Privacy Policy

1. Introduction

This Privacy Policy explains how Rckts Software Ltd collects, uses, and protects your personal information when you use our HMRC Making Tax Digital (MTD) Spreadsheet Bridging Tool for Income Tax Self Assessment (ITSA).

Company Details:

Company: Rckts Software Ltd
Company Number: 16879107
Privacy Contact: tommy.rowe@quixmtd.co.uk

2. Information We Collect

Account Information:

Name, email, business details, encrypted passwords

Tax Data (Highly Sensitive):

MTD IT ID (HMRC identifier), National Insurance number (encrypted), income and expense data, quarterly and annual tax submissions, HMRC submission data and references

Technical Data:

IP address, device and browser information, usage analytics, error and security logs

HMRC Integration Data:

Authentication and authorisation tokens, submission confirmations, HMRC API responses

3. How We Use Your Data

Primary Service Functions:

Extract and validate tax data from spreadsheets
Submit Income Tax Self Assessment returns to HMRC on your behalf (once live)
Provide account management and customer support

Legal and Regulatory Compliance:

Comply with HMRC Making Tax Digital requirements
Comply with UK tax and anti-money laundering legislation
Maintain audit trails and statutory records

Service Improvement:

Analyse usage patterns
Monitor performance and security
Fix issues and develop new features

4. Lawful Basis for Processing

We process personal data under the following lawful bases in accordance with UK GDPR:

Contract

Processing is necessary to provide the Rckts Software Ltd MTD service requested by the user.

Legal Obligation

Processing is required to comply with HMRC Making Tax Digital regulations and UK tax law.

Legitimate Interests

To improve service reliability, security, and fraud prevention, where such interests do not override user rights.

Where consent is required, it will be explicitly obtained and can be withdrawn at any time.

5. Data Sharing

HMRC (Required by Law):

Tax return data, business identification details, submission references and confirmations

Service Providers:

Cloud hosting providers, security and monitoring services, analytics providers

All third parties are contractually required to protect data and comply with UK GDPR.

We Never:

Sell your data
Share data for third-party marketing
Use your tax data for our own commercial purposes

6. Data Security

We implement appropriate technical and organisational security measures, including:

Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Secure session management using HTTP-only cookies and rotating tokens
Role-based access controls and multi-factor authentication
Hosting in UK-based data centres with industry-standard security controls
Regular internal security reviews and penetration testing
Secure integration with HMRC APIs using OAuth 2.0 as specified by HMRC

7. Data Retention

Tax Records: 6 years

Required by HMRC for audit and compliance purposes

Account Data: 7 years after account closure

Legal and regulatory compliance

Technical Logs: Up to 2 years

Security monitoring and support

8. Your Rights

Under UK GDPR, you have rights to:

Access – Request copies of your personal data
Rectification – Correct inaccurate or incomplete data
Erasure – Request deletion of data (subject to legal obligations)
Portability – Receive your data in a transferable format
Object – Object to certain processing activities
Restriction – Limit how your data is processed

To exercise your rights, contact:
📧 tommy.rowe@quixmtd.co.uk

We will respond within 30 days.

9. Contact & Complaints

Data Protection Contact:

Email: tommy.rowe@quixmtd.co.uk

Supervisory Authority:

Information Commissioner's Office (ICO)

Website: https://ico.org.uk
Phone: 0303 123 1113

10. Changes to This Policy

We may update this Privacy Policy to reflect legal, regulatory, or service changes. Material changes will be communicated at least 30 days in advance via email or in-app notification.

Continued use of the service after changes take effect constitutes acceptance of the updated policy.