Privacy Policy
FlowForm — Making Tax Digital Services
Version 1.0
Effective Date: 01/02/2026
Last Reviewed: March 2026
Neuro-Symbolic Ltd
Company Registration Number: 16780511
Registered Address: 3rd Floor, 86-90 Paul Street, London EC2A 4NE
ICO Registration Number: 234252305
1. Introduction
Neuro-Symbolic Ltd (“we”, “our”, “us”) is a company registered in England and Wales. We are the data controller responsible for the personal data we collect and process through our FlowForm product suite, including any services related to HM Revenue & Customs (“HMRC”) Making Tax Digital (“MTD”) submissions.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use FlowForm to manage your tax obligations, including the submission of quarterly updates and final declarations to HMRC under the MTD for Income Tax Self Assessment programme.
We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable data protection legislation.
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you should not use our services.
1.1 About FlowForm and HMRC MTD
FlowForm is a workflow automation platform that, among other functions, enables self-employed individuals and landlords to capture their income and expense data, prepare quarterly updates, and submit those updates directly to HMRC via HMRC’s Making Tax Digital APIs. FlowForm acts as an HMRC-recognised software provider under the MTD for Income Tax Self Assessment programme.
When you use FlowForm for MTD submissions, we act as a data processor on your behalf for the financial data you provide, and as a data controller for account information, usage data, and fraud prevention data required by HMRC.
2. Data We Collect
2.1 Data You Provide Directly
When you register for and use FlowForm, you may provide us with the following personal data:
Account Information
- Full name
- Email address
- Telephone number (if you choose to enable SMS or WhatsApp notifications)
- Business name and trading name (if applicable)
- Business address
Tax-Related Information
- Unique Taxpayer Reference (UTR)
- National Insurance number
- HMRC Government Gateway credentials (we never store these; they are used solely during the OAuth 2.0 authorisation flow with HMRC)
- Income and expense records for each reporting period
- Details of self-employment income sources
- Details of UK and foreign property income
- Allowances and reliefs claimed
- Year-end adjustment figures
Payment Information
We use Stripe as our payment processor. We do not store your full credit or debit card details. Stripe processes and stores your payment information in accordance with PCI DSS Level 1 standards. We retain only the last four digits of your card number and the card expiry date for your reference.
2.2 Data We Collect Automatically
When you use FlowForm, we automatically collect certain technical and usage data:
Device and Browser Data (Fraud Prevention Headers)
HMRC requires all MTD-compatible software to collect and transmit fraud prevention data with every API request. This is a legal requirement under the MTD regulations. The data we collect for this purpose includes:
| Header | Data Collected | Purpose |
|---|---|---|
| Gov-Client-Timezone | Your device’s local timezone | Fraud detection |
| Gov-Client-Screens | Screen dimensions, colour depth, scaling factor | Device fingerprinting |
| Gov-Client-Window-Size | Browser window dimensions | Device fingerprinting |
| Gov-Client-Browser-Plugins | List of browser plugins | Device fingerprinting |
| Gov-Client-Browser-Do-Not-Track | Whether Do Not Track is enabled | Privacy preference indicator |
| Gov-Client-Local-IPs | Local network IP addresses (may include mDNS addresses) | Network identification |
| Gov-Client-Local-IPs-Timestamp | Timestamp of IP collection | Audit trail |
| Gov-Client-Browser-JS-User-Agent | Browser user agent string | Device identification |
| Gov-Client-Device-ID | A persistent unique device identifier (UUID) | Device continuity tracking |
| Gov-Client-Public-IP | Your public IP address as seen by our server | Network identification |
| Gov-Client-Public-Port | Your TCP source port | Session identification |
| Gov-Client-Multi-Factor | Multi-factor authentication details (if used) | Authentication verification |
This data is collected at the point of submission and transmitted to HMRC as HTTP headers alongside your tax data. We do not use this data for any purpose other than HMRC compliance. We retain this data for the period specified in Section 5 of this policy.
Usage Data
- Pages visited and features used within FlowForm
- Workflow creation and completion events
- Timestamps of interactions
- Error logs and diagnostic data
2.3 Data We Receive from Third Parties
HMRC
When you authorise FlowForm to connect to your HMRC account, HMRC provides us with OAuth 2.0 access tokens and refresh tokens that allow us to make API calls on your behalf. HMRC may also return calculation results, acknowledgement references, and obligation period details in response to our API calls.
Google Calendar (if enabled)
If you choose to connect your Google Calendar to FlowForm for scheduling workflow triggers, we access calendar event data (event titles, dates, and times) for calendars you specifically designate. We do not access or read the content of events on any other calendars.
