Privacy Policy

Last updated: 26 February 2026

1. Who we are

Tiraverse MTD is operated by Tiraverse Ltd, a company registered in England and Wales (company number 17036977). Our registered address is available on Companies House.

For data protection enquiries, contact us at privacy@tiraverse.co.uk.

2. What data we collect

When you use Tiraverse MTD, we collect and process:

  • Account information: name, email address, hashed password.
  • Business information: business name, type, HMRC business ID, UTR (encrypted at rest).
  • National Insurance Number (NINO): encrypted using AES-256-GCM before storage. Never stored in plain text or logged.
  • Financial documents: receipts, invoices, and bank statements you upload for OCR processing.
  • Transaction data: extracted line items, amounts, dates, and HMRC categories.
  • HMRC OAuth tokens: encrypted at rest using AES-256-GCM. Used to submit data to HMRC on your behalf.
  • Fraud prevention headers: as required by HMRC, we collect browser metadata (user agent, screen size, timezone, plugins, device ID) and transmit it to HMRC with each API call. See section 8 for details.
  • Technical data: IP address, browser type, access timestamps for security and rate limiting.

3. How we use your data

We process your data for the following purposes:

  • Service delivery: OCR extraction, automated categorisation, and HMRC submission of your tax data.
  • Legal compliance: submitting Making Tax Digital returns to HMRC as authorised by you.
  • Security: rate limiting, fraud prevention, and audit logging.
  • Account management: authentication, password resets, consent records.

Our legal bases under UK GDPR are: contract performance (providing the service), legal obligation (HMRC fraud prevention requirements), and legitimate interest (security monitoring).

4. Data storage and security

  • All data is stored on servers located in the United Kingdom.
  • Sensitive fields (NINO, HMRC tokens) are encrypted at the application level using AES-256-GCM before being written to the database.
  • Passwords are hashed using bcrypt with a minimum cost factor of 10.
  • All connections use TLS 1.2 or higher.
  • Uploaded documents are stored in encrypted object storage (MinIO with server-side encryption).
  • Database backups are encrypted and retained for 30 days.

5. Data sharing

We share your data only with:

  • HMRC: quarterly updates, annual submissions, VAT returns, and final declarations — only when you explicitly submit them.
  • Microsoft Azure: document images are sent for OCR processing. Microsoft processes this data under their Data Processing Addendum.
  • Anthropic: transaction descriptions are sent for automated category suggestion. No financial amounts or personal identifiers are included in these requests.

We do not sell your data to third parties. We do not use your financial data for advertising or profiling.

6. Data retention

  • Account data: retained while your account is active.
  • Financial records: retained for 7 years from the end of the relevant tax year, as required by HMRC.
  • HMRC audit logs: retained for 7 years (legal obligation).
  • Uploaded documents: retained until you delete them or request account deletion.
  • HMRC OAuth tokens: revoked and deleted when you disconnect from HMRC or delete your account.

7. Your rights

Under UK GDPR, you have the right to:

  • Access: download all your personal data (Settings > Privacy > Export my data).
  • Rectification: update your personal information in Settings.
  • Erasure: request account deletion (Settings > Privacy > Delete my account). A 30-day grace period applies.
  • Portability: export your data in machine-readable JSON format.
  • Withdraw consent: manage your consent preferences in Settings > Privacy.
  • Complain: lodge a complaint with the Information Commissioner's Office (ICO).

8. HMRC fraud prevention headers

HMRC requires all Making Tax Digital software to collect and transmit fraud prevention headers with every API request. This is a legal requirement under the HMRC Fraud Prevention specification.

The data collected includes:

  • Browser user agent string
  • Screen dimensions and colour depth
  • Browser window size
  • Timezone offset
  • Installed browser plugins
  • Do Not Track preference
  • A device identifier (UUID stored in your browser)
  • Your IP address (forwarded to HMRC)

This data is transmitted directly to HMRC and is not used by Tiraverse for any other purpose. HMRC uses it to detect and prevent tax fraud.

9. Cookies

Tiraverse MTD uses only essential cookies required for the service to function:

  • Session cookie: maintains your authenticated session.
  • CSRF token: protects against cross-site request forgery.
  • Theme preference: stored in localStorage (not a cookie), remembers your chosen colour scheme.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated via email or an in-app notification. The "last updated" date at the top of this page indicates when the policy was last revised.

11. Contact

If you have questions about this privacy policy or your data, contact us at privacy@tiraverse.co.uk.