Privacy Policy

How we collect, use, share, and protect your personal information.

Last updated: 1 June 2026

MTD Landlord Services (“we”, “us”, or “our”) is operated by MTD Landlord Services Ltd. We provide software for UK landlords and, where enabled, sole traders to keep digital tax records and manage Making Tax Digital for Income Tax Self Assessment (“MTD ITSA”) workflows.

This Privacy Policy applies to our website, application, support channels, emails, and related services (together, the “Service”). It should be read with our Terms of Service, Cookie Policy, and Refund Policy.

1. Data Controller and Contact Details

For most processing described in this policy, MTD Landlord Services Ltd is the data controller. This means we decide why and how personal data is used.

  • Company name: MTD Landlord Services Ltd
  • Company number: 16989676
  • Registered office: 31 Nightjar Way, Rainworth, Mansfield, England, NG21 0WG
  • Registered in: England and Wales
  • Data protection contact: support@mtdlandlordservices.co.uk

HMRC, banks, payment providers, analytics providers, and other third parties may act as independent controllers for their own processing. Their privacy notices explain how they handle data they receive directly or process for their own purposes.

2. Personal Data We Collect

We collect different data depending on how you use the Service.

Account and Profile Data

  • name, email address, login method, user ID, and account status;
  • password authentication data handled through our authentication provider;
  • terms acceptance, marketing preferences, onboarding progress, and settings;
  • subscription tier, trial status, feature access, and usage limits; and
  • support requests, contact messages, replies, and related metadata.

Tax and HMRC Data

  • National Insurance number, MTD Income Tax ID, and UTR where provided;
  • HMRC OAuth tokens, scopes, expiry times, and connection status;
  • business source IDs, obligation data, submission history, and HMRC responses;
  • quarterly updates, year-end adjustments, final declaration workflow data;
  • audit logs for HMRC-related actions and API calls; and
  • technical fraud-prevention headers or device data required by HMRC APIs.

Property, Business, and Co-owner Data

  • property addresses, postcodes, ownership percentages, and purchase dates;
  • co-owner, invitee, relationship, and collaboration details;
  • tenant, rent payment, and property management information where enabled;
  • sole trader business details where self-employment features are enabled; and
  • address lookup, postcode lookup, geocoding, and property image request data.

Financial and Record-keeping Data

  • income, expenses, dates, descriptions, categories, and tax calculations;
  • CSV imports, exports, reports, receipt images, invoices, PDFs, and attachments;
  • AI/OCR extraction results, suggested categories, confidence scores, and raw output;
  • bank account names, account type, last four digits, balances where available, and transactions imported through bank connections; and
  • billing information such as payment processor customer ID, subscription ID, payment status, invoices, refunds, and plan changes.

AI Assistant and OCR Data

  • receipt images, invoice images, PDFs, and temporary signed URLs used for OCR;
  • prompts, messages, and responses when you use the AI assistant;
  • AI-generated suggestions, categories, summaries, and extracted fields; and
  • usage and rate-limit data for AI and OCR features.

Technical, Security, and Usage Data

  • IP address, browser type, device information, timestamps, and request logs;
  • cookies, local storage preferences, session identifiers, and consent choices;
  • security events, rate-limit records, error logs, and diagnostics;
  • website analytics events and page usage where you consent to analytics; and
  • marketing and conversion events where you consent to marketing cookies.

We do not ask you to provide special category data, such as health, biometric, or religious information. Please avoid uploading documents that contain this kind of data unless it is genuinely necessary for your tax records.

3. Where Data Comes From

We collect personal data from:

  • you, when you create an account, enter records, upload documents, or contact us;
  • co-owners, invitees, collaborators, or account users who provide information about you;
  • HMRC, when you authorise an HMRC connection and we retrieve obligations, business details, status data, or submission responses;
  • banks and open banking providers, when you connect a bank account;
  • payment providers, when you subscribe, cancel, refund, or update billing details;
  • third-party sign-in providers where enabled;
  • address lookup, geocoding, and property imagery providers; and
  • cookies, logs, analytics, and security tools used by the Service.

If you provide personal data about another person, such as a co-owner, tenant, accountant, or invitee, you must have a lawful reason to do so and should tell them that their data will be processed by the Service.