3. How We Use Your Data
3.1 Legal Bases for Processing
Under the UK GDPR, we process your personal data on the following legal bases:
| Purpose | Legal Basis (UK GDPR) | Details |
|---|---|---|
| Providing our services (account management, workflow execution, MTD submissions) | Article 6(1)(b) — Performance of a contract | Processing is necessary to deliver the services you have subscribed to. |
| HMRC fraud prevention header collection and transmission | Article 6(1)(c) — Legal obligation | We are legally required by HMRC’s MTD regulations to collect and transmit fraud prevention data with every API request. |
| Tax data submission to HMRC | Article 6(1)(b) — Performance of a contract | You instruct us to submit your tax data to HMRC as part of the service. |
| Service improvement and error diagnosis | Article 6(1)(f) — Legitimate interests | We have a legitimate interest in improving our service and resolving technical issues. We minimise the data used for this purpose. |
| Billing and payment processing | Article 6(1)(b) — Performance of a contract | Processing is necessary to manage your subscription and collect payment. |
| Communication (service notifications, deadline reminders) | Article 6(1)(b) — Performance of a contract | Notifications about your MTD deadlines and submission status are integral to the service. |
| Security monitoring and fraud prevention | Article 6(1)(f) — Legitimate interests | We have a legitimate interest in protecting our systems and your data from unauthorised access. |
3.2 Special Category Data
We do not intentionally collect any special category data (such as health data, racial or ethnic origin, political opinions, or biometric data). Our services are designed to process financial and tax information only. If you inadvertently include special category data in free-text fields (for example, in workflow notes), we will not use that data for any purpose and will delete it upon request.
3.3 National Insurance Numbers
Your National Insurance number is classified as a “special identifier” under UK data protection practice. We process your National Insurance number solely for the purpose of identifying you to HMRC for MTD submissions. It is stored in an encrypted form (AES-256) and is never used for any other purpose, shared with any third party other than HMRC, or included in application logs.
4. Who We Share Your Data With
We share your personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:
| Recipient | Data Shared | Purpose | Legal Safeguard |
|---|---|---|---|
| HM Revenue & Customs (HMRC) | Tax data (income, expenses, adjustments), fraud prevention headers, UTR, NI number | Statutory MTD submissions on your instruction | Legal obligation (MTD regulations) |
| Stripe, Inc. | Email address, payment card details (processed directly by Stripe) | Subscription billing | Data Processing Agreement; PCI DSS Level 1; Standard Contractual Clauses for any US transfer |
| Resend (email delivery) | Email address, notification content | Sending service notifications and deadline reminders | Data Processing Agreement |
| Twilio (if you enable SMS/WhatsApp) | Phone number, notification content | Sending SMS or WhatsApp notifications | Data Processing Agreement; Standard Contractual Clauses |
| Hetzner Online GmbH | All service data (hosted on Hetzner infrastructure) | Infrastructure hosting | Data Processing Agreement; data stored in EU data centres |
| Google (if you connect Google Calendar) | OAuth tokens; calendar event metadata | Calendar-based workflow triggers | Data Processing Agreement; Standard Contractual Clauses |
We do not sell your personal data to any third party. We do not share your data with advertisers, data brokers, or marketing platforms. We do not use your financial data for any purpose other than providing the services you have subscribed to.
4.1 International Transfers
Where any of our sub-processors transfer personal data outside of the United Kingdom, we ensure that appropriate safeguards are in place in accordance with UK GDPR Article 46. These safeguards include the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.
Our primary infrastructure (Hetzner) is located within the European Union. HMRC’s API servers are located within the United Kingdom.
5. Data Retention
We retain your personal data for only as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are as follows:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account information (name, email, business details) | Duration of your subscription plus 12 months after account closure | To allow for reactivation and to resolve any post-cancellation queries |
| Tax submission data (income, expenses, quarterly updates) | 7 years from the end of the relevant tax year | HMRC may enquire into a tax return for up to 6 years (12 years in cases of fraud); 7 years provides a reasonable compliance margin |
| HMRC submission confirmations and acknowledgement references | 7 years from the date of submission | Proof of submission in the event of an HMRC enquiry |
| HMRC OAuth tokens | Duration of your subscription; securely deleted upon account closure or disconnection | Required for ongoing API access; no value after disconnection |
| Fraud prevention header data | 13 months from the date of collection | HMRC’s recommended retention period for transaction monitoring data |
| National Insurance number and UTR | Duration of your subscription; securely deleted within 30 days of account closure | Required for HMRC API calls; no legitimate purpose after account closure |
| Payment and billing records | 7 years from the date of transaction | UK tax and accounting obligations for our own business records |
| Usage logs and diagnostic data | 12 months from collection | Service improvement and error diagnosis |
| Device ID (persistent UUID) | Until you clear your browser storage or close your account | HMRC fraud prevention compliance |
| Google Calendar data | Not retained; accessed in real-time and not stored beyond transient processing | Only event dates and titles are read; no persistent copy is made |
When data reaches the end of its retention period, it is securely deleted using cryptographic erasure (for encrypted data) or secure overwrite (for unencrypted data). Deletion is performed automatically by scheduled processes and is verified by audit logs.
6. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:
6.1 Technical Measures
- Encryption in transit: All data transmitted between your browser and our servers, and between our servers and HMRC, is encrypted using TLS 1.3.
- Encryption at rest: Sensitive data (National Insurance numbers, UTRs, OAuth tokens) is encrypted using AES-256 with envelope encryption. Encryption keys are stored separately from the encrypted data.
- Multi-tenant isolation: All database queries are scoped to your tenant identifier using PostgreSQL Row Level Security. Your data is logically separated from all other users’ data at the database level.
- Authentication: Access to your account is protected by email-based magic link authentication. Sessions use short-lived JSON Web Tokens (15-minute expiry) with server-side refresh tokens.
- Infrastructure security: Our servers run hardened Docker containers with read-only filesystems, no root access, and minimal attack surface. Network access is restricted by firewall rules.
- Dependency monitoring: We continuously scan our software dependencies for known vulnerabilities and apply security patches promptly.
6.2 Organisational Measures
- Access to personal data is limited to personnel who require it to provide the service.
- All personnel with access to personal data are bound by confidentiality obligations.
- We maintain an incident response procedure to detect, report, and investigate personal data breaches.
- We conduct periodic reviews of our security measures and update them as necessary.
6.3 HMRC Fraud Prevention Data Security
The fraud prevention data we collect on behalf of HMRC is transmitted directly to HMRC as HTTP headers at the time of each API request. This data is not used for any purpose other than statutory compliance. We retain a log of which headers were transmitted (but not the full header values) for audit purposes for 13 months.
7. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting us at the details provided in Section 11.
| Right | Description | Any Limitations |
|---|---|---|
| Right of access (Article 15) | You can request a copy of all personal data we hold about you. | We will provide this within 30 days of your request. |
| Right to rectification (Article 16) | You can ask us to correct any inaccurate or incomplete personal data. | You can also update most information directly within FlowForm. |
| Right to erasure (Article 17) | You can ask us to delete your personal data. | We may be unable to delete data that we are legally required to retain (e.g., tax submission records for 7 years, or data subject to an active HMRC enquiry). We will inform you of any such limitations. |
| Right to restriction (Article 18) | You can ask us to restrict how we process your data in certain circumstances. | For example, while we verify the accuracy of data you have disputed. |
| Right to data portability (Article 20) | You can request your data in a structured, commonly used, machine-readable format. | We provide data exports in JSON format. |
| Right to object (Article 21) | You can object to processing based on our legitimate interests. | We will stop processing unless we demonstrate compelling legitimate grounds. |
| Right to withdraw consent | Where processing is based on consent, you can withdraw it at any time. | Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Right to lodge a complaint | You can complain to the Information Commissioner’s Office (ICO). | ICO website: ico.org.uk. Telephone: 0303 123 1113. |
7.1 Right to Erasure and HMRC Data
If you request deletion of your account, we will:
- Immediately revoke your HMRC OAuth tokens and disconnect FlowForm from your HMRC account.
- Delete your account information, contact details, and preferences within 30 days.
- Securely delete your National Insurance number and UTR within 30 days.
- Retain HMRC submission confirmations and the financial data included in those submissions for the statutory retention period of 7 years, after which it will be automatically deleted.
- Delete all fraud prevention header data within 13 months of its collection, regardless of your account status.
We will confirm the actions taken in writing within 30 days of your request.
8. Cookies and Local Storage
8.1 Essential Cookies and Storage
We use a minimal set of cookies and browser local storage that are strictly necessary for the operation of FlowForm:
| Name / Key | Type | Purpose | Duration |
|---|---|---|---|
| session_token | Cookie (HttpOnly, Secure, SameSite=Strict) | Authenticates your session with our servers | 15 minutes (refreshed automatically) |
| flowform_device_id | Local Storage | Stores your persistent device UUID for HMRC fraud prevention compliance | Persistent (until you clear browser data) |
| flowform_preferences | Local Storage | Stores your UI preferences (e.g., notification settings, display options) | Persistent |
8.2 No Third-Party Tracking
We do not use any third-party analytics cookies, advertising cookies, or tracking pixels. We do not use Google Analytics, Facebook Pixel, or any similar third-party tracking technology. All usage analytics are collected server-side using our own infrastructure.
