Privacy Policy
Last updated:
How Amaesa Tax collects, uses, shares, retains and protects personal data, and your rights under the UK GDPR and the Data Protection Act 2018.
1. Who we are
This policy is issued by Amaesa Tax Ltd ([company number — to be added on incorporation]), trading as Amaesa Tax, of [registered office address — to be added once incorporated] ("Amaesa Tax", "we", "us" or "our"). We are registered with the UK Information Commissioner's Office ([ICO registration number — to be added once registered with the ICO]).
Amaesa Tax builds and operates a practice management platform for UK accountancy firms, covering Self Assessment, VAT, Payroll, Accounts & Corporation Tax, Bookkeeping, Company Secretarial and AML/KYC, together with a white-labelled client portal and app, document management, and billing.
2. Scope of this policy
This policy explains how we handle personal data when:
- an accountancy firm (a "Firm") signs up for and administers an Amaesa Tax account;
- a Firm's staff use the firm portal;
- a Firm's clients (an "Individual") use the white-labelled client portal or app; and
- anyone visits our marketing website at amaesa.co.uk.
If you're the client of an accountancy firm that uses Amaesa Tax, please also read that firm's own privacy notice — as explained in section 3, your firm is usually the controller of your tax and financial data, and their notice governs how they use it. This policy explains our role as their processor, and our role as controller for the platform itself (your account credentials, cookies, support communications, and so on).
3. When we're a controller, and when we're a processor
UK data protection law distinguishes between two roles, and Amaesa Tax occupies both, depending on the data in question:
- Data controller — for account, billing, marketing and platform-usage data about Firms, their staff, and our own website visitors, we decide the purposes and means of processing, so we're the controller.
- Data processor — for the tax, financial, employment, company and due-diligence data that a Firm inputs, uploads, or has its clients submit through the platform in the course of using our modules, the Firm is the controller and Amaesa Tax is their processor, acting only on the Firm's documented instructions under Article 28 UK GDPR. Those instructions, and our obligations as processor, are set out in the data processing terms incorporated into our Terms of Service with each Firm.
This also applies to AML/KYC due diligence: the Firm remains the entity subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLR 2017") as the regulated accountancy service provider. We provide software to help them apply, record and review that due diligence — we don't decide who a Firm accepts as a client or what risk rating they apply.
4. Information we collect
- Account and identity data: name, work email address, role, firm affiliation, authentication credentials, and multi-factor authentication status.
- Tax and financial data (processed on a Firm's instructions): income sources (employment, self-employment, dividends, property, interest, capital gains, pensions), VAT transactions, payroll and National Insurance details, company accounts and Corporation Tax computations, ledger and bookkeeping entries, and company secretarial records (officers, PSC register, filings).
- Due diligence data: identity verification information and risk ratings captured through the AML/KYC module, which may include copies of identity documents. See section 7 on special category data.
- Documents: files uploaded to the platform (e.g. bank statements, invoices, engagement letters) and their metadata (filename, folder, upload date, visibility).
- Billing data: billing contact details, subscription plan, and invoice history. Card details are entered directly into Stripe and never touch our servers — see section 9.
- Communications: support requests, in-platform messages between a Firm and its clients, and correspondence with us.
- Usage and device data: IP address, browser and device information, pages visited, timestamps, and actions taken (login, filing, document access), captured in our append-only audit log.
- Cookies and similar technologies: see our Cookie Policy.
5. How we collect information
- Directly from you, when you register, use the platform, or contact support.
- From your accountancy firm, if you're their client — they invite you to the portal and may upload or enter information about you in the course of preparing your tax affairs.
- Automatically, through your use of the platform — server logs, audit log entries, and cookies.
- From third parties: HMRC and Companies House (confirming the status of a filing submitted at a Firm's instruction), Stripe (payment confirmation), and identity verification/AML providers once a Firm has engaged one through the platform.
6. How we use your information, and our lawful basis
Under UK GDPR Article 6, we only process personal data where we have a lawful basis to do so:
| Purpose | Categories of data | Lawful basis |
|---|---|---|
| Creating and administering Firm, staff and client accounts | Identity, contact, account credentials | Performance of a contract (Art 6(1)(b)) |
| Providing the Self Assessment, VAT, Payroll, Accounts & CT, Bookkeeping, Company Secretarial and AML modules | Tax, financial, employment, company and due-diligence data | Performance of our contract with the Firm (Art 6(1)(b)); processed as processor on the Firm's instructions |
| Submitting filings to HMRC and Companies House at a Firm's instruction | Tax and company data | Performance of a contract (Art 6(1)(b)); compliance with a legal obligation where filing is a statutory requirement (Art 6(1)(c)) |
| Billing and subscription management | Billing contact details, payment metadata | Performance of a contract (Art 6(1)(b)) |
| Keeping the platform secure, preventing abuse, and enforcing rate limits/quotas | Account activity, IP address, device/log data | Legitimate interests (Art 6(1)(f)) — keeping the service available and safe for every Firm |
| Maintaining the audit log of logins, filings, document access and support actions | Account activity, timestamps, actor identity | Legal obligation and legitimate interests (Art 6(1)(c)/(f)) — accountability and evidencing compliance |
| Responding to support requests | Contact details, correspondence | Legitimate interests (Art 6(1)(f)) / performance of a contract |
| Sending service and security notices | Contact details | Legal obligation and legitimate interests |
| Sending marketing communications | Contact details | Consent (Art 6(1)(a)), only where you've opted in — withdrawable at any time |
| Complying with our own legal, regulatory and professional obligations | Relevant account/billing data | Legal obligation (Art 6(1)(c)) |
7. Special category data and anti-money laundering checks
Identity verification carried out through the AML/KYC module may involve documents (such as a passport or driving licence) that reveal special category data within the meaning of Article 9 UK GDPR, or that a Firm chooses to treat with equivalent care. Where this applies, our lawful basis is the substantial public interest condition for preventing or detecting unlawful acts (Article 9(2)(g) UK GDPR, read with Schedule 1, Part 2, paragraph 10 of the Data Protection Act 2018), reflecting the Firm's own obligations as a regulated business under MLR 2017.
