GDPR & Data Protection
Our approach to GDPR compliance, data protection and your rights as a data subject.
1. Data Controller & Data Protection Officer
We are the data controller for the personal data processed under our Service.
For data protection queries you may contact us at [email protected].
2. Lawful Basis for Processing
As noted in the Privacy Policy, we rely on lawful bases such as performance of contract, legitimate interests, and legal obligations.
We carry out legitimate interests assessments (LIAs) when relying on legitimate interest, balancing our interests against your rights. Users may contact us for a summary of such assessments where relevant.
3. Consent & Withdrawal
Where processing is based on your consent (e.g. marketing communications), you have the right to withdraw consent at any time. Withdrawal of consent does not affect processing done before withdrawal.
4. Automated Decision-Making & Profiling
Some of our internal systems may use automated or semi-automated processes to analyse your documents and compute eligibility for tax claims.
We do not make fully automated decisions that have legal or similarly significant effects on you without human oversight.
You may request meaningful information about the logic used and challenge such decisions.
5. Data Protection Impact Assessments (DPIAs)
Where we judge that a processing activity involves a high risk to rights and freedoms, we will conduct a DPIA and, where required, consult the relevant supervisory authority.
6. Security, Breach Notification & Accountability
We maintain records of processing (Record of Processing Activities, or RoPA).
We ensure “data protection by design and by default” (minimisation, pseudonymisation, access controls).
In the event of a personal data breach posing a risk, we will notify the UK Information Commissioner's Office (ICO) within 72 hours and communicate the breach to affected individuals when required.
7. Cooperation with Supervisory Authority
We will cooperate with and comply with lawful orders of the ICO or equivalent supervisory authorities, including in investigations or audits.
8. International Transfers & Safeguards
Where personal data is transferred outside the EEA, we will use approved safeguards (e.g. standard contractual clauses, adequacy decisions).
9. Third-Party Processors
We use third-party processors bound by contractual obligations, including data confidentiality, security, and use of data only as instructed.
10. Data Subject Rights & Complaints
As set out in the Privacy Policy, you have the rights of access, correction, deletion, objection, restriction, portability, and withdrawal of consent.
If you believe our processing breaches the GDPR, you have the right to lodge a complaint with the UK ICO or equivalent authority in your jurisdiction.