
Security

Last updated: 8 April 2026

VAT Margin handles sensitive financial and business data. We apply appropriate technical and organisational measures to protect your information, and we regularly review and improve our practices as the Service grows.

How we protect your data

  • Encrypted connections: all data transmitted between your browser and our Service is protected by encrypted connections. We enforce secure connections for every request.
  • Secure password storage: passwords are securely hashed before storage. We never store your password in plain text, and our team cannot view it.
  • Sensitive data protection: credentials and sensitive tokens stored within the Service are encrypted at rest using industry-standard methods.
  • Session security: session cookies are configured with industry-standard security settings to prevent unauthorised access.
  • Access controls: the Service includes role-based permissions so that team members only have access to the functions they need. Each company's data is isolated from other accounts.
  • Abuse prevention: we apply safeguards to protect against automated attacks and unauthorised access attempts.
  • Audit trail: key actions within the Service are logged, giving you and your team a clear record of who did what and when.

Our service providers

We use a small number of trusted service providers to support the operation of VAT Margin, including payment processing, email delivery, data hosting, and document processing. Each provider is selected based on their security practices and engaged under appropriate data processing agreements. We do not share your data with any provider beyond what is necessary for them to perform their specific function.

What we do not claim

We believe in being straightforward. We do not currently hold formal security certifications. We are focused on building practical, effective safeguards appropriate to the data we handle, and we continue to improve our security practices over time.

Responsible disclosure

If you discover a security concern, please report it responsibly to [email protected]. We will acknowledge receipt promptly and work to address confirmed issues as quickly as possible.

Security & Privacy FAQ

Common questions from customers and prospects.

How do you protect my data?

We apply industry-standard safeguards including encrypted connections, secure password storage, access controls, and session security. Your company's data is isolated from other accounts, and sensitive credentials are encrypted at rest. We regularly review our practices to ensure they remain appropriate.

Is my data encrypted?

Yes. All data in transit between your browser and VAT Margin is sent over encrypted connections. Sensitive data such as credentials and tokens is also encrypted at rest. Passwords are securely hashed and can never be viewed, even by our team.

Who can access my data?

Access to your data is limited on a need-to-know basis. Within the Service, role-based permissions control what each team member can do. Your company's data is fully separated from other accounts. We do not access your data except as needed to provide the Service or respond to your support requests.

Do you share my data?

We do not sell your data. We share data only with a limited number of trusted service providers who help us operate the Service (such as payment processing, email delivery, and data hosting). Each provider is bound by a data processing agreement and only receives the data necessary for its function. A full list of providers is available on request.

What data do you collect?

We aim to collect only the information needed to provide and support the Service. This includes your name, email, company name, and the transaction data you import or upload. We do not collect unnecessary personal information. Full details are in our Privacy Policy.

Are you GDPR compliant?

We work to align our practices with UK GDPR and applicable data protection requirements. This includes identifying lawful bases for processing, respecting data subject rights, limiting data collection to what is necessary, applying appropriate safeguards, and engaging service providers under data processing agreements. Our Data Processing Addendum is available for customers who need it.

Who owns the data?

You do. You retain full ownership of all data you upload or import into VAT Margin. We do not claim any intellectual property rights over your data. We process it solely to provide the Service, as set out in our Terms of Service.

Can I delete my data?

Yes. You can request deletion of your account and all associated data by contacting [email protected] or through the Data & Privacy section of your account settings. We will process deletion requests within 30 days. Some records may be retained where required by law (for example, billing records for UK tax compliance).

How long do you keep my data?

We retain your data for as long as your account is active and as needed to provide the Service. If you close your account, we delete your personal data and business content within 30 days, except where we are legally required to retain certain records (such as billing records for up to 6 years under UK tax law).

Do you use cookies?

We use a single, strictly necessary session cookie to keep you signed in. We do not use analytics cookies, tracking cookies, or advertising cookies. Because our only cookie is essential for the Service to function, no cookie consent banner is needed under UK regulations. Full details are in our Cookie Policy.

What happens if there is a security issue?

In the event of a data breach that is likely to affect your rights, we will notify you without undue delay and take immediate steps to contain and address the issue. We will also notify the Information Commissioner's Office (ICO) where required by UK GDPR.

How can I contact you about privacy?

You can reach us at [email protected] for any privacy or data protection enquiry, including access requests, correction requests, deletion requests, or general questions. We aim to respond within one month as required by UK GDPR.