This data is processed strictly as instructed by the Firm, for due diligence and ongoing monitoring purposes only.
10. International transfers
Our primary infrastructure is hosted in the EU/Ireland, which the UK's own adequacy regulations recognise as providing an adequate level of protection, so no additional safeguard is needed for that transfer.
Where a sub-processor is located outside the UK and the EEA (for example, in the United States), we put an appropriate transfer mechanism in place before any personal data is transferred — either the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or reliance on the UK extension to the EU–US Data Privacy Framework ("UK–US Data Bridge") where the recipient is certified. The safeguard used for each sub-processor is noted on our Sub-processors page.
11. How long we keep information
- Tax and accounting data: retained for the duration of a Firm's contract with us, plus a reasonable period afterward to allow export or handover, reflecting the underlying statutory retention periods that apply to the Firm (HMRC requires Self Assessment records to be kept for at least five years from the 31 January filing deadline; company accounting records generally must be kept for six years under the Companies Act 2006).
- AML due diligence records: retained for five years from the end of the business relationship, in line with Regulation 40 of MLR 2017, unless a Firm is required or permitted to retain them for longer.
- Account data: retained while an account is active, and for a limited period afterward for legal and accounting purposes, generally aligned with the six-year contractual limitation period under the Limitation Act 1980.
- Audit logs: retained to support security investigations and to provide evidence of compliance.
- Marketing data: retained until you withdraw consent or unsubscribe.
12. How we protect your information
Every table in our database is scoped by tenant and protected by Postgres Row-Level Security, so a bug in the application layer can never leak one Firm's data into another's. On top of that: TLS in transit, encryption at rest, mandatory multi-factor authentication for our own staff, an append-only audit log of every login, filing, document access and support action, and rate limiting/capacity quotas to keep the platform stable and to stop any single account from overwhelming it.
If a personal data breach occurs that's likely to result in a risk to individuals, we'll notify the ICO within 72 hours as required by Article 33 UK GDPR, and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34.
13. Automated decision-making and profiling
Our Self Assessment, VAT, Payroll, and Corporation Tax computations are produced by deterministic, rules-based calculation engines — not artificial intelligence or machine learning — and every computation is held in draft until a Firm's own qualified staff review and approve it before anything is filed. Our AI-assisted document extraction feature only pre-fills draft fields from an uploaded document for a human to check; it doesn't decide anything by itself. We don't make any decision about you based solely on automated processing that produces legal or similarly significant effects, within the meaning of Article 22 UK GDPR.
14. Your rights under UK data protection law
Subject to certain exemptions and conditions, you have the following rights under UK GDPR:
- Right of access (Article 15) — request a copy of the personal data we hold about you.
- Right to rectification (Article 16) — ask us to correct inaccurate or incomplete data.
- Right to erasure (Article 17) — ask us to delete your data, subject to our (and our Firm customers') legal obligation to retain tax and AML records for the statutory periods described in section 11.
- Right to restrict processing (Article 18) — ask us to limit how we use your data in certain circumstances.
- Right to data portability (Article 20) — receive certain data in a structured, machine-readable format.
- Right to object (Article 21) — object to processing based on legitimate interests, and to direct marketing at any time.
- Rights related to automated decision-making (Article 22) — as explained in section 13, we don't currently make solely-automated decisions with legal or similarly significant effects about you.
- Right to withdraw consent at any time, where consent is our lawful basis, without affecting processing carried out before withdrawal.
15. How to exercise your rights
If you're the client of a Firm that uses Amaesa Tax, your Firm is usually the controller of your tax and financial data, so they're the right first point of contact for most requests. You're also welcome to contact us directly at privacy@amaesa.co.uk: where we control the data ourselves, we'll respond directly; where we're only a processor, we'll pass your request to the relevant Firm promptly and let you know we've done so.
We'll respond within one calendar month of a valid request, extendable by a further two months for complex or numerous requests (Article 12(3) UK GDPR), and we may need to verify your identity first. There's ordinarily no charge, except where a request is manifestly unfounded or excessive.
16. How to complain
We'd like the chance to put things right, so please contact us first at privacy@amaesa.co.uk. You also have the right to lodge a complaint with the UK's independent regulator at any time:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113 · Website: ico.org.uk
17. Children's information
Amaesa Tax is a business-to-business platform, and its Self Assessment, VAT, Payroll, Corporation Tax and AML functionality is inherently intended for use by adults and companies acting through their accountancy Firm. We don't knowingly collect personal data from children. If we become aware that we've done so without an appropriate lawful basis, we'll delete it.
18. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top always reflects the current version; where a change is material, we'll notify Firms and account holders via the platform or by email. Earlier versions are available on request.
19. Contact us
Amaesa Tax Ltd ([company number — to be added on incorporation])
[registered office address — to be added once incorporated]
ICO registration: [ICO registration number — to be added once registered with the ICO]
Privacy queries: privacy@amaesa.co.uk
See also our Terms of Service, Cookie Policy, Acceptable Use Policy and Sub-processors page.