Last updated: July 2026
Privacy Policy
This Privacy Policy explains how Acciom Limited ("we", "us", "QuickEasyTax") collects, uses, stores, and protects your personal data when you use our services at quickeasytax.co.uk and app.quickeasytax.co.uk. We are committed to protecting your privacy in compliance with UK GDPR.
Who we are
QuickEasyTax is operated by Acciom Limited, a company incorporated in England and Wales (Companies House: 11862326). We are registered with the Information Commissioner's Office (ICO) as a data controller. For data requests, contact: privacy@quickeasytax.co.uk.
What data we collect
- Account information: Your name, email address, and password (stored as a bcrypt hash).
- Company information: Your company name, registration number, UTR, VRN, NINO (sole traders), accounting period, and VAT scheme.
- Financial data: Transactions, invoices, journal entries, and HMRC submission records you create in the app.
- HMRC OAuth tokens: Encrypted access and refresh tokens issued by HMRC, stored AES-256-GCM encrypted.
- Bank connection tokens: TrueLayer OAuth tokens for Open Banking, stored AES-256-GCM encrypted.
- Payment information: We do not store card details. Stripe processes payments and provides us with a customer ID and subscription status only.
- Usage data: IP addresses and HTTP request logs retained for security and audit purposes (30-day rolling).
Why we collect it
- To provide the QuickEasyTax service — bookkeeping, VAT, CT600, and ITSA filing.
- To submit tax returns to HMRC on your behalf via OAuth-authorised API calls.
- To import bank transactions via Open Banking on your behalf.
- To process your subscription payments via Stripe.
- To send you service-related communications (account, billing, filing reminders).
- To comply with HMRC record-keeping requirements (7-year retention).
How we store it
Your data is stored in a Turso (LibSQL/SQLite) database hosted in the EU (AWS eu-west-1). HMRC OAuth tokens and TrueLayer bank tokens are encrypted using AES-256-GCM before writing to the database — the encryption key is derived from your account credentials and never stored in plain text. Application code is deployed on Vercel's EU infrastructure. All data is transmitted over TLS 1.2 or higher.
How long we keep it
- Financial records: 7 years from the end of the relevant tax year, as required by HMRC.
- Account data: For the duration of your subscription, plus 7 years for financial records.
- Security logs: 30 days rolling.
- Deleted accounts: Financial records retained for 7 years; personal account data deleted within 30 days of deletion request.
Your rights
Under UK GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate data.
- Erasure: Ask us to delete your account and personal data (subject to our 7-year financial record retention obligation).
- Portability: Export your data at any time from Settings — all transactions, invoices, and submissions in a machine-readable format.
- Objection: Object to processing for direct marketing (we do not send marketing emails without consent).
To exercise any of these rights, email privacy@quickeasytax.co.uk. We will respond within 30 days.
Data export and deletion
You can export all your data at any time from Settings → Data. This produces a ZIP file containing all your transactions, invoices, VAT returns, and HMRC submissions. You can delete your account from Settings → Account → Delete Account. This immediately disables your account. Financial records are retained for 7 years per HMRC requirements; all other personal data is deleted within 30 days.
Third parties
- TrueLayer: FCA-authorised Open Banking provider. Used for bank feed connections. TrueLayer's privacy policy applies to data processed by their platform.
- Stripe: Payment processor. Stripe stores and processes card data under their own PCI-DSS compliance. We never see your card number.
- Emailit: SMTP provider for transactional emails. Email addresses and message content are processed to deliver emails.
- HMRC: We submit tax data to HMRC on your behalf as your authorised agent via OAuth. HMRC's own privacy notice applies to data processed by them.
- Anthropic (Claude): Transaction descriptions are sent to Anthropic's API for categorisation. We do not send identifying personal information. Anthropic's privacy policy applies.
Cookies
We use only essential cookies — specifically, a session cookie (authjs.session-token) to maintain your login session and an active_company_id cookie for your company switcher preference. No tracking cookies. No analytics. No third-party advertising pixels.
Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). HMRC and TrueLayer tokens are additionally encrypted at the application layer before database storage. Session tokens are stored in HttpOnly, Secure, SameSite=Lax cookies — not localStorage. Authorization headers and API keys are redacted from all logs.
Your right to complain
If you believe we have not handled your data correctly, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk/concerns or by calling 0303 123 1113.
Contact
For any privacy-related questions or data requests: privacy@quickeasytax.co.uk
Acciom Limited · Companies House 11862326 · ICO Registered