4. How We Use Data and Our Lawful Bases

UK GDPR requires us to explain our lawful bases for using personal data. More than one lawful basis may apply to the same data.

  • Providing the Service: account creation, authentication, property records, transactions, reports, exports, dashboards, subscriptions, support, HMRC workflows, AI/OCR features, and bank imports. Lawful basis: contract performance.
  • HMRC authorisation and submissions: connecting to HMRC, retrieving obligations, preparing updates, submitting data you approve, and storing submission records. Lawful basis: contract performance, your authorisation, and our legal obligations where applicable.
  • Tax, accounting, and compliance records: retaining records, invoices, audit logs, and evidence needed for legal, tax, accounting, or dispute purposes. Lawful basis: legal obligation and legitimate interests.
  • Security and abuse prevention: authentication, rate limiting, fraud prevention, misuse detection, service integrity, and incident response. Lawful basis: legitimate interests and legal obligation where applicable.
  • Payments and subscriptions: billing, plan changes, cancellations, failed payments, refunds, and subscription support. Lawful basis: contract performance, legal obligation, and legitimate interests.
  • Communications: service notices, support messages, verification emails, deadline reminders, invite emails, billing emails, and important legal updates. Lawful basis: contract performance, legitimate interests, and legal obligation.
  • Marketing: product updates, educational content, lead follow-up, and newsletters where you opt in or where law permits limited business communications. Lawful basis: consent where required and legitimate interests where permitted. You can unsubscribe at any time.
  • Analytics and product improvement: understanding aggregate usage, fixing bugs, improving flows, and measuring website performance. Lawful basis: consent for non-essential cookies and legitimate interests for essential diagnostics.

Where we rely on legitimate interests, you can object to that processing. We will stop unless we have compelling legitimate grounds to continue or need the data for legal claims, security, fraud prevention, or compliance.

5. AI, OCR, and Automated Processing

We use AI-assisted features to extract receipt data, suggest categories, and provide an in-product assistant where enabled. Receipt images, PDFs, temporary signed file URLs, prompts, and chat messages may be sent to our AI provider so it can return the requested output.

AI outputs can be incomplete or inaccurate. You must review AI-generated fields, categories, summaries, and chatbot responses before relying on them, saving records, or submitting data to HMRC.

We do not use your data to train our own AI models. Third-party AI providers process data according to their service and data processing terms. We may keep AI outputs and related metadata in your account where needed to provide the feature, audit usage, or support your tax records.

We do not make decisions based solely on automated processing that produce legal or similarly significant effects for you. Feature access, rate limits, fraud checks, and subscription gates may be automated, but you can contact us if you think an automated system has affected your account incorrectly.

6. Who We Share Data With

We share data only where needed to provide, secure, support, improve, or comply with obligations relating to the Service.

We do not sell personal data, and we do not share personal data with third parties for their own direct marketing.

Core Service Providers

  • Database, storage, and authentication providers: account login, user records, file storage, access controls, and secure session management.
  • Hosting and infrastructure providers: website and app hosting, deployment, platform logs, caching, and service availability.
  • Security and reliability providers: rate limiting, bot protection, abuse prevention, monitoring, diagnostics, and error reporting.
  • Email and communications providers: transactional email, account notifications, support email handling, and unsubscribe management.

Tax, Finance, and Payment Providers

  • HMRC: MTD ITSA authorisation, obligation retrieval, and tax submissions you approve.
  • Open banking providers: bank account connection and transaction import where you choose to use bank import.
  • Payment processors: checkout, billing, subscription management, invoices, payment status, refunds, and chargeback handling.

AI, Address, Analytics, and Marketing Providers

  • AI service providers: AI receipt/OCR processing, categorisation suggestions, summaries, and chatbot responses where you use those features.
  • Address, postcode, and property data providers: address lookup, postcode search, geocoding, and property imagery where enabled.
  • Analytics and product improvement providers: website analytics, session insights, diagnostics, and product usage analysis where enabled and, where required, consented to.
  • Marketing and advertising partners: conversion measurement, campaign attribution, and advert performance analysis where you consent.

We may also share data with professional advisers, insurers, regulators, courts, law enforcement, payment networks, or acquirers if required for legal, compliance, dispute, security, or corporate transaction purposes.

