Privacy Policy
Operated by GMB DEV Ltd — Last updated: February 2026
1. Who We Are
GetMyBooksDone is a Making Tax Digital (MTD) accounting software service operated by GMB DEV Ltd (“we”, “us”, “our”). We help self-employed individuals and sole traders manage their bookkeeping and submit quarterly updates to HMRC under Making Tax Digital for Income Tax.
If you have any questions about this policy or how we handle your data, please contact us at: privacy@getmybooksdone.online
2. What Data We Collect
We collect and process the following personal data:
Account data
- Name and email address (used to create and manage your account)
Tax identifiers
- National Insurance number (NINO)
- Unique Taxpayer Reference (UTR)
- MTD ID assigned by HMRC
Financial data
- Business income and expense records you enter into the service
- Quarterly update data submitted to HMRC on your behalf
HMRC connection data
- OAuth access tokens and refresh tokens used to connect your account to HMRC's systems
- Scopes granted by you during the HMRC authorisation process
Technical data
- IP address and browser information (collected as part of HMRC's legally required fraud prevention headers)
- Device identifiers (collected as part of HMRC's legally required fraud prevention headers)
- Session and usage data
3. Why We Collect It (Legal Basis)
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email | Account management and communication | Contract |
| NINO, UTR, MTD ID | Submitting tax data to HMRC on your behalf | Contract / Legal obligation |
| Financial records | Preparing and submitting MTD quarterly updates | Contract |
| HMRC OAuth tokens | Authenticating with HMRC APIs on your behalf | Contract |
| IP address, device data | HMRC fraud prevention (legally required) | Legal obligation |
4. Who We Share Data With
We do not sell your data. We share data only where necessary to provide the service:
HMRC — We submit your financial data and tax identifiers to HMRC via their Making Tax Digital APIs. This is the core purpose of the service. HMRC's own privacy notice applies to data held by them.
Supabase — Our database provider, used to store your account and financial data securely. Data is stored in the European Union.
Render — Our backend hosting provider. Servers are located in the European Union.
Vercel — Our frontend hosting provider. Servers are located in the European Union.
We require all third-party processors to handle your data in accordance with UK GDPR.
5. International Transfers
All data processors used by GetMyBooksDone store data within the European Economic Area (EEA) or the United Kingdom. Where any transfer outside the UK/EEA is required, we ensure appropriate safeguards are in place in accordance with UK GDPR.
6. How Long We Keep Your Data
| Data | Retention period |
|---|---|
| Account data | For as long as your account is active, plus 30 days after deletion |
| Financial records | 6 years from the end of the relevant tax year (UK legal requirement) |
| HMRC OAuth tokens | Until you disconnect your HMRC connection or delete your account |
| Technical/fraud prevention logs | 6 months |
7. Your Rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate data
- Erasure — ask us to delete your data (subject to legal retention obligations)
- Portability — receive your data in a machine-readable format
- Restriction — ask us to restrict processing of your data
- Objection — object to processing based on legitimate interests
To exercise any of these rights, please contact us at privacy@getmybooksdone.online. We will respond within 30 days.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Security
We take the security of your data seriously. Measures include:
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted
- HMRC OAuth tokens are stored securely and never exposed to the browser
- Access to production systems is restricted to authorised personnel only
- We will notify affected users and the ICO within 72 hours of becoming aware of a data breach that poses a risk to individuals
9. Cookies
GetMyBooksDone uses only essential cookies required for authentication and session management. We do not use advertising or tracking cookies.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email. The date at the top of this page shows when it was last updated.
11. Contact
GMB DEV Ltd
Email: privacy@getmybooksdone.online
Website: getmybooksdone.online