Privacy Policy
Last updated: April 2026
Who we are
123tax is a trading name of 123 TAX LTD, a company registered in England and Wales (Company Number: 11729244), with its registered office at Studio 9, 50-54 St Paul's Square, Birmingham B3 1QS.
We are the data controller for the personal data you provide to us. This means we decide how and why your data is used.
If you have any questions about this policy or want to exercise your rights, contact us at:
What data we collect and why
We only collect data that is genuinely necessary to deliver our service. Here is what we collect, why we collect it, and the legal basis we rely on under UK GDPR.
Account and identity data
What: Your name, email address, phone number, UTR (Unique Taxpayer Reference), and National Insurance number.
Why: To create and manage your account and to submit information to HMRC on your behalf.
Legal basis: Performance of a contract (UK GDPR Article 6(1)(b)).
CIS financial data
What: CIS payment statements you share with us (via WhatsApp photo, direct upload, or manual entry), including contractor name, gross payment, CIS deduction amount, and payment period.
Why: To calculate your estimated tax refund, populate your quarterly MTD updates, and support your Self Assessment submission.
Legal basis: Performance of a contract (Article 6(1)(b)) and compliance with a legal obligation (Article 6(1)(c)) where HMRC submissions are involved.
WhatsApp message data
What: The content of messages you send to the 123tax WhatsApp number, including any photos of payslips or CIS statements, and metadata including your WhatsApp phone number and message timestamp.
Why: To process inbound messages, extract financial data from photos using our OCR service, reply to your queries, and record your message history within your account.
Legal basis: Performance of a contract (Article 6(1)(b)).
Important: The 123tax WhatsApp service operates via the Meta WhatsApp Cloud API. Meta processes message data according to their own privacy policy and business messaging terms. By using our WhatsApp service, you are also subject to Meta's terms. We recommend reviewing Meta's privacy policy at facebook.com/privacy/policy.
HMRC-sourced data
What: Data we retrieve from HMRC on your behalf, including your tax account information, CIS deductions held by HMRC, and previous submission records. We access this data using the OAuth 2.0 authorisation you grant us when connecting your HMRC account.
Why: To pre-populate your tax position, verify CIS deductions, and submit updates to HMRC.
Legal basis: Performance of a contract (Article 6(1)(b)) and your explicit authorisation via HMRC's OAuth flow.
Usage and device data
What: Log data when you use the web portal or iOS app, including your IP address, device type, browser or OS version, pages visited, and session duration. We use Microsoft Application Insights for this.
Why: To maintain service performance, diagnose errors, and understand how features are used. We also share a subset of this data with HMRC as required by the Fraud Prevention Headers specification, which is a legal requirement for providers of MTD software.
Legal basis: Legitimate interests (Article 6(1)(f)) for service improvement; legal obligation (Article 6(1)(c)) for the fraud prevention data shared with HMRC.
How we use cookies
The 123tax web portal uses cookies. These fall into three categories:
- Strictly necessary cookies — required for the portal to function (session management, security tokens). You cannot opt out of these.
- Analytics cookies — used to understand how the portal is used (Microsoft Application Insights). You can decline these via our cookie banner.
- No advertising cookies — we do not use advertising cookies or share data with ad networks.
Who we share your data with
We do not sell your personal data. We only share it with the following parties:
| Recipient | Purpose | Location |
|---|---|---|
| HMRC | MTD quarterly updates, CIS deduction verification, Self Assessment submission | UK |
| Microsoft Azure | Cloud hosting, database storage, blob storage, AI Document Intelligence (OCR) | UK (UK South data centre) |
| Meta Platforms | WhatsApp message delivery via Cloud API | EU/US (subject to Meta's DPA) |
| Stripe | Subscription billing | US/EU (subject to Stripe's DPA) |
All third-party processors are bound by data processing agreements. Where data is transferred outside the UK, we rely on appropriate safeguards (adequacy decisions or Standard Contractual Clauses).
How long we keep your data
We keep your data for as long as you have an active 123tax account, and for a period of 7 years after your account closes, in line with HMRC record-keeping requirements for tax purposes.
| Data type | Retention period |
|---|---|
| Account and identity data | Duration of account + 7 years |
| CIS financial records and submissions | 7 years from tax year end |
| WhatsApp message content | 7 years from tax year end |
| Raw receipt/document photos | 7 years from tax year end |
| Usage and log data | 13 months rolling |
After the applicable retention period, data is permanently deleted from our systems. If you request deletion of your account, we will delete all data that we are not legally required to retain and will inform you of anything we must keep and why.
Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data (subject to legal retention requirements)
- Restrict how we process your data in certain circumstances
- Port your data to another service in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent where consent is the legal basis we rely on
To exercise any of these rights, email [email protected] with your request. We will respond within one calendar month (or inform you if we need more time for complex requests). We may ask you to verify your identity before acting on a request.
If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk — Phone: 0303 123 1113.
How we protect your data
We implement appropriate technical and organisational security measures to safeguard the personal data we process.
Your data is hosted in the United Kingdom using Microsoft Azure cloud infrastructure. Microsoft maintains independent security certifications for its cloud services, including ISO 27001 and SOC 2.
We use encryption to protect data in transit and at rest. Access to live systems and personal data is limited to authorised personnel with a legitimate business need and is managed in accordance with least-privilege principles.
We use secure identity, authentication, and access management controls, and support additional protections such as multi-factor authentication where appropriate. We also apply controls designed to maintain logical separation between customer accounts and data.
We regularly review our security posture and take steps to maintain, patch, and update the systems and software we rely on.
We maintain procedures for identifying, investigating, and responding to security incidents. Where a personal data breach occurs, we will make any required notifications in accordance with applicable data protection law.
Where your data is stored
Your data is hosted in the United Kingdom using Microsoft Azure cloud infrastructure. Customer data is not transferred outside the UK in the normal course of providing the service.
Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of the service after notification constitutes acceptance of the updated policy.