W 5PF
- Company Number: 17081706
- Data Protection Contact: hello@aligned.tax
We are not required to appoint a Data Protection Officer, but you may contact us at the address above with any data protection query.
2. What This Policy Covers
This policy applies to personal data we collect through the Service, our website at aligned.tax, and related communications. It applies to all users including individual taxpayers, accountants, bookkeepers, and agents using the Service on behalf of clients.
Where an accountant or agent uploads client data, the accountant or agent acts as the data controller for that client data and we act as a data processor. Our Data Processing Agreement governs that relationship separately.
3. Personal Data We Collect
3.1 Data you provide directly
- Full name and email address (account registration)
- Phone number (where provided for two-factor authentication)
- Organisation or practice name (where applicable)
- Unique Taxpayer Reference (UTR)
- National Insurance Number (where required for HMRC submissions)
- Business income and expense figures
- Financial data contained in uploaded spreadsheets
- Bank account or payment details (for subscription payments)
- Any correspondence you send us
3.2 Data we collect automatically
- IP address and approximate location (IP addresses are hashed before storage in activity logs)
- Browser type and operating system
- Device identifiers and screen dimensions
- Pages visited and features used within the Service
- Timestamps of actions including submissions
- Referral source
3.3 Data collected for HMRC fraud prevention
HMRC legally requires all Making Tax Digital software to collect and transmit fraud prevention headers with every API request. This includes:
- Client IP address and port
- Device identifiers and screen dimensions
- Browser plugins and user agent string
- Timezone and local timestamp
- Multi-factor authentication status
This data is transmitted directly to HMRC and is not stored by us beyond the duration of the API request.
3.4 Data we receive from third parties
- HMRC: business details, obligation periods, submission confirmations, and calculation results retrieved via HMRC APIs following your authorisation
- Payment processor: confirmation of payment status (we do not store full card numbers)
4. How We Use Your Data and Our Lawful Basis
The UK GDPR requires us to have a lawful basis for each processing activity. The table below sets out our purposes and the corresponding lawful basis.
| Purpose | What we do | Lawful basis |
|---|---|---|
| Account creation and management | Register your account, authenticate you, manage your subscription | Performance of contract (Article 6(1)(b)) |
| Service delivery | Transform spreadsheet data, prepare financial summaries, transmit data to HMRC on your instruction | Performance of contract (Article 6(1)(b)) |
| HMRC submissions | Submit quarterly updates, year-end adjustments, and final declarations to HMRC | Performance of contract (Article 6(1)(b)) and legal obligation (Article 6(1)(c)) |
| HMRC fraud prevention | Collect and transmit device and connection data as required by The Income Tax (Digital Requirements) Regulations | Legal obligation (Article 6(1)(c)) |
| AI categorisation | Provide automated categorisation suggestions for financial transactions | Performance of contract (Article 6(1)(b)) |
| Phone verification | Verify your phone number via SMS for two-factor authentication | Performance of contract (Article 6(1)(b)) |
| Audit and compliance | Maintain submission logs, user confirmations, and system event records | Legal obligation (Article 6(1)(c)) and legitimate interest (Article 6(1)(f)) |
| Security | Detect and prevent fraud, misuse, or security incidents | Legitimate interest (Article 6(1)(f)) |
| Error monitoring | Track application errors to maintain service reliability (with automatic PII redaction) | Legitimate interest (Article 6(1)(f)) |
| Service improvement | Analyse usage patterns to improve the Service | Legitimate interest (Article 6(1)(f)) |
| Communications | Send service notifications, submission confirmations, security alerts, and policy updates | Performance of contract (Article 6(1)(b)) |
| Marketing | Send product updates or feature announcements (only with your separate consent) | Consent (Article 6(1)(a)) |
| Payment processing | Process subscription payments and manage billing | Performance of contract (Article 6(1)(b)) |
Where we rely on legitimate interest, our interest is in operating, securing, and improving the Service. We have assessed that this does not override your rights and freedoms. You may contact us to request details of our balancing assessment.
5. AI and Automated Processing
The Service uses artificial intelligence to suggest categorisations for financial transactions and to assist with mapping spreadsheet columns to HMRC-required fields. This processing is automated but does not produce legal or similarly significant effects because:
- Suggestions are presented to you for review before any submission to HMRC
- You may accept, reject, or modify any AI-generated suggestion
- No submission to HMRC occurs without your explicit confirmation
When using AI features, we send transaction descriptions, column names, and category labels to our AI providers. We do not send National Insurance Numbers, names, or other direct personal identifiers to AI providers.
We do not use automated decision-making that produces legal effects without human intervention.
6. Who We Share Your Data With
We share personal data only where necessary to deliver the Service or where required by law.
6.1 HMRC
| Recipient | Purpose | Safeguards |
|---|---|---|
| HMRC | Submitting financial data and fraud prevention headers under Making Tax Digital | UK government body; data stays in the UK; legally mandated |
6.2 Sub-Processors
We use the following third-party service providers who process personal data on our behalf. All sub-processors are bound by data processing agreements requiring them to process data only on our instructions and to implement appropriate security measures.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Railway (Railway Corporation) | Cloud hosting and application deployment | All application data in transit and at rest during platform operation | European Union |
| Amazon Web Services – S3 (Amazon Web Services, Inc.) | Cloud file storage for uploaded spreadsheets and documents | Uploaded financial files (Excel/CSV), file metadata, user identifiers | European Union |
| PostgreSQL Database (hosted via Railway) | Primary data storage | All user account data, financial records, encrypted HMRC tokens, audit logs, and application state | European Union |
| Stripe (Stripe, Inc.) | Payment processing and subscription management | Email addresses, subscription status, payment method tokens (card details handled directly by Stripe under PCI DSS) | United States |
| Lemon Squeezy (Lemon Squeezy, LLC) | Alternative payment and subscription management | Email addresses, user identifiers, subscription and order information | United States |
| SendGrid (Twilio Inc.) | Transactional email delivery (account notifications, submission confirmations, password resets) | Email addresses, message content and metadata | United States |
| Twilio (Twilio Inc.) | SMS-based phone verification (two-factor authentication) | Phone numbers, verification codes | United States |
| Anthropic (Anthropic PBC) | AI-powered smart column mapping and tax categorisation assistance | Spreadsheet column names, transaction descriptions, income/expense category labels (no NINOs or direct personal identifiers) | United States |
| OpenAI (OpenAI, LLC) | Text embeddings for semantic search and transaction categorisation | Transaction descriptions, category labels (no NINOs or direct personal identifiers) | United States |
| Sentry (Functional Software, Inc.) | Error monitoring and application performance tracking | Error stack traces, user ID, email (with automatic PII redaction — NINOs are hashed, authorisation headers and cookies are stripped) | United States |
| Google Analytics (Google LLC) | Website analytics to understand usage patterns (consent-based only) | Page views, traffic sources, device information, IP address (anonymised). Only activated if you consent via our cookie banner | United States |
| Plausible Analytics (Plausible Insights OÜ) | Privacy-focused website analytics | Page views, traffic sources, visitor counts (no cookies, no personal identifiers) | European Union (Estonia) |
We do not sell your personal data to any third party. We do not share personal data for marketing purposes without your consent.
6.3 Changes to Sub-Processors
We will update this list when we add or remove sub-processors. Where a change is material, we will notify you by email or through the Service before the change takes effect, giving you the opportunity to object.
7. International Transfers
Some of our service providers process personal data outside the United Kingdom, primarily in the United States. Where this occurs, we ensure appropriate safeguards are in place, including:
- Transfers to countries with a UK adequacy decision
- The UK International Data Transfer Agreement (UK IDTA)
- The UK Addendum to EU Standard Contractual Clauses
- The data importer's certification under the UK Extension to the EU-US Data Privacy Framework, where applicable
You may contact us for further details of the specific safeguards applied to any transfer.
8. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data category | Retention period | Reason |
|---|---|---|
| Account data (name, email, phone) | Duration of account plus 12 months | Contract performance and reasonable follow-up |
| Submission records and audit logs | 7 years from date of submission | Tax record-keeping obligations |
| Financial data in spreadsheets | Duration of account; deleted on termination unless legal retention applies | Service delivery |
| HMRC authorisation tokens | Until revoked by user or expiry | Service delivery |
| Payment records | 7 years from transaction date | Financial record-keeping and tax obligations |
| Uploaded files (S3) | Duration of account; deleted on termination | Service delivery |
| Device and usage logs | 12 months from collection | Security and service improvement |
| Error monitoring data (Sentry) | 90 days from collection | Automatically purged by provider |
| Marketing consent records | Duration of consent plus 12 months | Demonstrating consent compliance |
| Analytics data | Aggregated and anonymised; no personal data retained beyond session | Service improvement |
Upon account termination, we delete or anonymise personal data in accordance with the periods above, unless retention is required by law.
9. Your Rights
Under the UK GDPR, you have the following rights:
- Right of access – obtain a copy of the personal data we hold about you
- Right to rectification – correct inaccurate or incomplete personal data
- Right to erasure – request deletion of your personal data where there is no compelling reason to continue processing
- Right to restriction of processing – request that we limit how we use your data in certain circumstances
- Right to data portability – receive your personal data in a structured, commonly used, machine-readable format
- Right to object – object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent – where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
- Rights related to automated decision-making – not to be subject to a decision based solely on automated processing that produces legal effects (see section 5)
To exercise any of these rights, contact us at hello@aligned.tax. We will respond within one month. In certain circumstances we may extend this by a further two months, in which case we will inform you.
We will not charge a fee for responding to a request unless it is manifestly unfounded or excessive.
10. Right to Complain
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO.
11. Cookies and Tracking Technologies
Our website and Service may use cookies and similar technologies. Cookies are small text files placed on your device.
11.1 Essential cookies
These are necessary for the Service to function, including session management and authentication. They do not require consent.
11.2 Analytics cookies
We may use analytics cookies to understand how the Service is used and to improve it. These are only placed with your consent via our cookie consent banner.
11.3 Managing cookies
You can control cookies through your browser settings or via our cookie consent banner, which you can access at any time. Disabling essential cookies may affect your ability to use the Service.
We do not use advertising or third-party tracking cookies.
12. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and sensitive data at rest (HMRC OAuth tokens are encrypted using AES-256)
- Role-based access controls with a six-tier permission hierarchy (Reviewer, Bookkeeper, Preparer, Supporting Agent, Main Agent, Client Owner)
- Centralised audit logging of all user actions, data access, and HMRC submissions
- Automatic PII redaction in application logs (NINOs, emails, IP addresses, phone numbers, and sensitive fields are masked before logging)
- IP address hashing in user activity records
- Rate limiting and abuse prevention on API endpoints
- Regular review of security practices and dependency updates
No system is completely secure. We cannot guarantee absolute security but we take reasonable steps to protect your data.
13. Children
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
14. Third-Party Links
The Service may contain links to third-party websites including HMRC. We are not responsible for the privacy practices of these websites. We encourage you to read their privacy policies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or through the Service before the changes take effect.
The date at the top of this policy indicates when it was last updated.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
- Email: hello@aligned.tax
- Post: Abridged Ltd, 167-169 Great Portland Street, 5th Floor, London, W1W 5PF