VATflow

Privacy policy

Last updated: 2026-05-20

1. Who we are

VATflow is operated by United Fintec Limited, a company registered in England and Wales (Companies House registration number 10216969).

Registered office: 3 Greer Garson Road, Denham, Uxbridge, UB9 5FP, United Kingdom.

As the data controller, United Fintec Limited determines the purposes and means by which personal data is processed in connection with the VATflow service.

2. ICO registration

United Fintec Limited is registered with the Information Commissioner’s Office (ICO) as a data controller under reference ZC139359 (valid until 04 May 2027).

3. Data we collect

To provide VATflow we collect:

  • Email address and password hash (for account access).
  • VAT registration numbers (VRNs) and trading names for the companies you file for.
  • VAT return data (boxes 1–9) that you submit through VATflow.
  • HMRC OAuth access and refresh tokens (encrypted at rest) authorising VATflow to call HMRC’s Making Tax Digital API on your behalf.
  • IP address (one-way hashed) for rate-limiting and abuse prevention; we do not store raw IP addresses.
  • Security audit-event logs (sign-in attempts, password changes, multi-factor enrolment events).
  • Fraud-prevention metadata required by HMRC under the Finance Act 2021 (device characteristics, time-zone, browser and screen attributes). This data is transmitted to HMRC with every API call as part of HMRC’s mandatory header requirements.

4. Lawful basis for processing

We process personal data under UK GDPR Article 6 as follows:

  • Contract — processing necessary to deliver the VATflow MTD submission service you have signed up for.
  • Legal obligation — transmission of fraud-prevention headers to HMRC under the Finance Act 2021 and HMRC’s terms of use.
  • Legitimate interest — security audit logs and rate-limiting to protect your account and the service against abuse.

5. Where data is stored

Data at rest is stored in the United Kingdom, in Supabase (AWS eu-west-2 / London region). Transient request processing occurs in our backend hosted in the European Economic Area (Frankfurt) and is not retained on the backend hosts.

All data transmitted between your browser, VATflow and HMRC is encrypted in transit using TLS.

6. How long we keep data

  • VAT return records — retained for six years from the end of the relevant accounting period, in line with HMRC’s record-keeping requirements (VAT Notice 700/22).
  • Security audit logs — retained for 90 days, then automatically deleted.
  • Account data — retained for as long as your account is active. On account closure, personal identifiers are scrubbed; VAT submission records are retained for the six-year HMRC retention period as required by law.

7. Your rights under UK GDPR

Under UK GDPR you have the right to:

  • Access the personal data we hold about you (Subject Access Request).
  • Have inaccurate or incomplete data corrected.
  • Request erasure of your data (subject to our legal obligation to retain VAT records for six years).
  • Restrict or object to certain processing.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent at any time where processing relies on consent.

8. How to exercise your rights

To exercise any of the rights above, email contact@unitedfintec.com with the subject line “Data Subject Request”. We will acknowledge your request within 5 working days and respond within one calendar month, as required by UK GDPR.

9. International data transfers

We do not transfer your personal data outside the United Kingdom or the European Economic Area. The EEA processing referenced in section 5 covers transient backend compute (Frankfurt, Germany) only — no customer data is retained outside the UK. Data transmitted to HMRC’s Making Tax Digital API stays within the United Kingdom.

10. Cookies

VATflow uses essential session cookies only. We do not use analytics cookies, advertising cookies, or any third-party tracking. The cookies we set are required to keep you signed in and to remember the active company you are filing for.

11. Contacting the ICO

If you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

ico.org.uk · helpline 0303 123 1113

12. Updates to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Material changes that affect how we process your personal data will be communicated by email to the address associated with your account at least 14 days before the change takes effect.