1. Who We Are
SFTWARES LTD ("we", "us", "our") operates Invoice4You — a cloud-based invoicing and Making Tax Digital (MTD) application available at invoice4you.app and as a mobile app on iOS and Android.
We are the data controller for personal data you provide to us. Where we transmit data to HMRC on your instruction, HMRC acts as a separate and independent data controller for the data they receive.
2. Data We Collect
Account Data
- Full name, email address, password (stored as a secure hash — never in plain text)
- Business type (sole trader, limited company, etc.)
Business & Company Data
- Company name, address, phone number, email
- Bank account details (bank name, sort code, account number) — used for payment details on invoices
- VAT number, VAT scheme, flat rate percentage
- UTR (Unique Taxpayer Reference) number
- NINO (National Insurance number) — for MTD for Income Tax Self Assessment
- Company registration number
Invoice, Client & Quote Data
- Client names, email addresses, phone numbers, postal addresses
- Invoice amounts, line items, due dates, payment status, notes
- Quote values and proposal details
- Expense records and receipts
HMRC Connection Data
When you connect your company to HMRC via Making Tax Digital:
- HMRC OAuth 2.0 access token and refresh token (stored encrypted using AES-256-GCM — never in plain text)
- Token expiry timestamp and granted scopes
- VAT obligation periods and submission history cached from HMRC
Fraud Prevention Data (Required by Law)
HMRC's fraud prevention specification legally requires us to collect and transmit device and connection information with every MTD API call. This includes:
- A persistent device identifier (UUID generated on first use, stored securely on your device)
- Device screen dimensions and pixel density
- Device timezone
- Your device's local IP address(es) and the timestamp they were collected
- Your public IP address
- Your device's user agent string
- Browser plugin list and Do Not Track preference (web users only)
- Connection method (mobile app or web browser)
- App version number
This data is transmitted to HMRC as HTTP headers on every MTD API request. We do not store it ourselves beyond the duration of the API call.
Usage & Diagnostic Data
- App interactions, device type, operating system version
- Error logs and crash reports (retained for 90 days)
3. How We Use Your Data
| Purpose | Data used |
|---|---|
| Providing the Invoice4You service | Account, business, invoice, client data |
| Sending invoices and reminders by email | Client email, invoice details, company details |
| Submitting VAT & Income Tax (ITSA) returns to HMRC (MTD) | VAT and Income Tax data, NINO/UTR/VRN, HMRC tokens, fraud prevention data |
| HMRC fraud prevention compliance | Device ID, IP, screen info, user agent |
| Account security and authentication | Email, hashed password, session tokens |
| Customer support | Account data, error logs |
| Improving the service | Anonymised usage statistics |
We do not use your data for advertising, behavioural profiling, or selling to third parties.
4. Legal Basis for Processing
| Processing activity | Legal basis |
|---|---|
| Providing the service you signed up for | Contract performance (UK GDPR Art. 6(1)(b)) |
| Submitting MTD VAT & Income Tax (ITSA) returns to HMRC | Legal obligation (UK GDPR Art. 6(1)(c)) — Making Tax Digital legislation |
| Transmitting fraud prevention headers to HMRC | Legal obligation (UK GDPR Art. 6(1)(c)) — HMRC fraud prevention specification |
| Sending marketing communications | Consent (UK GDPR Art. 6(1)(a)) |
| Diagnosing errors and improving the service | Legitimate interests (UK GDPR Art. 6(1)(f)) |
5. Data Sharing & Third Parties
We share data only as necessary to provide the service:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase (database & auth) | Hosting your account, invoices, and company data | All user data (encrypted at rest, EU region) |
| Resend | Sending transactional emails (invoices, reminders) | Client email address, invoice content |
| HMRC | Making Tax Digital VAT & Income Tax (ITSA) submission | VAT/Income Tax figures, NINO/UTR/VRN, fraud prevention headers — see Section 6 |
| Apple / Google (mobile stores) | App distribution | None — they process their own analytics separately |
We never sell your data. Data may be disclosed to law enforcement or courts if required by a valid legal obligation.
