Privacy Policy
Last updated: December 2025
SubmitFox ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our tax filing software service.
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
SubmitFox is a tax filing software service that helps individuals and businesses submit tax returns to HM Revenue & Customs (HMRC). We are the data controller for the personal data we collect.
2. What Data We Collect
2.1 Account Information
- Email address
- Password (stored as a secure hash, never in plain text)
- Name
- Phone number (optional)
- Company name (if applicable)
2.2 Tax Information
- Unique Taxpayer Reference (UTR)
- National Insurance Number (NINO)
- VAT Registration Number (VRN)
- Company Registration Number
- Income and expense figures
- Tax return form data
2.3 Technical Data
- IP address
- Browser type and version
- Device information
- Login timestamps
- Usage data and analytics
2.4 Payment Information
- Payment card details are processed securely by Stripe and are never stored on our servers
- We store transaction records and billing history
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing our tax filing service | Contract performance |
| Submitting returns to HMRC on your behalf | Contract performance |
| Processing payments | Contract performance |
| Sending service-related communications | Legitimate interest |
| Improving our service | Legitimate interest |
| Complying with legal obligations | Legal obligation |
| Marketing communications (with consent) | Consent |
| Fraud prevention (HMRC requirement) | Legal obligation |
4. HMRC Data Sharing
Important: When you authorise SubmitFox to connect to HMRC, we use OAuth 2.0 authentication. This means:
- We never see or store your Government Gateway password
- We receive secure access tokens to submit returns on your behalf
- You can revoke our access at any time from your HMRC account
We share the following data with HMRC as required for tax submissions:
- Your tax return data
- Fraud prevention headers (IP address, device information) as required by HMRC
- Your taxpayer identifiers (UTR, NINO, VRN)
5. Data Storage and Security
5.1 Where We Store Your Data
Your data is stored on secure servers located in the United Kingdom. We do not transfer your data outside the UK.
5.2 How We Protect Your Data
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher encryption
- Encryption at rest: Sensitive data including tax identifiers and OAuth tokens are encrypted using AES-256
- Password security: Passwords are hashed using bcrypt and never stored in plain text
- Access controls: Strict role-based access controls limit employee access to data
- Regular security testing: We conduct regular security assessments
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Tax return data | 7 years (HMRC requirement) |
| Submission receipts | 7 years (HMRC requirement) |
| Payment records | 7 years (legal requirement) |
| HMRC access tokens | Until expired or revoked |
| Support chat history | 1 year |
| Server logs | 90 days |
7. Your Rights
Under UK GDPR, you have the following rights:
7.1 Right of Access
You can request a copy of all personal data we hold about you. Use the "Download My Data" feature in your account settings, or contact us.
7.2 Right to Rectification
You can update your personal information through your account settings, or contact us to correct any inaccuracies.
7.3 Right to Erasure
You can delete your account and associated data using the "Delete My Account" feature. Note that we must retain certain data (such as tax submission records) for legal compliance.
7.4 Right to Data Portability
You can export your data in a machine-readable format (JSON) using the "Download My Data" feature.
7.5 Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
7.6 Right to Object
You can object to processing based on legitimate interests, and you can opt out of marketing communications at any time.
7.7 Right to Withdraw Consent
Where we process data based on consent, you can withdraw that consent at any time.
Exercise Your Rights
To exercise any of these rights, please:
- Use the relevant feature in your account settings, or
- Email us at: [email protected]
We will respond within 30 days.
8. Cookies
We use the following types of cookies:
- Essential cookies: Keep you logged in and maintain your session
- Preference cookies: Remember your settings
- Analytics cookies: Understand how you use our service (with your consent)
You can manage cookie preferences through our cookie banner or your browser settings.
9. Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| HMRC | Tax return submission | Tax data, fraud prevention data |
| Stripe | Payment processing | Payment card details |
| OpenAI | AI tax guidance (FoxChat) | Anonymised queries only - no PII sent |
10. Children's Privacy
Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our website. The "Last updated" date at the top of this policy indicates when it was last revised.
12. Complaints
If you have concerns about how we handle your data, please contact us first. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
13. Contact Us
SubmitFox Data Protection
Email: [email protected]