Privacy Policy

Last updated: 26 May 2026

This policy explains what personal data we collect when you use SimpleReturns, why we collect it, how long we keep it, and the rights you have over it under the UK GDPR and the Data Protection Act 2018. It works alongside our Terms of Service — neither one stands on its own.

1. Who's responsible for your data

SIMPLE RETURNS LTD (the Company, we, us) is the data controller for the personal data described in this policy. We are a private limited company registered in England and Wales under company number 17263315, registered with the Information Commissioner's Office (ICO).

Our Data Protection contact is [email protected]. We respond to data-subject requests within one month, as required by Article 12 of the UK GDPR.

2. What personal data we collect

About you (the user):

  • Your name, email address, and any other contact details you give us when you create an account or contact support.
  • Authentication metadata: when you log in, the device/browser you log in from, and the IP address of that session.
  • Payment metadata: the timestamp, amount and reference of any £99 submission fee you pay. We do not see or store your full card details — those go directly to our payment processor Stripe.
  • Support correspondence: any emails, messages or call notes exchanged with our support team.

About your company (which may include personal data about other directors, employees or counterparties):

  • Company number, registered office and the company's public Companies House record.
  • The Companies House Authentication Code you provide so we can transmit returns on the company's behalf.
  • Bank statement transactions you upload or enter manually: date, description (which may include counterparty names), amount, and any classification notes.
  • Year-end figures you enter: receivables, payables, opening balances, stock, capital allowance claims, charitable donations, losses carried forward, director's loan account balances.
  • The director's name and confirmation tick recorded when you sign and submit a return.

3. Where we get it from

Most data comes directly from you — what you type or upload into the wizard. We also pull public Companies House data (your company's record, directors and historic accounts) from the Companies House public APIs. Where you have previously filed accounts via Companies House, we read the prior-year micro-entity iXBRL so the wizard can show comparatives.

4. Why we use it (and our lawful basis)

UK GDPR requires us to identify a lawful basis under Article 6 for every use of your personal data. Ours are:

  • Performing our contract with you (Art 6(1)(b)). Preparing and transmitting your Corporation Tax return and accounts is the service you signed up for. Without your personal data and your company's financial data we cannot do it.
  • Compliance with a legal obligation (Art 6(1)(c)). HMRC and Companies House require us to keep records of what we transmitted on your behalf, and the Money Laundering Regulations require certain checks. We hold transmission records for the periods set out in section 7 of this policy.
  • Legitimate interests (Art 6(1)(f)). We use limited operational data — error logs, anonymised aggregate usage statistics, security audit trails — to keep the service running safely and to improve it. Our balancing assessment concluded these uses do not override your interests; you can object at any time using the contact details in section 1.

5. AI processing

To assist categorisation and explanation, transaction descriptions and amounts are sent to third-party large-language model providers under our standard processor agreements. Before sending, we apply automated redaction to remove or mask full bank account numbers and sort codes, and apply best-efforts pattern matching to mask individuals' personal names and other identifiers that appear in counterparty fields. No automated redaction is perfect — please avoid uploading statements containing data you would not want a processor outside the UK to see. Our model providers are contractually prohibited from training on our data and do not retain personal data beyond the immediate request/response cycle.
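The pre-send redaction described above, as an added illustration (this is not SimpleReturns' own code, and its patterns are assumptions): it masks 8-digit UK account numbers, 6-digit sort codes and honorific-prefixed names, optionally masks a caller-supplied list of known individuals' names (for instance the directors named on the company's public Companies House record), and reports which names survive the pass, which is the failure mode the paragraph warns about. The transaction rows are constructed sample data, not real statement lines.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Placeholders written in place of the masked values.
ACCOUNT_TOKEN = "[ACCOUNT]"
SORTCODE_TOKEN = "[SORTCODE]"
NAME_TOKEN = "[NAME]"

# Assumed formats: UK account numbers are 8 digits; sort codes are 6 digits,
# usually written 12-34-56. A bare 6-digit run is also masked, which deliberately
# over-redacts some references rather than risk leaking a sort code.
ACCOUNT_NUMBER_RE = re.compile(r"\b\d{8}\b")
SORT_CODE_RE = re.compile(r"\b\d{2}[- ]\d{2}[- ]\d{2}\b|\b\d{6}\b")
# Best-effort name heuristic: an honorific followed by one or two words.
HONORIFIC_NAME_RE = re.compile(
    r"\b(?:MR|MRS|MS|MISS|DR)\.?(?:\s+[A-Z][A-Z'\-]+){1,2}", re.IGNORECASE
)

# Constructed sample rows (not real bank data).
SAMPLE_ROWS: List[Dict] = [
    {"date": "2026-04-02", "description": "FPS PAYMENT JANE DOE 20-45-67 12345678 INV 1042", "amount": -450.00},
    {"date": "2026-04-03", "description": "CARD PAYMENT AMAZON EU SARL", "amount": -23.99},
    {"date": "2026-04-05", "description": "BACS MR JOHN SMITH RENT", "amount": -1200.00},
]


def redact_description(text: str, known_names: Iterable[str] = ()) -> Tuple[str, int]:
    """Return (redacted description, number of substitutions made).

    Account numbers are masked before sort codes so the 6-digit rule never
    fires on a fragment of an 8-digit account number.
    """
    total = 0
    text, n = ACCOUNT_NUMBER_RE.subn(ACCOUNT_TOKEN, text)
    total += n
    text, n = SORT_CODE_RE.subn(SORTCODE_TOKEN, text)
    total += n
    text, n = HONORIFIC_NAME_RE.subn(NAME_TOKEN, text)
    total += n
    # Known individuals (hypothetical source: the director names already held
    # for the company) are masked as whole phrases, case-insensitively.
    for name in known_names:
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        text, n = pattern.subn(NAME_TOKEN, text)
        total += n
    return text, total


def redact_rows(rows: List[Dict], known_names: Iterable[str] = ()) -> List[Dict]:
    """Produce the rows that would leave for the processor: only the description changes."""
    known = tuple(known_names)
    out = []
    for row in rows:
        desc, _ = redact_description(row["description"], known)
        out.append({"date": row["date"], "description": desc, "amount": row["amount"]})
    return out


def unmasked_names(text: str, names: Iterable[str]) -> List[str]:
    """Names that still appear after redaction, i.e. what the heuristics missed."""
    return [
        n for n in names
        if re.search(r"\b" + re.escape(n) + r"\b", text, re.IGNORECASE)
    ]


if __name__ == "__main__":
    # Without a known-names list, "JANE DOE" has no honorific and leaks through.
    for row in redact_rows(SAMPLE_ROWS):
        print(row["description"], "| leaked:", unmasked_names(row["description"], ["Jane Doe"]))
    # With the name supplied, it is masked as well.
    for row in redact_rows(SAMPLE_ROWS, ["Jane Doe"]):
        print(row["description"])
```

The point of the `unmasked_names` check is that pattern-based masking only catches shapes it knows about: account numbers and sort codes have a fixed form, but a counterparty name with no honorific and no entry in the known-names list passes through untouched, which is why the policy asks users not to upload statements containing data they would not want a processor to see.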

Our in-app help assistant answers your questions about using the service from a curated library of our own guidance and quoted official HMRC / Companies House material; it does not browse the internet and has no access to your tax data. To improve our help, we store the questions you ask it (together with the step and field you were on and whether we had an answer). Please do not type personal or sensitive details into the help assistant. Your question is sent to our large-language model provider on the same terms described above to generate the answer.

6. Who we share it with

We do not sell your personal data. We share with a small number of processors strictly to deliver the service:

  • HMRC — recipients of the Corporation Tax return you authorise us to submit.
  • Companies House — recipients of the micro-entity accounts you authorise us to submit.
  • Stripe — our PCI-DSS-compliant payment processor (for the £99 submission fee).
  • Resend — our transactional email provider (for magic-link sign-in and submission receipts).
  • Hostinger — our hosting provider; the database and application servers are presently in a London data centre.
  • Our LLM providers — see section 5 above for what is and isn't sent.

We disclose data to law-enforcement or other public authorities only where we are legally required to do so (for example, under a court order or a valid HMRC information notice).

7. How long we keep it

  • Filed submissions, source transactions and the iXBRL we transmitted — kept for at least six years from the end of the accounting period to which they relate, in line with HMRC's record-keeping rule for limited companies (s.388 Companies Act 2006 and Sch.18 para 21 FA 1998). We do not routinely delete filing-related records.
  • Your account and contact details — for as long as you have an active account, plus at least six years thereafter (so we can answer regulator queries about past filings).
  • Account identity history — a log of changes to the name and email address on your account, including the values held at the point an account is deleted, kept for at least six years (we do not routinely delete this history) so we can maintain an accurate record for regulator and audit queries.
  • Payment records — six years from the transaction date, for HMRC/VAT-record purposes.
  • Activity and security logs — the audit trail of what happened on each return, together with authentication metadata (when and from where you signed in), kept for at least the six-year statutory period alongside the filing it relates to. We do not routinely delete this trail, so we can answer regulator and audit queries.
  • Support correspondence — three years from the last interaction.

8. International transfers

Personal data is stored on UK or EU infrastructure. Some of our processors (the LLM providers and certain Stripe sub-processors) process data in the United States. Where transfers leave the UK, they rely on the UK International Data Transfer Agreement (or the equivalent EU Standard Contractual Clauses recognised under the UK GDPR), plus additional technical safeguards (in-transit encryption, the redaction described in section 5). The named processors are listed in section 6 above; changes are notified per section 13.

9. Your rights

Under the UK GDPR you have the following rights over your personal data:

  • Right of access — a copy of the personal data we hold about you.
  • Right to rectification — correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — deletion of your data where there's no overriding legal basis to keep it. Filed tax returns and supporting records may need to stay on file for the retention periods in section 7 even after account deletion, because we are legally obliged to keep them.
  • Right to restriction of processing.
  • Right to data portability — your data in a structured, machine-readable form.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent — where we relied on consent (we currently do not rely on consent for any core function).
  • Right not to be subject to a decision based solely on automated processing — our wizard's AI suggestions are not solely-automated decisions; you review and confirm everything before submission.

You can delete your account yourself at any time from Settings. When you do, we anonymise your personal details (we blank your name and replace your email with a non-identifying placeholder) and disable sign-in, and we delete your HMRC connection. We retain the filed returns, supporting records and the account identity history described in section 7 for the legally required period, because we are obliged to keep them.

To exercise any of these rights, email [email protected]. If you're not happy with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office — we'd ask you to come to us first, but it isn't a precondition.

10. Cookies and similar technologies

SimpleReturns uses a single first-party authentication cookie (a short-lived JSON Web Token) to keep you signed in between page loads. We do not use third-party advertising cookies, social-media trackers, or behavioural-analytics cookies on the application. The marketing site uses a small number of strictly necessary cookies for navigation only; a cookie banner is not legally required for these under PECR.

11. Security

All data in transit uses HTTPS (TLS 1.2 or higher). Daily Postgres backups are encrypted with AES-256-GCM and stored off-site at a UK data centre; we periodically restore them to verify they are recoverable. Sensitive identifiers (Companies House Authentication Codes, session tokens) are stored in our UK database under restricted application-level access. Access to production systems is restricted to a small number of named engineers, governed by SSH key + multi-factor authentication, and every access is logged. You are responsible for keeping your magic-link email inbox and your Companies House Authentication Code confidential — see section 6 of the Terms.

12. Children

SimpleReturns is intended for UK company directors and so is not marketed at children. We do not knowingly collect data about anyone under 18.

13. Changes to this policy

We may update this policy from time to time. We will post the updated version on this page with a new "last updated" date, and where the change is material we will email you in advance. Continued use of the service after a change takes effect is acceptance of the new policy.

14. Contact

Any question about this policy — including a request to exercise one of the rights in section 9 — should go to [email protected]. General support enquiries go to [email protected].