6. HMRC Making Tax Digital
What we send to HMRC
- Your VAT Registration Number (VRN), and — for Income Tax Self Assessment (ITSA) — your National Insurance number (NINO) and Unique Taxpayer Reference (UTR), used to identify your business to HMRC
- Your VAT return figures (the 9-box submission) calculated from your invoices and expenses
- Your Income Tax (ITSA) submission figures — quarterly updates, annual submissions, and your final declaration — calculated from the records you enter and confirm
- Fraud prevention headers (device and connection data) required by HMRC's API specification
- Your OAuth authorisation grant, which HMRC uses to confirm you have given Invoice4You permission to act on your behalf
What we do not send to HMRC
- Individual invoice details, client names, or line items — only the figures required for your VAT or Income Tax submission
- Any data beyond what HMRC's API requires
Tax agents
Where you authorise a tax agent (for example an accountant or bookkeeper) to act for you through HMRC's agent authorisation, that agent can access and submit the records and returns only for the clients who have authorised them. That authority is granted and controlled through HMRC, not within Invoice4You, and can be revoked at any time through your HMRC online account.
HMRC as a data controller
Once data reaches HMRC, it is processed under HMRC's own privacy notice (available at gov.uk). SFTWARES LTD is not responsible for HMRC's processing of data they receive.
Token security
Your HMRC access token and refresh token are stored in our database using AES-256-GCM encryption. The encryption key never leaves our server environment. Tokens can be revoked at any time by disconnecting your company from HMRC within the app. We never see or store your Government Gateway sign-in details — only the encrypted OAuth tokens HMRC issues.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Retained while active + 30 days after deletion request |
| Invoice & client data | Deleted 30 days after account closure (or earlier on request) |
| Financial records (invoices, expenses) | Up to 7 years for tax compliance where required by law |
| HMRC tokens | Deleted immediately when you disconnect from HMRC, or when your account is deleted |
| HMRC VAT & Income Tax submission history | Deleted when your account is deleted |
| Fraud prevention headers | Not stored — transmitted to HMRC per API call only |
| Error logs & crash reports | 90 days |
8. Your Rights Under UK GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data (subject to legal retention requirements)
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format (use the "Export My Data" feature in Settings)
- Object — object to processing based on legitimate interests
To exercise any right, contact us at the address in Section 14. We will respond within 30 days (extendable by up to two months for complex requests).
To complain about our handling of your data, contact the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
9. Cookies & Tracking
- Website: Uses session storage only — no persistent cookies, no Google Analytics, no advertising pixels.
- Mobile app: Uses your device's secure storage (iOS Keychain / Android EncryptedSharedPreferences) for login sessions. No third-party tracking SDKs.
10. Security
We implement the following security measures:
- Encryption in transit: All data transmitted over HTTPS/TLS
- Encryption at rest: Database encrypted at rest by Supabase (AES-256)
- HMRC token encryption: Access and refresh tokens stored using AES-256-GCM application-level encryption
- Session security: Login sessions stored in encrypted device storage (iOS Keychain / Android EncryptedSharedPreferences)
- Row Level Security: Database policies ensure each user can only access their own data
- Authentication: Passwords stored as secure hashes; PKCE OAuth 2.0 flow for HMRC authorisation
- Breach notification: We will notify affected users and the ICO within 72 hours of discovering a personal data breach, as required by UK GDPR Article 33
11. Children's Privacy
Invoice4You is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that a child under 16 has created an account, we will delete their data promptly.
12. International Data Transfers
Your data is primarily stored within the UK and European Economic Area (EEA). Where we use US-based service providers (such as Resend for email delivery), transfers are protected by Standard Contractual Clauses (SCCs) approved by the UK ICO.
HMRC data is transmitted to HMRC's UK government infrastructure and remains within the UK.
13. Changes to This Policy
We will notify you of material changes by email or in-app notification at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of Invoice4You after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
We aim to respond to all privacy enquiries within 30 days. For complex requests, we may extend this by up to two months and will inform you accordingly.
Unresolved complaints may be escalated to the Information Commissioner's Office (ICO):