Privacy Policy

How we look after your data

Last updated: March 2026 · Version 1.1

We believe your tax data is your business, not ours. We built !Abridge to be the lightest possible bridge between your spreadsheet and HMRC. We collect only what we need, we store it securely on UK servers, and we never sell your data to anyone.

1. Who we are

!Abridge is a product of Bluecase Ltd, a company registered in England and Wales. We are the data controller for your personal information, which means we decide how and why your data is used.

  • Company name: Bluecase Ltd (trading as !Abridge). Registered in England & Wales (No. 16092999).
  • Privacy contact: privacy@abridge.tax
  • ICO registration: ZB943232

If you have any questions about this policy, or about how we handle your data, please email us at the address above. We aim to respond within 2 working days.

2. The short version

We know privacy policies can be long. Here is the summary. The rest of this document gives the full detail.

  • We are a bridge, not a vault. Your tax figures pass through our servers to reach HMRC. We keep a record of what was submitted (so you have proof), but we do not mine, analyse, or monetise your financial data.
  • UK servers. Your data is stored on servers located in the United Kingdom.
  • Encrypted everywhere. Your data is encrypted when it travels over the internet (in transit) and when it sits on our servers (at rest).
  • We never sell your data. We do not sell, rent, or trade your personal information to anyone, for any reason.
  • No ads. We do not show advertisements in our product and we do not share your data with advertising networks.
  • You are in control. You can ask us to show you your data, correct it, or delete it at any time.

3. What information we collect and why

We only collect information that we genuinely need in order to provide the service, keep it secure, and meet our legal obligations. Below is a complete list.

3.1 Account information

What: Your email address and, if you choose to sign in or receive notifications that way, your mobile phone number. Where password-based login is used, we also store a securely hashed version of your password.

Why: So you can log in and so we can identify your account, secure access to the service, and contact you about your account. We never store your password in readable form.

Legal basis: Contract — we need this to provide the service you have signed up for.

3.2 HMRC connection (OAuth tokens)

What: When you connect !Abridge to HMRC, you sign in directly on the HMRC website using your Government Gateway credentials. We never see your Government Gateway username or password. HMRC then gives our software a secure access token (and a refresh token) that allows us to interact with HMRC on your behalf.

Why: So we can submit your quarterly updates and retrieve your tax obligations from HMRC.

Legal basis: Contract — this is the core function of the service.

Important: You can revoke !Abridge's access to your HMRC account at any time by visiting your Government Gateway account or by contacting us. We will delete the stored tokens immediately.

3.3 Submission data (your tax figures)

What: The summary income and expense figures that you submit to HMRC through !Abridge (for example, total turnover, total expenses, and the amounts in each quarterly update). We also store the confirmation and reference number returned by HMRC, the date and time of submission, and whether the submission was successful.

Why: So you have a record of what you submitted and when. This protects you if HMRC ever queries a submission. It also allows us to help you if something goes wrong.

Legal basis: Contract (providing the service) and Legal Obligation (HMRC requires taxpayers to keep records for at least 5 years after the 31 January deadline of the relevant tax year; we help you meet this obligation).

If you use our Excel add-in or Google Sheets add-on, the plugin reads the cells you select locally within your spreadsheet so it can calculate the values you want to submit. We do not upload or store your full spreadsheet. We only receive the specific mapped values needed for submission and your submission record.

3.4 Cell mappings and configuration

What: The mapping you create that tells !Abridge which cells in your spreadsheet correspond to which HMRC fields (for example, "Cell B12 = Total Turnover"). This is structural metadata; it does not contain actual financial figures. If you use our plugins, we may also store this mapping configuration locally in the plugin environment so that your setup is remembered between sessions.

Why: So you do not have to re-configure the plugin every time you submit.

Legal basis: Contract.

In practice, this means the Excel add-in may store sign-in and mapping data in browser local storage on your device, and the Google Sheets add-on may store mapping data in document properties and sign-in data in user properties within your Google Workspace environment.

3.5 Google API Services disclosure

If you use our Google Sheets add-on, !Abridge's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We use Google user data only to provide the Google Sheets add-on's core user-facing functionality, such as reading the cells or ranges you select and the mappings you configure so we can prepare the figures you choose to submit to HMRC.

We do not use Google user data to train generalized artificial intelligence or machine learning models. We do not sell Google user data, share it with data brokers or information resellers, or use it for targeted advertising, personalised advertising, or marketing profiling.

3.6 Payment information

What: We use Stripe to process payments. Your card number, expiry date, and CVC are entered directly into Stripe's secure payment form and never touch our servers. We receive and store only: your Stripe customer ID, the plan you are on, and the status of your subscription (active, cancelled, etc.).

Why: So we can manage your subscription and know whether your account is active.

Legal basis: Contract.

3.7 Device information for HMRC fraud prevention

What: Every time we make a submission to HMRC on your behalf, UK law requires us to send certain information about your device. This includes your IP address, timezone, screen size, browser type, and browser plugins.

