
Privacy Policy

Effective date: 12 February 2026

1. Introduction

Regulas ("we", "our", "us") provides Making Tax Digital for Income Tax Self Assessment (MTD ITSA) software that connects to HM Revenue & Customs (HMRC) APIs on your behalf. This Privacy Policy explains how we collect, use, store and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Regulas is the data controller for your personal data.

Email: [email protected]

Company: Smart Path IT Ltd, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ

3. What Data We Collect

3.1 Account Information

  • Name and email address (registration)
  • Password (hashed with bcrypt, never stored in plain text)
  • User type (individual or agent)
  • Agent reference number (if applicable)

3.2 HMRC Data

  • National Insurance Number (NINO) — encrypted at rest using AES-256-GCM
  • HMRC OAuth tokens — encrypted at rest
  • Business details, obligations, and tax calculations retrieved from HMRC
  • Self Assessment income, expenses, and submission data

3.3 Transaction Data

  • Income and expense records you enter or import
  • Quarterly update submissions and their status
  • End-of-year adjustments and final declarations

3.4 Technical Data

  • IP address, browser type, screen dimensions, timezone
  • Device identifiers (for HMRC fraud prevention compliance)
  • Audit logs of actions performed within the platform

4. How We Use Your Data

Purpose                                                       Legal Basis
------------------------------------------------------------  -----------------------------------
Providing MTD ITSA software services                          Contract performance (Art. 6(1)(b))
Submitting quarterly updates and final declarations to HMRC   Contract performance (Art. 6(1)(b))
HMRC fraud prevention header compliance                       Legal obligation (Art. 6(1)(c))
Platform security, audit logging, abuse prevention            Legitimate interest (Art. 6(1)(f))
Product improvement and anonymised analytics                  Legitimate interest (Art. 6(1)(f))
Account alerts and tax deadline notifications                 Consent (Art. 6(1)(a))

5. HMRC Fraud Prevention Headers

HMRC requires all MTD software vendors to send fraud prevention headers with every API request. As a WEB_APP_VIA_SERVER application, we collect and transmit the following to HMRC:

  • Your public IP address and port
  • Browser user-agent string
  • Device identifier (persistent UUID)
  • Screen resolution, timezone, and window size
  • Our server's IP address and software version

This data is sent directly to HMRC as required by the Fraud Prevention Specification v3.3.

6. Data Security

  • Encryption in transit: all data is transmitted over HTTPS (TLS 1.2+)
  • Encryption at rest: NINO encrypted with AES-256-GCM; HMRC OAuth tokens encrypted at rest
  • Password storage: bcrypt hashing with salt rounds
  • NINO lookup: a keyed HMAC-SHA256 hash of the NINO is stored alongside the ciphertext so records can be searched without decrypting the NINO
  • Access control: JWT-based authentication, role-based authorisation
  • Audit trail: All sensitive operations logged
  • Infrastructure: AWS (EU-West region) with VPC isolation, WAF, encrypted storage

7. Data Sharing

We share your data only with:

  • HMRC — via their APIs, to fulfil your statutory tax obligations
  • Your agent — if you authorise an accountant via HMRC's agent authorisation process
  • Infrastructure providers — AWS (hosting), PostgreSQL (database), bound by data processing agreements

We do not sell your personal data to third parties. We do not share data with advertising networks.

8. Data Retention

Data Type                         Retention Period
--------------------------------  --------------------------------------------
Account data                      Duration of account + 30 days after deletion
Tax records and submissions       7 years (HMRC record-keeping)
HMRC OAuth tokens                 Until revoked or expired
Audit logs                        2 years
Technical/fraud prevention data   12 months

9. Your Rights

Under the UK GDPR, you have the right to:

  • Access — request a copy of all personal data we hold
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion ("right to be forgotten"), subject to legal retention
  • Portability — receive your data in a portable format
  • Restriction — restrict processing while a complaint is investigated
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — for consent-based processing

To exercise any of these rights, email [email protected]. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

10. Cookies & Local Storage

We use minimal client-side storage:

Key                 Purpose
------------------  ----------------------------------
regulas-auth        Authentication state (JWT token)
regulas-device-id   HMRC fraud prevention device UUID

We use Google Analytics 4 and Microsoft Clarity for anonymised usage analytics, loaded only after you accept cookies. We do not use advertising pixels or sell data to third parties.

11. Children

Our services are designed for UK taxpayers and their authorised agents. We do not knowingly collect data from anyone under the age of 16.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "Effective date" at the top indicates when the policy was last revised.

13. Contact Us

Email: [email protected]

General support: [email protected]

Company: Smart Path IT Ltd, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