Privacy Policy

Last updated: 12 May 2026  ·  Effective: 12 May 2026

1. Who We Are

Finance Panda Limited, trading as EasyTax ("EasyTax", "we", "us", "our"), is the data controller responsible for your personal data. We are registered in England and Wales.

Company name: Finance Panda Limited
Registered address: London, United Kingdom
Email: privacy@easytax.vip
ICO registration: Pending

This Privacy Policy explains what personal data we collect, why we collect it, the legal basis for processing it, how long we keep it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect and Why

We only collect data that is necessary for the purposes described below.

2.1 Account and Identity Data

Name, email address, and profile picture (if you sign in via Google).

Legal basis: Contract. Necessary to create and manage your account and provide the service.

2.2 Tax and Financial Data

National Insurance number (NINO), Unique Taxpayer Reference (UTR), income figures, expense records, and data retrieved from HMRC on your behalf (obligations, calculations, previously submitted returns).

Legal basis: Contract. Necessary to calculate and submit your Self Assessment tax return.

2.3 Bank Transaction Data

Bank account details and transaction history retrieved via Plaid's Open Banking connection, used to identify and categorise expenses.

Legal basis: Consent. You explicitly authorise this connection. You can disconnect at any time from your dashboard.

2.4 HMRC OAuth Connection

HMRC access token and refresh token stored securely to allow us to act on your behalf with HMRC.

Legal basis: Consent. You explicitly grant this via HMRC's Government Gateway OAuth flow.

2.5 Payment Data

Payment is processed by Stripe. We do not store card numbers. We retain transaction references and amounts for invoicing and legal compliance.

Legal basis: Contract. Necessary to process payment for our service.

2.6 Device and Fraud Prevention Data

IP address, browser type, screen resolution, timezone, and device identifiers. HMRC mandates these "fraud prevention headers" be submitted with every API call.

Legal basis: Legal obligation. Required under HMRC's Fraud Prevention Headers specification (TxM standard).

2.7 Usage Data

Pages visited, features used, and error logs. Used solely to improve the product and diagnose issues.

Legal basis: Legitimate interests. We have a legitimate interest in maintaining and improving our service. This data is aggregated and not used to profile individuals.

3. How Long We Keep Your Data

Data type | Retention period | Reason
Account data | Until account deletion + 30 days | Service provision
Tax return data | 7 years from filing date | HMRC legal requirement (6 years + buffer)
Bank transaction data | 6 years | Tax record keeping obligations
HMRC tokens | Until disconnected or expired | Service provision
Payment records | 7 years | Financial record keeping (Companies Act 2006)
Device / fraud prevention data | 13 months | HMRC TxM requirement
Usage / error logs | 90 days | Operational necessity

4. Your Rights Under UK GDPR

You have the following rights regarding your personal data. To exercise any of them, email privacy@easytax.vip. We will respond within 30 days.

Right of access

Request a copy of all personal data we hold about you (Subject Access Request).

Right to rectification

Ask us to correct inaccurate or incomplete data.

Right to erasure

Ask us to delete your data where we have no legal obligation to retain it.

Right to restriction

Ask us to pause processing your data while a dispute is resolved.

Right to data portability

Receive your data in a structured, machine-readable format (e.g. JSON/CSV).

Right to object

Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on consent (e.g. bank connection, HMRC OAuth), you can withdraw at any time via your dashboard without affecting the lawfulness of prior processing.

Rights re: automated decisions

We do not make solely automated decisions that produce legal or similarly significant effects on you. AI categorisation is always presented for your review and approval.

5. Cookies

We use only technically necessary cookies (session authentication). We do not use advertising or tracking cookies. No cookie consent banner is required for strictly necessary cookies.

6. Security

We implement appropriate technical and organisational measures including TLS encryption in transit, encryption at rest, access controls, and token-based authentication. HMRC access tokens are stored encrypted. We do not store Government Gateway passwords.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR Articles 33–34.

7. Children

Our service is not directed at anyone under the age of 18. We do not knowingly collect data from minors.

8. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or by a prominent notice in the app at least 14 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

9. How to Complain

If you are unhappy with how we handle your data, please contact us first at privacy@easytax.vip. If you remain unsatisfied, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

10. Contact Us

For any privacy-related questions or to exercise your rights:

Email: privacy@easytax.vip

We aim to respond to all requests within 30 days. For complex requests we may extend this by a further two months, in which case we will notify you.