Why: HMRC uses this information to detect and prevent tax fraud. All MTD software providers are legally required to collect and transmit this data. We do not store this information ourselves — it is collected at the moment of submission and sent directly to HMRC.

Legal basis: Legal Obligation — this is mandated by HMRC under the fraud prevention header specification. See HMRC's fraud prevention guidance.

3.8 Product analytics

What: We use PostHog (hosted on EU servers) to understand how people use !Abridge so we can improve it. This includes information such as which pages you visit within our app, which features you use, how long actions take, and basic device information (browser type, screen size). We do not record your keystrokes or capture screenshots of your screen.

Why: To find and fix problems, to understand which features are useful, and to make the product better.

Legal basis: Legitimate Interest — we have a genuine need to understand how our product is used. You can opt out of analytics at any time (see Section 9).

3.9 Support and correspondence

What: If you contact us for help, we keep a record of the conversation (email address, the content of your messages, and any account details relevant to your query).

Why: So we can resolve your issue and refer back to it if the problem recurs.

Legal basis: Contract.

4. What we do not do with your data

We think it is just as important to be clear about what we will never do.

  • We do not sell, rent, or trade your personal data to anyone.
  • We do not share your data with advertising companies or ad networks.
  • We do not display advertisements in our product.
  • We do not use your tax figures for any purpose other than submitting them to HMRC and storing them as your submission record.
  • We do not build profiles of you for marketing purposes.
  • We do not make any automated decisions about you (such as credit scoring or risk assessment).
  • We do not upload or store the full contents of your spreadsheet. Our plugins may read the cells you select locally so they can calculate mapped values, but we only receive the figures you choose to submit.

5. Who we share your information with

We share your data only where it is necessary to provide the service, process payments, or comply with the law.

| Recipient | What we share | Why | Where |
| --- | --- | --- | --- |
| HMRC | Your tax figures, HMRC OAuth tokens, fraud prevention device data | To submit your quarterly updates and Final Declaration as instructed by you | United Kingdom |
| Supabase | Account data, tokens, submission records (encrypted) | Database hosting and authentication | United Kingdom (London) |
| Stripe | Payment card details (entered directly into Stripe) | Payment processing | United States (UK adequacy protections) |
| PostHog | Anonymised usage and product analytics | Product improvement and bug detection | European Union |
| Resend | Email address and the contents of service emails | Sending account, reminder, and submission emails | United States |
| Twilio | Phone number and the contents of service SMS messages | Phone sign-in and optional SMS notifications | United States |
| Vercel | Web requests (IP address, browser info) | Website and application hosting | United Kingdom / EU |

We may also share your information with law enforcement or regulatory authorities if we are legally required to do so. We will always tell you if this happens, unless we are legally prevented from doing so.

Accountant dashboard (B2B): If you use !Abridge through your accountant's practice, your accountant is a separate data controller. We act as a data processor on their instructions, governed by a Data Processing Agreement.

6. International data transfers

We store your core data (account details, HMRC tokens, submission records) on servers in the United Kingdom.

Some of the services we use are based outside the UK. Where this is the case, we ensure that your data is protected by appropriate safeguards as required by UK data protection law.

  • Stripe (United States): Processes payments under the UK-US Data Bridge and Standard Contractual Clauses.
  • PostHog (European Union): The EU is covered by a UK adequacy decision.
  • Resend (United States): Sends service emails for us. Where personal data is transferred outside the UK, we rely on appropriate safeguards required by UK data protection law.
  • Twilio (United States): Supports phone sign-in and SMS notifications. Where personal data is transferred outside the UK, we rely on appropriate safeguards required by UK data protection law.

7. How long we keep your information

We do not keep your data for longer than we need it.

| Type of data | How long we keep it | Why |
| --- | --- | --- |
| Account information (email, phone number, login credentials) | While active, plus 2 years after deletion | Re-activation and post-closure queries |
| HMRC OAuth tokens | Deleted when you disconnect or delete account | |
| Submission records | 6 years from end of relevant tax year | HMRC record-keeping requirements |
| Cell mappings | While account active; deleted on account deletion | |
| Product analytics | 12 months (rolling) | Product improvement |
| Support correspondence | 3 years after resolution | Legal and recurrence |
| Payment records | 7 years | UK legal requirement |
| Fraud prevention device data | Not stored (sent directly to HMRC) | |

8. How we protect your information

  • Encryption in transit: TLS (the padlock in your browser).
  • Encryption at rest: AES-256 for stored data.
  • HMRC tokens: Additional application-level encryption.
  • Password security: Hashed with bcrypt; we never store readable passwords.
  • UK-based servers: Core data hosted in the United Kingdom.
  • Access controls: Restricted access, all access logged.
  • Regular reviews: We review security practices and will pursue certifications (e.g. Cyber Essentials) as we grow.

No system is 100% secure. If we discover a data breach that affects your personal information, we will notify you and the ICO in line with our legal obligations.

9. Your rights

Under UK data protection law (UK GDPR), you have the following rights. You can exercise any of them by emailing privacy@abridge.tax. We will respond within one month.

