Privacy Policy

Last updated: 6 February 2026

1. Who We Are

MTD Simple is a trading name of Sabia Solutions Ltd, a company registered in England and Wales. We are the data controller responsible for your personal data.

If you have any questions about this privacy policy or how we handle your data, please contact us at privacy@mtdsimple.io.

2. What Data We Collect

We collect and process the following categories of personal data:

  • Account information: your name, email address, and password (stored in hashed form).
  • Business information: your self-employment business details, including business name, trade classification, and accounting periods.
  • Tax data: income and expense figures you provide for Making Tax Digital (MTD) quarterly updates, End of Period Statements, and final declarations.
  • HMRC authorisation tokens: OAuth 2.0 tokens that allow us to submit data to HMRC on your behalf.
  • Technical data: IP address, browser type, and device information collected automatically when you use our service.
  • Usage data: pages visited, features used, and timestamps of your interactions with MTD Simple.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To create and manage your MTD Simple account.
  • To submit quarterly updates, End of Period Statements, and final declarations to HMRC via the Making Tax Digital for Income Tax Self Assessment (MTD ITSA) APIs.
  • To calculate estimated tax liabilities based on the data you provide.
  • To display your MTD obligations and deadlines.
  • To send you important notifications about upcoming deadlines and submission statuses.
  • To improve and maintain the security of our service.

4. Legal Basis for Processing

Under UK GDPR, we rely on the following legal bases:

  • Contract: processing is necessary to provide you with the MTD Simple service you have signed up for (Article 6(1)(b)).
  • Legal obligation: where processing is required to comply with tax or regulatory requirements (Article 6(1)(c)).
  • Legitimate interests: to improve our service, ensure security, and prevent fraud (Article 6(1)(f)).
  • Consent: where we send you optional marketing communications, which you can withdraw at any time (Article 6(1)(a)).

5. Sharing Your Data

We share your personal data with the following third parties only as necessary to provide our service:

  • HM Revenue & Customs (HMRC): we submit your tax data directly to HMRC via their official MTD APIs. This is the core function of our service and is done under your explicit authorisation.
  • Hosting providers: our infrastructure providers who store and process data on our behalf, under strict data processing agreements.
  • Email service providers: to send you transactional emails such as password resets and deadline reminders.

We do not sell your personal data to any third party. We do not share your data with advertisers or marketing platforms.

6. Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption of data in transit using TLS/HTTPS.
  • Encryption of sensitive data at rest, including HMRC authorisation tokens.
  • Secure password storage using industry-standard hashing algorithms.
  • Regular security reviews and updates.
  • Access controls limiting who can access personal data within our organisation.

7. Data Retention

We retain your personal data for as long as necessary to provide our service and comply with legal obligations:

  • Account data: retained while your account is active and for up to 30 days after account deletion to allow recovery.
  • Tax submission data: retained for a minimum of 6 years after the end of the relevant tax year, in line with HMRC record-keeping requirements.
  • HMRC tokens: deleted immediately when you disconnect your HMRC authorisation or delete your account.
  • Technical and usage data: retained for up to 12 months for security and analytics purposes.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data, subject to legal retention requirements.
  • Right to restrict processing: request that we limit how we use your data in certain circumstances.
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format.
  • Right to object: object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at privacy@mtdsimple.io. We will respond to your request within one month.

9. Cookies

MTD Simple uses the following cookies:

  • Session cookies: essential for keeping you logged in and maintaining security (e.g. CSRF protection). These are strictly necessary and do not require consent.
  • Preference cookies: to remember your settings and preferences.

We do not use third-party advertising or tracking cookies.

10. International Transfers

Your data is primarily stored and processed within the United Kingdom and the European Economic Area. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the Information Commissioner's Office (ICO).

11. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

We would appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first at privacy@mtdsimple.io.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any significant changes by email or by displaying a prominent notice within the service. Your continued use of MTD Simple after changes are posted constitutes your acceptance of the updated policy.