AffordableMTD is a product of Nesbitt Web Ltd, company number 09417982, registered in England and Wales at 27 Old Gloucester Street, London, WC1N 3AX.
For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), Nesbitt Web Ltd is the Data Controller for personal data collected through affordablemtd.com.
Questions about this policy: info@nesbittweb.com
Data We Collect and Why
| Category | Data | Source |
|---|---|---|
| Account | Email address, password (hashed), account creation date | You provide this on registration |
| Tax identity | National Insurance number, Unique Taxpayer Reference (UTR), tax year | You provide this; used to connect to your HMRC account via OAuth |
| Business data | Business name, business type (self-employment / property), business ID | Retrieved from HMRC's Business Details API after you authorise the connection |
| Financial data | Income and expense figures you enter or import via CSV/spreadsheet | You provide this directly |
| HMRC tokens | OAuth access and refresh tokens for your HMRC account | Issued by HMRC after you authorise the connection; stored encrypted (AES-256-GCM) |
| Fraud prevention | IP address, browser type and version, screen resolution, device time zone, and other headers required by HMRC's fraud prevention specification | Collected automatically from your browser when you submit data to HMRC |
| Usage data | Pages visited, time on page, errors encountered | Collected automatically via our hosting infrastructure |
| Payment data | Subscription status, payment date. We do not store card numbers — these go directly to Stripe | Stripe (our payment processor) |
How We Use Your Data
We use your data only to:
- Provide the Service — connect to HMRC on your behalf, submit quarterly updates, and display your obligations and submission history
- Process your subscription payment via Stripe
- Send transactional emails — account confirmation, subscription receipts, and upcoming deadline reminders
- Comply with HMRC's fraud prevention header requirements (see below)
- Diagnose bugs and improve the Service
- Meet our legal and regulatory obligations
HMRC Connection and Fraud Prevention Headers
When you authorise AffordableMTD to connect to HMRC on your behalf, we act as an MTD-registered software provider under HMRC's Making Tax Digital programme. This involves:
- Storing OAuth tokens that allow us to call HMRC's APIs on your behalf. These are encrypted at rest and in transit. You can revoke this access at any time via your HMRC Business Tax Account.
- Sending fraud prevention headers with every API call to HMRC. HMRC requires all MTD software providers to transmit device and connection data (IP address, browser fingerprint, screen dimensions, time zone, and similar) as part of their fraud detection framework. This is a mandatory requirement — we cannot submit data to HMRC without it.
Your income and expense data is transmitted to HMRC when you make a quarterly submission. Outside of this, your financial data is stored only in our database and is not shared with any other party.
Our Legal Basis for Processing
| Processing activity | Legal basis (UK GDPR) |
|---|---|
| Running your account and delivering the Service | Contract (Article 6(1)(b)) — necessary to perform the subscription agreement |
| Submitting data to HMRC on your behalf | Contract (Article 6(1)(b)) and your explicit authorisation via OAuth consent |
| Sending fraud prevention headers to HMRC | Legal obligation (Article 6(1)(c)) — mandatory under HMRC's MTD fraud prevention specification |
| Transactional emails (receipts, deadline reminders) | Contract (Article 6(1)(b)) |
| Retaining records for legal and tax compliance | Legal obligation (Article 6(1)(c)) |
| Improving the Service and diagnosing errors | Legitimate interests (Article 6(1)(f)) |
Who We Share Data With
We use the following sub-processors to operate the Service. All are bound by data processing agreements and comply with UK GDPR.
- Vercel (see Vercel's privacy policy)
- Supabase (see Supabase's privacy policy)
- Stripe (see Stripe's privacy policy)
- Anthropic (see Anthropic's privacy policy)
We do not use any analytics platforms, advertising networks, or remarketing services. We do not use Google Analytics or equivalent.
We may also disclose data where required by law — for example, in response to a valid court order or request from a regulatory authority.
If Nesbitt Web Ltd is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will give you reasonable notice before your data becomes subject to a different privacy policy.
How Long We Keep Your Data
| Data | Retention period |
|---|---|
| Account and financial data | For the duration of your subscription, plus 90 days after termination or expiry, then deleted |
| HMRC OAuth tokens | Until revoked by you or until your account is deleted |
| Fraud prevention logs | As required by HMRC's data retention requirements (currently up to 7 years) |
| Payment records | 7 years, in line with HMRC's financial record-keeping requirements |
| Usage/diagnostic data | Up to 90 days |
If you delete your account, we will delete or anonymise your personal data within 90 days, except where we are required to retain it for legal compliance purposes.
Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your data (subject to legal retention obligations)
- Restriction — ask us to restrict processing of your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw it at any time (this does not affect the lawfulness of processing before withdrawal)
To exercise any of these rights, email us at info@nesbittweb.com. We will respond within one month. We may ask you to verify your identity before processing your request.
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
Cookies
We use only the cookies necessary to operate the Service:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Keeps you logged in during your session | Session (deleted when you close your browser) |
| Auth token | Remembers your login if you choose "stay signed in" | Up to 30 days |
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You can control cookies through your browser settings, but disabling session cookies will prevent you from logging in.
Children's Privacy
The Service is intended for adults managing their own tax affairs. We do not knowingly collect personal data from anyone under the age of 18. If you become aware that a child has provided us with personal data, please contact us at info@nesbittweb.com and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The "last updated" date at the top of this page will always reflect the current version. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
Contact Us
For any questions about this Privacy Policy or to exercise your data rights:
Nesbitt Web Ltd
27 Old Gloucester Street, London, WC1N 3AX
Company number: 09417982
info@nesbittweb.com
For complaints: Information Commissioner's Office (ICO) · 0303 123 1113