  • Right of access: You can ask for a copy of all the personal data we hold about you.
  • Right to rectification: You can ask us to correct wrong or incomplete data.
  • Right to erasure: You can ask us to delete your data, unless we are legally required to keep it.
  • Right to restrict processing: You can ask us to temporarily stop using your data while we resolve a concern.
  • Right to data portability: You can ask for your data in a machine-readable format (e.g. CSV or JSON).
  • Right to object: You can object to processing based on legitimate interest (e.g. product analytics). We will stop unless we have a compelling reason to continue.
  • Right to withdraw consent: Where we rely on consent (e.g. marketing), you can withdraw it at any time. Every marketing email includes an unsubscribe link.

We will never charge you for exercising these rights. If a request is manifestly unfounded or excessive, we may ask for a reasonable fee or decline, but we will always explain why.

10. Cookies

We use strictly necessary cookies (to keep you logged in and make the service work) and analytics cookies (PostHog), which you can accept or decline when you first visit and change in your account settings. If you use the Excel add-in, it also uses browser local storage on your device to remember sign-in and mapping settings. We do not use advertising or social media tracking cookies.

11. Marketing communications

We will only send you marketing emails if you have explicitly opted in. You can opt out at any time via the unsubscribe link or by emailing us. Service emails and, where you have enabled them, service SMS messages (submission confirmations, obligation reminders, account notifications) are not marketing and are necessary for the contract; you will receive these while your account is active.

12. Children

!Abridge is a tax compliance service intended for adults with Self Assessment obligations. We do not knowingly collect data from anyone under 16. If we discover that we have, we will delete it immediately. If you believe a child has provided us with personal data, please contact us.

13. Changes to this policy

We may update this privacy policy from time to time. When we do, we will update the date at the top and post the new version on our website. If we make a significant change that affects how we use your data, we will email you before the change takes effect. We will never reduce your rights under this policy without giving you notice and the opportunity to delete your account.

14. How to complain

If you are unhappy with how we have handled your data, please email us at privacy@abridge.tax. We take every complaint seriously.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint. ICO helpline: 0303 123 1113. Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

15. Summary of lawful bases

| Purpose | Data involved | Lawful basis (UK GDPR) |
| --- | --- | --- |
| Providing the service | Email, password hash, OAuth tokens, cell mappings, submission data | Article 6(1)(b) — Contract |
| Fraud prevention headers to HMRC | IP address, device info, timezone, screen size, browser details | Article 6(1)(c) — Legal Obligation |
| Keeping submission records | Submitted tax figures, HMRC responses, timestamps | Article 6(1)(c) — Legal Obligation |
| Product analytics | Usage data, page views, feature interactions | Article 6(1)(f) — Legitimate Interest (opt-out) |
| Marketing emails | Email address | Article 6(1)(a) — Consent |
| Payment processing | Payment card details (held by Stripe) | Article 6(1)(b) — Contract |
| Customer support | Email, correspondence, account details | Article 6(1)(b) — Contract |

16. Data handling summary

This section provides a plain-language summary of exactly what data !Abridge stores, what it does not store, how long records are retained, and where everything lives.

What we store

  • Your email address and hashed password (for authentication).
  • Spreadsheet cell references you map to HMRC fields (e.g. "B12 → Total Turnover"). These are structural references only.
  • The actual values from those mapped cells at the time of each submission.
  • HMRC submission data: figures sent, confirmation references, timestamps, and success/failure status.
  • Business details you enter (business name, UTR, NINO).
  • Encrypted HMRC OAuth tokens for API access.
  • Stripe customer ID and subscription status (card details are held by Stripe, never by us).

What we do NOT store

  • Your spreadsheet files — we never upload, download, or access your spreadsheet.
  • Cell contents beyond the specific mapped values at submission time.
  • Your Government Gateway username or password.
  • Your payment card number, expiry, or CVC (Stripe handles these directly).
  • Fraud prevention device data (sent directly to HMRC, not retained).

Retention periods

  • Submission records: 7 years from the end of the relevant tax year, as required by HMRC record-keeping rules.
  • Account & profile data: While your account is active, plus 2 years after deletion for re-activation queries.
  • HMRC tokens: Deleted immediately when you disconnect or delete your account.
  • Cell mappings: Deleted when you delete your account.
  • Analytics data: 12 months (rolling).

Where data is stored

Core data (accounts, tokens, submissions, mappings) is stored in Supabase, hosted in the United Kingdom (London, eu-west-2). Analytics data is processed by PostHog on EU servers. Payment data is held by Stripe (US, with UK adequacy safeguards).

Right to deletion

You can delete your account and all associated data at any time from the Data Export page, or by emailing privacy@abridge.tax. We will remove all your personal data within 30 days, except where we are legally required to retain records (e.g. submission records for HMRC compliance).

Data Protection Officer

For data protection enquiries, contact our DPO at dpo@abridge.tax. Bluecase Ltd, registered in England & Wales (No. 16092999).

Thank you for trusting !Abridge. If anything in this policy is unclear, please email privacy@abridge.tax.