9. AI-Assisted Processing and Automated Decision-Making
9.1 How We Use AI
FlowForm uses artificial intelligence to assist you in capturing and structuring your workflow data, including income and expense information for MTD submissions. Specifically:
- Our AI elicitation system uses a three-agent deliberation process to help you describe and capture your business workflows and financial data through guided conversation.
- AI may suggest categories for your expenses or income based on your descriptions. These suggestions are always presented for your review and approval before any data is submitted.
- AI may identify potential gaps or inconsistencies in your data and prompt you to review them.
9.2 No Solely Automated Decisions
We do not make any decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you (within the meaning of UK GDPR Article 22). In particular:
- No tax calculation, quarterly update, or final declaration is submitted to HMRC without your explicit review and approval.
- AI-generated suggestions for expense categorisation or data completeness are advisory only and require your confirmation.
- Your HMRC submissions are always presented to you in plain language for review before the “Submit” action is taken.
9.3 AI and Your Data
Your financial data is processed by our AI systems solely within our infrastructure. We do not send your financial data to any third-party AI providers. Your data is not used to train AI models. Conversations with our AI elicitation system are processed in memory and are not retained beyond the workflow session unless you explicitly save the resulting workflow.
10. Children’s Privacy
FlowForm is a business and tax management service and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.
11. Contact Information
If you have any questions about this Privacy Policy, wish to exercise any of your rights, or have concerns about how we handle your personal data, you can contact us using the following details:
Data Controller: Neuro-Symbolic Ltd
Email: privacy@neuro-symbolic.co.uk
Postal Address: 3rd Floor, 86-90 Paul Street, London EC2A 4NE
We aim to respond to all privacy-related enquiries within 14 days and to all formal data subject requests within 30 days, as required by the UK GDPR.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or best practices. When we make material changes, we will:
- Notify you by email at least 14 days before the changes take effect.
- Display a prominent notice within FlowForm.
- Update the “Effective Date” and “Last Reviewed” dates at the top of this document.
Non-material changes (such as typographical corrections or clarifications that do not alter the substance of the policy) may be made without advance notice but will be reflected in the “Last Reviewed” date.
Previous versions of this Privacy Policy are available upon request.
13. HMRC-Specific Disclosures
This section provides additional transparency about our interaction with HMRC, as required for software providers participating in the Making Tax Digital programme.
13.1 Our Role as an HMRC-Recognised Software Provider
Neuro-Symbolic Ltd is registered with HMRC as a software provider for Making Tax Digital for Income Tax Self Assessment. Our HMRC application name is [APPLICATION NAME] and our application ID is [APPLICATION ID].
13.2 What HMRC Receives
When you instruct FlowForm to submit a quarterly update or final declaration, we transmit the following to HMRC:
- Your income and expense figures for the relevant period.
- Your Unique Taxpayer Reference and National Insurance number (as identifiers).
- Fraud prevention headers as detailed in Section 2.2 of this policy.
- OAuth 2.0 bearer tokens that authenticate the request as authorised by you.
13.3 HMRC’s Use of Fraud Prevention Data
HMRC uses the fraud prevention data we transmit to support the detection and prosecution of tax fraud. HMRC’s collection of this data is authorised by the Income Tax (Digital Requirements) Regulations 2021. For more information about how HMRC handles your data, please refer to HMRC’s own privacy notice at gov.uk/government/publications/data-protection-act-dpa-information-hm-revenue-and-customs-hold-about-you.
13.4 Your Control Over HMRC Submissions
You retain full control over what data is submitted to HMRC through FlowForm:
- No submission is made without your explicit instruction (clicking “Submit” after reviewing the data).
- You can review the exact figures that will be submitted before confirming.
- You can disconnect FlowForm from your HMRC account at any time by revoking access in your HMRC Government Gateway settings or by contacting us.
- You remain legally responsible for the accuracy of the data submitted to HMRC, as required by the MTD regulations. FlowForm is a submission tool, not a tax adviser.
13.5 HMRC Enquiries
In the event of an HMRC enquiry into any submission made through FlowForm, we will:
- Provide you with copies of all submission data and acknowledgement references we hold for the relevant period, upon your request.
- Co-operate with HMRC to the extent required by law, but we will not disclose your data to HMRC beyond what was included in the original submissions unless compelled to do so by a lawful order.
- Notify you promptly if we receive any direct request from HMRC for your data, unless prohibited from doing so by law.
14. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 01/02/2026 | Neuro-Symbolic Ltd | Initial version |
© Neuro-Symbolic Ltd 2026. All rights reserved.