Under the General Data Protection Regulations (GDPR) of the European Union (even with Brexit - it's still in our law books) we are obligated to tell you about what data we need from you and how we will process it.

TaxSheets Tool

Cookie policy

On our site we currently use the following cookies (we do not use analytics or tracking cookies):

  1. A session cookie - this is a system cookie and is generated automatically when you visit the site. It is purely for use with logging in and system functionality.
  2. CSRF cookie - this cookie is part of our security and allows us to secure our web forms and make sure they are not used by spam bots. Again, this is a system cookie and cannot be disabled.
  3. If you use the "Where am I" accessibility feature this will enable a cookie but is completely optional.

Your data:

Under the GDPR there are 2 categories of data holders - those who effectively "own" the data and those who process it on their behalf (this includes storage).

Hatton Software Ltd trading as TaxSheets is considered both a controller and processor. Here is a list of the data involved, how it is stored and your rights.

  1. Username, Password, National Insurance Number, Oauth Tokens, Paypal Link: We are the controller. You may change your password in our tool. All other data can be changed, requested or amended by contacting us. It is held encrypted at rest and is held indefinitely until your account is deleted. Following account deletion your email will persist but in an unreadable format and any other identifying information will be removed to render your account anonymous.

    Basis for processing: consent - you may withdraw your consent at any time.
  2. Business details, Employments, State Benefits etc: We are a sub-processor, you are the controller and HMRC are the processor. We store limited amounts of this data within your sessions and our database and you are able to decide how much is stored. Any data from HMRC held permanently in our database is held encrypted at rest (this excludes session data which is only held for a short while). We do not provide access to this data, but our tool is designed to help you export and amend it directly.

    Basis for processing: consent - by connecting to HMRC with our system you consent for us to transact with them.
  3. Support tickets: We are the controller. You may view your support tickets anytime online and add to them as well. You may not edit them as we will respond to the messages you supply.

    Basis of processing: Consent - you may create tickets any time you like and to remove them, please contact us.
  4. Forum based posts: We are planning to use a platform called Talkyard or phpBB - neither of which appear to support encryption at rest. You should therefore assume your details and posts are not encrypted. Furthermore, whilst your passwords will be stored encrypted, we would advise (for added security) that you use a different password to the forums than you do for our portal.
  5. System information: This includes when you login, logs related to security and data sent to HMRC. This data cannot be removed and will be held indefinitely. We are the controller.

    Basis of consent: Legal and Legitimate. Legal because we are required to log when you ask us to process data as part of the GDPR. You may request copies of the logs for your actions. Legitimate interest for the security side of things and when you login and use our system. This data may not be exported but will be made available to the relevant services should it need to be.
  6. Your accounting spreadsheets: We are the data processor, you are the controller. You may choose to (or not to!) upload your spreadsheets to our tool. We will let you preview the data you have uploaded and add it to our processing queue. In the queue you may again preview it or remove it. However you may not export it as it is based entirely on your spreadsheets which you supplied. You may however copy and paste it from our system.

    Basis for processing: consent - you may (or may not) upload your spreadsheets and withdraw processing consent at any time (unless already submitted).
  7. Paypal data: We are the controller of the link with your account, Paypal are also the controller of your data. Should you wish to remove the link (this data may, for legitimate business reasons not be amended!) between us and Paypal this will terminate your auto-renewal. To amend your data with Paypal you will need to contact them directly.

    Basis of consent: Legitimate interest - to allow us to auto-renew your service annually we keep a link to Paypal. You may cancel this link from the Account page at any time.
  8. During the HMRC connection process we are also required to send over Anti-Fraud information. This is gathered from your browser and is freely available for us to detect. This is a mandatory requirement from HMRC and applies to all Making Tax Digital providers.

    Basis for processing: consent - by connecting to HMRC with our system you consent for us to transact with them. Legal basis also applies as HMRC have stipulated we have to send this information.
  9. Email alerts are held indefinitely in our database as proof that you have (or have not) been notified of obligation due dates.

    Basis of consent: Legitimate interest. Should you want a list of these, please contact us and you may turn off the facility on the My Account page.
  10. If you decide to leave us, you may cancel your Paypal subscription anytime from the My Account page. Once the account has gone past the expiry date, we will continue to hold your details for 2 weeks after which your account will be deleted. You may however hasten this process by closing the account manually prior to the Expiry date in which case it will be deleted immediately.
  11. Old session data is cleared automatically from our systems every 10 minutes

Where TaxSheets acts as the controller you are entitled to contact us and receive copies of your data or make amendments (excluding security/system details). We are happy to discuss this with you further. Should you be unhappy with our response, or we not respond quick enough you should contact the Information Commissioner to discuss this with them.


  1. This platform is intended for UK users only who submit to HMRC Making Tax Digital
  2. Your data will be stored on UK based cloud server(s)
  3. We will hold your data indefinitely, however will blank out the email address immediately after sending you the confirmation rendering your record not identifiable to you.

You agree to and understand the points listed above prior to signing up to our service.


We use Paypal as our payment provider. Your details will be held separately within their tools and databases and should you wish to purchase through our site then you are encouraged to visit the Paypal legal portal . Please select your country where you can view country specific Privacy policy details.

Should you purchase through our site then we will have access to your personal details through our Paypal admin area. All the details provided to Paypal are held within their databases and are never transferred to our tool or systems. We store a link to your account but please see above for information on how we hold/handle your data.

TaxSheets will never:

  • Print out Paypal records
  • Email or transfer your details (please note we receive an email from Paypal with your details within them. TaxSheets forward this email to a different email account but which is still managed by the same individual (within Google servers))
  • Seek to amend your details

You agree: Paypal is responsible for your data, security and storage (if you purchase from us).


TaxSheets uses Google mail. When you receive emails from us we send our emails (including automated ones) out through Google's SMTP servers. As a result the sent message is stored within our email accounts. These will be cleared out on a regular basis to remove any trails of your email address in our wider systems.

You agree to and understand the points listed above prior to signing up to our service.

SMS and Email Notifications

We reserve the right to contact all users by email in the event that we feel it is necessary. These could include (but are not limited to):

  • Important issues or errors found in the platform
  • Data security issues
  • New HMRC requirements

Furthermore, and depending on your subscription, we may send your SMS or Email notifications through a third party provider. Our provider is a company called ClickSend and you should read ClickSend's legal policies regarding their GDPR and use of your data.

TaxSheets will never:

  • Sell,Share,Rent etc your details
  • Send you emails unrelated to TaxSheets and the services we offer
  • Send you more than 1 email per week unless we deem it urgent

You understand: ClickSend may be used by TaxSheets to send you details via SMS or Email.