7. International Transfers

We primarily use UK, EU, and US-based providers. Some providers may process personal data outside the UK. Where this happens, we rely on an appropriate safeguard, such as:

  • UK adequacy regulations or another recognised adequacy mechanism;
  • the UK International Data Transfer Agreement;
  • the UK Addendum to the EU Standard Contractual Clauses;
  • provider data processing terms; and
  • technical and organisational controls such as encryption and access limits.

You can contact us if you want more information about transfer safeguards for a particular provider.

8. How We Protect Data

We use technical and organisational measures designed to protect personal data. These include:

  • TLS/HTTPS for data in transit;
  • AES-256-GCM encryption for selected sensitive fields such as HMRC OAuth tokens, NINO, MTD ID, and bank tokens;
  • envelope encryption and key rotation support for encrypted records;
  • role-based access controls and least-privilege operational access;
  • rate limiting, bot protection, audit logs, and monitoring;
  • separate handling for temporary receipt uploads and signed URLs; and
  • incident monitoring and backup/recovery processes.

No online service can be guaranteed completely secure. You should use a strong password, keep your devices secure, and tell us promptly if you suspect unauthorised access to your account.

9. How Long We Keep Data

We keep personal data only for as long as needed for the purposes described in this policy, including providing the Service, meeting legal obligations, resolving disputes, maintaining security, and enforcing agreements.

  • Tax, property, business, transaction, receipt, submission, and audit records: generally retained while your account is active and, where relevant, for at least 5 years after the 31 January submission deadline for the relevant tax year, or longer if required for late returns, enquiries, disputes, or legal claims.
  • Incomplete signup and onboarding records: if you start signup or onboarding but do not complete it, and there is no active subscription, HMRC connection, bank connection, tax record, or uploaded document linked to the account, we may delete or anonymise the incomplete account and related onboarding data after 14 days of inactivity.
  • HMRC OAuth tokens: retained until you disconnect HMRC, delete your account, or the tokens are replaced or revoked, subject to security logs and compliance records.
  • Bank connection tokens: retained until you disconnect the bank account, delete your account, or the connection expires, subject to security logs and compliance records.
  • Billing records: retained for as long as needed for accounting, tax, payment, refund, chargeback, and dispute purposes.
  • Support and contact messages: retained for as long as needed to handle your request, maintain a support history, and protect our legal position.
  • Marketing subscription records: retained until you unsubscribe or until we no longer need to prove consent or suppression status.
  • Cookies, analytics, and local storage: handled as described in our Cookie Policy.

If you request deletion, we will delete or anonymise data where possible, but some records may need to be retained until the applicable retention period expires.

10. Your UK GDPR Rights

Depending on the circumstances, you may have the right to:

  • request access to your personal data;
  • request correction of inaccurate or incomplete data;
  • request deletion of personal data;
  • object to processing based on legitimate interests;
  • request restriction of processing;
  • request portability of data you provided to us;
  • withdraw consent where we rely on consent; and
  • complain to the Information Commissioner's Office.

You can exercise these rights by contacting support@mtdlandlordservices.co.uk. We may need to verify your identity before acting on a request. We normally respond within one month, unless UK GDPR allows more time for complex or multiple requests.

Some rights are not absolute. For example, we may need to retain tax, accounting, security, or HMRC audit records even after an account deletion request.

11. Marketing and Service Messages

We may send service messages that are necessary for your account, such as verification emails, security notices, subscription emails, HMRC deadline reminders, submission confirmations, support replies, and legal updates. These are not marketing messages.

We send marketing emails only where we have a lawful basis to do so. You can opt out using the unsubscribe link in marketing emails or by contacting us. We may keep a suppression record so we do not send marketing to an unsubscribed address.

12. Cookies and Similar Technologies

We use cookies and local storage for authentication, security, preferences, analytics, and marketing where consented to. Non-essential analytics and marketing tools are controlled through our cookie banner and preferences panel.

For details, see our Cookie Policy.

13. Children

The Service is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will take appropriate steps.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If a change is material, we will give at least 30 days' notice where reasonably practicable by email, in-product notice, website notice, or another reasonable method. We may make urgent changes sooner where required by law, security, provider requirements, or to protect the Service. The date at the top shows when this policy was last updated.

15. Contact and Complaints

For privacy questions or rights requests, contact support@mtdlandlordservices.co.uk.

You also have the right to complain to the Information Commissioner's Office:

  • Website: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF