VAT Margin

Privacy Policy

Last updated: 8 April 2026

1. Who we are

VAT Margin is operated by Gadgets and Mobile Repair Ltd (registered in England and Wales). We provide a SaaS platform for UK VAT Margin Scheme reconciliation and compliance. In this policy, “we”, “us” and “our” refer to Gadgets and Mobile Repair Ltd.

For the purposes of UK GDPR, we are the data controller for account and service data. When processing your business transaction data (purchases, sales, invoices), we act as a data processor on your behalf — you remain the data controller for that content. Our Data Processing Addendum sets out those obligations in detail.

2. Data we collect

We collect and process the following:

Account data (we are data controller)

  • Identity & contact: name, email address, company name
  • Authentication: password (securely hashed — we never store your password in plain text)
  • Billing: subscription plan, billing status, and payment history. Card details are collected and stored exclusively by our payment provider — we do not receive or store card numbers.
  • Team membership: role, invitation status
  • Audit trail: timestamped records of key actions you take in the Service (imports, matches, team changes)

Business content (we are data processor)

  • Purchase and sales transaction data you import (CSV or connected accounting software)
  • Invoice documents you upload, including text extracted via automated processing
  • Stock-item records, matching data, and VAT calculations generated from your data
  • Accounting data from third-party platforms, if you choose to connect your account

Technical data (collected automatically)

  • IP address (used for security and abuse prevention only)
  • Browser type and version (via standard HTTP headers)
  • A session cookie for authentication (see our Cookie Policy)

3. How and why we use your data (lawful bases)

Under UK GDPR, we must have a lawful basis for each type of processing. The table below sets out how we use your data and the legal ground we rely on:

Purpose | Lawful basis
Creating and managing your account | Performance of contract (our Terms of Service)
Processing your transaction data, generating VAT calculations, and producing reports | Performance of contract
Processing payments and managing subscriptions | Performance of contract
Sending transactional emails (verification, password reset, team invitations) | Performance of contract
Syncing data from connected accounting software | Performance of contract (initiated by your explicit connection)
Extracting text from uploaded invoices | Performance of contract
Maintaining audit logs of actions in the Service | Legitimate interests (security, accountability, and providing an audit trail for your compliance needs)
Security monitoring and abuse prevention | Legitimate interests (protecting the Service and our users)
Retaining billing records for accounting and tax compliance | Legal obligation (UK tax and accounting regulations)

We do not send marketing emails. If we introduce marketing communications in the future, we will seek your consent first.

4. Who we share data with

We do not sell your data. We share data only with a limited number of trusted service providers who process data on our behalf under appropriate contractual safeguards. These providers support functions such as:

  • Payment processing
  • Transactional email delivery
  • Accounting data sync (only when you explicitly connect your account)
  • Document text extraction
  • Application hosting and data storage

Each provider is engaged under a data processing agreement and is only given access to the data necessary to perform its function. A full list of our current service providers is available on request by contacting [email protected].

5. International transfers

Some of our service providers may process data outside the UK. Where this occurs, we rely on appropriate safeguards recognised under UK data protection law, such as Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or adequacy decisions where available.

6. Data retention

We retain your data for as long as your account is active and as needed to provide the Service. Specifically:

  • Account data: retained while your account is active. If you request account deletion, we will delete your personal data within 30 days.
  • Business content: retained while your account is active and deleted within 30 days of account closure, except where we are required by law to retain certain records.
  • Audit logs: retained for a reasonable period to support your compliance obligations.
  • Billing records: retained for a minimum of 6 years after the end of the financial year in which the transaction occurred, as required by UK tax law.
  • Backups: data may persist in secure backups for a limited period after deletion, consistent with our backup schedule.

7. Security

We apply appropriate technical and organisational measures to protect your data, including:

  • Encrypted connections for all data in transit
  • Passwords are securely hashed before storage — we never store plain-text passwords
  • Sensitive credentials are encrypted at rest
  • Session cookies are configured with industry-standard security settings
  • Access controls limit what each team member can do within the Service
  • Protections against common web-based attacks and abuse

For more detail, see our Security page.

8. Your rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Rectification: ask us to correct inaccurate or incomplete data
  • Erasure: ask us to delete your personal data (subject to legal retention obligations)
  • Restriction: ask us to restrict processing in certain circumstances
  • Portability: receive your personal data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests

To exercise any of these rights, contact us at [email protected] or use the data rights options in your account settings. We will respond within one month, as required by UK GDPR.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

We use a single, strictly necessary session cookie for authentication. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. For full details, see our Cookie Policy.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or through the Service. The “last updated” date at the top of this page indicates when the policy was last revised.

11. Contact

For privacy-related enquiries, contact us at [email protected].

For general support, contact [email protected].
