Privacy Policy
Last updated: 25 February 2026 · Amelia GB Ltd, Company No. 07124049
1. Who We Are
Amelia GB Ltd ("we", "us", "our") is the data controller for BankConverter.co.uk and TaxBridge UK. We are registered in England and Wales under Company No. 07124049.
- Trading names: BankConverter, TaxBridge UK
- Privacy contact: privacy@bankconverter.co.uk
- ICO registration: We are registered with the Information Commissioner's Office (ICO) as required under the UK GDPR and Data Protection Act 2018.
2. What Data We Collect
| Data Category | Examples | Lawful Basis |
|---|---|---|
| Account information | Name, email address, company name, hashed password | Contract performance |
| Tax identifiers | National Insurance Number (NINO), Unique Taxpayer Reference (UTR) | Contract performance; Legal obligation (HMRC MTD) |
| HMRC OAuth tokens | Access token, refresh token (encrypted with Fernet symmetric encryption at rest) | Contract performance; Consent (HMRC OAuth authorisation) |
| Financial data | Bank statement transactions, income & expense categories, Self Assessment submissions | Contract performance |
| Payment data | Stripe customer ID, subscription ID (card details are held solely by Stripe) | Contract performance |
| HMRC fraud prevention headers | IP address, device identifiers, timezone, browser user-agent, window dimensions (collected as required by HMRC) | Legal obligation (HMRC Fraud Prevention specification) |
| Technical data | IP address, browser type, session cookies | Legitimate interest (security, service operation) |
| Receipt images | Uploaded receipt photos for OCR processing | Contract performance |
3. HMRC API Integration
TaxBridge UK connects to the HMRC Making Tax Digital (MTD) APIs to submit and retrieve Self Assessment data on your behalf. When you authorise us via HMRC's OAuth 2.0 flow:
- You are redirected to HMRC's own website to grant consent — we never see your HMRC Government Gateway password.
- We receive an OAuth access token and refresh token, which are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before being stored in our database.
- Tokens are used solely to interact with the HMRC APIs you have authorised (e.g. Self Assessment for Individuals).
- You may revoke access at any time via your HMRC online account or by contacting us.
3.1 HMRC Fraud Prevention Headers
HMRC requires all software connecting to their APIs to transmit fraud prevention headers with each request. This is a legal obligation under HMRC's terms of use. Headers include your IP address, device identifiers, timezone, screen dimensions, and browser user-agent. These are sent directly to HMRC and are not used by us for any other purpose. For details, see HMRC's Fraud Prevention specification.
4. How We Use Your Data
- To provide the BankConverter and TaxBridge UK services (bank statement conversion, income/expense mapping, MTD submissions)
- To manage your account and subscription
- To process payments via Stripe
- To submit Self Assessment data to HMRC on your behalf
- To comply with HMRC fraud prevention requirements
- To respond to your support enquiries
- To maintain security and prevent abuse
5. Data Sharing
We do not sell your data. We share data only with the following third parties as necessary to provide our services:
| Recipient | Purpose | Data Shared |
|---|---|---|
| HMRC | MTD Self Assessment submissions and fraud prevention | Tax data, NINO/UTR, fraud prevention headers |
| Stripe, Inc. | Payment processing | Email, name, payment card details (directly to Stripe) |
| Google (OAuth login) | Optional single sign-on | Email, name (if you choose Google login) |
6. Data Security
- Passwords are hashed using bcrypt with unique salts.
- HMRC OAuth tokens are encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256).
- All connections use HTTPS/TLS encryption in transit.
- Session cookies use Secure, HttpOnly, and SameSite attributes.
- Uploaded files are processed in temporary storage and deleted after conversion.
- Rate limiting is applied to prevent brute-force attacks.
- Bot protection uses server-side honeypot fields and session-based time validation — no third-party services or user data sharing required.
- Web fonts are self-hosted — no requests are made to external font services (e.g. Google Fonts), eliminating unnecessary data exposure.
- Automatic session timeout after 10 minutes of inactivity.
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion | Service provision |
| Tax records (Self Assessment submissions, NINO, UTR) | 7 years from the end of the relevant tax year | HMRC record-keeping requirements; legal obligation |
| Conversion history | Until account deletion | Service provision |
| Uploaded files (PDFs, CSVs) | Deleted immediately after processing | Not retained |
| Receipt images | Until deleted by user or account deletion | Service provision |
| Payment records | 7 years | Financial record-keeping; legal obligation |
| Contact messages | 2 years | Customer service |
8. CSV Export & Data Portability
You can export your data at any time:
- Converted bank statements are available for download as CSV files immediately after conversion.
- Income & expense reports can be exported as CSV via the mapper tool.
- Self Assessment data can be viewed and exported from your MTD dashboard.
- You may request a full copy of your personal data by emailing privacy@bankconverter.co.uk.
9. Cookies
We use session cookies only for essential functionality:
| Cookie | Purpose | Duration |
|---|---|---|
| session | User authentication, CSRF protection, flash messages | Expires after 10 minutes of inactivity or on browser close |
We do not use tracking, analytics, or advertising cookies by default. If analytics or marketing cookies are introduced in future, they will require your explicit consent via the cookie banner.
10. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure — request deletion of your data (subject to legal retention obligations)
- Right to restrict processing — limit how we use your data
- Right to data portability — receive your data in a machine-readable format (CSV)
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — where processing is based on consent (e.g. HMRC OAuth), you may withdraw at any time
To exercise any of these rights, email privacy@bankconverter.co.uk. We will respond within 30 days.
11. Account Deletion
You can delete your account at any time from the Account Settings page. This will:
- Cancel any active Stripe subscriptions
- Delete your conversion history and receipt images
- Remove your personal data from our active systems
- Note: tax records required by law may be retained for up to 7 years in anonymised form
12. International Transfers
Your data is processed and stored in the United Kingdom. Where third-party services (e.g. Stripe, Google OAuth) process data outside the UK, they do so under appropriate safeguards including Standard Contractual Clauses or UK adequacy decisions. Web fonts are self-hosted and do not involve any cross-border data transfers.
13. Children
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
14. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
We encourage you to contact us at privacy@bankconverter.co.uk first so we can try to resolve your concern directly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the website. The "Last updated" date at the top reflects the most recent revision.
Contact us: Amelia GB Ltd, Company No. 07124049 · privacy@bankconverter.co.uk