Privacy Policy

DoneSE is a product of DoneLabs Ltd, a company registered in England and Wales, company number 17056937. We provide Making Tax Digital (MTD) software for UK sole traders, enabling quarterly income tax submissions to HMRC.

For the purposes of UK data protection law, DoneLabs Ltd is the data controller for personal data collected through DoneSE.

Contact: hello@donese.co.uk

ICO Registration Number: ICO-0001353294

We collect and process the following categories of personal data:

• Identity data: Your name, email address, and National Insurance Number (NINO).
• HMRC data: Your MTD ID, self-employment business ID, and encrypted OAuth tokens.
• Financial data: Bank transactions, income, and allowable expenses synced via open banking.
• Submission data: Quarterly tax returns and Final Declarations submitted to HMRC.
• Technical data: IP address, device ID, browser information, and session data.

We process your data on the following lawful bases:

• Contractual necessity: Providing the DoneSE service, categorising transactions, and submitting MTD returns.
• Legal obligation: HMRC required fraud prevention headers (IP, device ID, etc.).
• Legitimate interests: Managing your subscription via Stripe and improving our application.

DoneSE uses OAuth 2.0 to connect to your HMRC and bank accounts. We never store your Government Gateway or banking passwords.

HMRC connections use encrypted tokens to manage your tax records. Bank connections via TrueLayer (FCA-authorised) provide read-only access to transaction history. We cannot move money from your account.

We share data only where necessary: HMRC (for filings), TrueLayer (for bank sync), Stripe (for payments), and our secure infrastructure providers.

We implement AES-256-GCM encryption for all sensitive data at rest and HTTPS/TLS for all data in transit. We do not sell or share your data for marketing purposes.

Under UK GDPR, you have the right to access, erase, or rectify your data. You can delete your account and all associated data via your profile settings.

Retention: Data is kept while your account is active. Post-deletion, data is removed within 30 days, except where law requires longer retention (e.g., 7 years for financial tax records).

We use strictly necessary cookies only for authentication and HMRC fraud prevention compliance. No advertising or tracking cookies are used.

Complaints can be lodged with the Information Commissioner's Office (ICO) at ico.org.uk.

If you choose to connect your DoneSE account to an accountant's practice via a practice code, your transaction data, submission history, and tax figures will be made accessible to that accountant through DoneTax+, our agent platform.

This sharing is entirely voluntary and initiated by you. You may revoke accountant access at any time via your account settings. DoneLabs Ltd is not responsible for how your accountant uses your data once access has been granted.