Last Updated: 24 January 2026
1. Who We Are
MTD Landlord Services (“we”, “our”, “us”) is a trading name of MTD Landlord Services Ltd. We are the data controller for the personal data processing involved in providing our service.
2. Data We Collect
We collect different types of data depending on how you use our service:
Account Data
- Email address
- Full name
- Password (hashed - we never store plaintext passwords)
Tax Identifiers
- National Insurance Number (NINO) - encrypted at rest
- MTD Income Tax ID (MTDITID) - encrypted at rest
- Unique Taxpayer Reference (UTR) - if provided
HMRC Connection Data
- OAuth access tokens - encrypted at rest
- OAuth refresh tokens - encrypted at rest
- Token expiry timestamps
- Connection status and scopes
Property Data
- Property addresses and postcodes
- Ownership percentages and roles (owner, co-owner, agent)
- Property type and rental status
Transaction Data
- Income amounts and dates
- Expense amounts and dates
- Transaction descriptions
- HMRC category classifications
- Receipt images (if uploaded)
Bank Data (if using Bank Import)
- Bank account names and types
- Last 4 digits of account numbers (we do not store full account numbers)
- Transaction history imported via Plaid
- Bank connection access tokens - encrypted at rest
Technical Data
- IP address (hashed for trial abuse prevention)
- Browser type and version
- Device information
- Session data and cookies
- Timestamps of account activity
3. How Your Data is Protected
We take the security of your data seriously and implement multiple layers of protection:
Encryption at Rest
- AES-256-GCM encryption for sensitive data including:
- HMRC OAuth tokens
- National Insurance Numbers (NINO)
- MTD Income Tax IDs (MTDITID)
- Bank access tokens
- Envelope encryption with per-record unique keys
- Key rotation support to maintain security over time
Encryption in Transit
- All data transmitted over TLS 1.2 or higher
- HTTPS enforced on all endpoints
- Secure connections to HMRC and banking APIs
Authentication Security
- Passwords are never stored by us - authentication handled by Supabase Auth
- Passwords hashed using industry-standard algorithms
- Session tokens with secure expiry
4. Legal Basis for Processing
Under the UK GDPR, we process your personal data on the following legal bases:
- Contract Performance: Processing necessary to provide you with our service, including storing your property and transaction data, connecting to HMRC, and submitting tax returns on your behalf.
- Legal Obligation: Processing required to provide tax submission services to HMRC on your behalf.
- Legitimate Interests: Processing for fraud prevention, security monitoring, service improvement, and debugging (where these interests do not override your rights).
- Consent: For optional features such as marketing communications (you can withdraw consent at any time).
5. How We Use Your Data
We use your data to:
- Calculate your tax liability including Section 24 tax credit restrictions
- Submit quarterly updates and annual returns to HMRC via Making Tax Digital
- Provide dashboards, reports, and financial summaries
- Import and categorise bank transactions
- Send service notifications (submission confirmations, deadline reminders)
- Provide customer support
- Detect and prevent fraud and abuse
- Improve our service based on usage patterns (anonymised)
6. Third-Party Services
We share your data with the following third parties to provide our service:
Supabase (Authentication & Database)
- Handles user authentication and database hosting
- Data stored in EU region
- Privacy Policy: supabase.com/privacy
HMRC (Tax Submissions)
- You authorise us to submit data to HMRC via OAuth
- We only submit data when you explicitly click “Submit”
- HMRC is a UK government department
Plaid (Bank Connections)
- Powers the bank import feature
- You authorise Plaid directly with your bank - we never see your banking credentials
- Privacy Policy: plaid.com/legal
Stripe (Payments)
- Processes subscription payments
- We do not store your full card details
- Privacy Policy: stripe.com/privacy
Sentry (Error Monitoring)
- Captures application errors for debugging
- No personally identifiable information (PII) is intentionally sent
- Privacy Policy: sentry.io/privacy
7. Data Retention
We retain your data for the following periods:
- Transaction Records: Retained while your account is active. Subject to HMRC record-keeping requirements (at least 5 years after the relevant tax year submission deadline).
- Property Records: Retained while your account is active. Subject to HMRC record-keeping requirements (at least 5 years after the relevant tax year submission deadline).
- HMRC Submission Records: Retained per HMRC requirements (at least 5 years after the submission deadline), then deleted when eligible.
- Audit Logs: Retained for compliance and debugging purposes. Subject to HMRC record-keeping requirements where applicable.
- HMRC OAuth Tokens: Until you disconnect your HMRC account or delete your account.
- Bank Connection Tokens: Until you disconnect the bank account or delete your account.
- Account Data: Until you request account deletion, subject to HMRC retention requirements for tax-related records.
Important: HMRC requires landlords to keep records for at least 5 years after the 31 January submission deadline of the relevant tax year. If you request account deletion, tax-related records (transactions, properties, submissions, and audit logs) may be retained until the HMRC retention period expires. We recommend using the “Export Data” feature in Settings to download your records before deleting your account.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of your personal data. You can use our “Export Data” feature in Settings, or contact us for a full Subject Access Request.
- Right to Rectification: Request correction of inaccurate data. You can edit most data directly in the app.
- Right to Erasure: Request deletion of your data, subject to HMRC retention requirements (see Section 7).
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Restrict Processing: Request we limit how we use your data.
- Right to Withdraw Consent: Withdraw consent for optional processing (e.g., marketing) at any time.
To exercise these rights, contact us at support@mtdlandlordservices.co.uk. We will respond within one month.
9. International Data Transfers
Your data is primarily processed within the UK and EU:
- Database: Hosted by Supabase in EU region
- HMRC: UK Government
- Plaid: May process data in the US under Standard Contractual Clauses
- Stripe: May process data in the US under Standard Contractual Clauses
Where data is transferred outside the UK/EU, appropriate safeguards are in place including Standard Contractual Clauses approved by the ICO.
10. Cookies
We use cookies for:
- Essential cookies: Required for authentication and security
- Preference cookies: Remember your settings (e.g., dark mode)
We do not use advertising or tracking cookies.
11. Children's Privacy
Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through a notice on our website. The “Last Updated” date at the top indicates when the policy was last revised.
13. Contact Us & Complaints
If you have questions about this Privacy Policy or how we handle your data:
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):