DIY Accounting Submit is a lightweight web application that helps you submit UK VAT returns via HMRC's Making Tax Digital (MTD) service. We aim to collect the minimum data necessary to operate the service, comply with legal requirements, and monitor performance.
What we collect
Account and Authentication Data
- Cognito user profile: Email address, name, and unique user identifier (sub) from Google OAuth sign-in
- Authentication tokens: JWT access, identity, and refresh tokens stored in your browser's localStorage for session management
- HMRC OAuth tokens: Temporary access tokens obtained when you authorize HMRC access (not stored long-term)
VAT Submission Data
- VAT return data: The figures you enter for submission (processed but not stored beyond the request)
- HMRC submission receipts: Confirmation receipts from HMRC including form bundle number, processing date, and timestamp
- Subscription bundles: Records of your service entitlements and expiry dates
HMRC Fraud Prevention Data
When you submit a VAT return, we are legally required to collect and transmit fraud prevention data to HMRC. See the HMRC Fraud Prevention Headers section below for full details.
Real User Monitoring (RUM)
We use Amazon CloudWatch RUM to collect performance and error data from your browser. This helps us improve the application's speed, reliability, and user experience. RUM only starts after you click "Accept" in the consent banner.
Data Collected by RUM
- Performance Metrics: Page load times, render times, interaction delays (Core Web Vitals: LCP, INP, CLS)
- JavaScript Errors: Unhandled exceptions and error messages
- HTTP Requests: API request URLs (without query parameters), status codes, durations
- Navigation Events: Pages visited, route changes
- Device Information: Browser type/version, operating system, screen resolution, viewport size
- Session Information: Anonymous session ID, hashed user ID (if logged in - we hash your identifier in the browser before sending)
Data NOT Collected by RUM
- Form input data (e.g., VAT numbers, financial figures)
- Passwords or authentication tokens
- Full URLs with query parameters or personal identifiers
- IP addresses (AWS receives them for request routing but we do not store or process them for RUM)
Infrastructure and Operational Data
- API Gateway access logs: Request metadata including timestamps, paths, response codes, and request IDs
- CloudFront/WAF logs: Edge request logs including IP addresses for security monitoring and rate limiting
- Lambda execution logs: Structured operational logs with correlation IDs for debugging (sensitive data excluded)
- HMRC API audit trail: Masked records of API requests and responses for compliance and troubleshooting (sensitive data redacted)
HMRC Fraud Prevention Headers
Under Making Tax Digital (MTD) regulations, HMRC requires all software providers to collect and transmit fraud prevention data with each VAT return submission. This is a legal requirement that we cannot opt out of.
Legal Basis
The collection and transmission of fraud prevention data is mandated by HMRC under the HMRC Fraud Prevention Specification. HMRC uses this data to:
- Identify and prevent fraudulent VAT submissions
- Support criminal prosecutions for tax fraud
- Verify the authenticity of submissions
- Monitor for suspicious patterns across the MTD ecosystem
Data Points Collected
The following data is collected and transmitted to HMRC with each VAT return submission:
| Data Point | Description | How Collected |
|---|---|---|
| Public IP Address | Your internet-facing IP address | Detected via WebRTC or external IP services, or extracted from request headers |
| Device ID | A unique identifier for your browser session | Generated fresh for each submission using crypto.randomUUID(); not stored persistently |
| Browser User Agent | Your browser type, version, and operating system | From navigator.userAgent |
| Timezone | Your local timezone offset (e.g., UTC+00:00) | Calculated from JavaScript Date API |
| Screen Information | Screen resolution, color depth, and device pixel ratio | From window.screen properties |
| Window Size | Browser window dimensions | From window.innerWidth and window.innerHeight |
| User Identifier | Your Cognito user ID (or "anonymous" if not logged in) | From authentication token claims |
| Vendor Information | Our application name and version | From application configuration |
| Connection Method | How you connect to HMRC (WEB_APP_VIA_SERVER) | Fixed value for this application type |
How Device ID Works
The device ID is not stored persistently. A new UUID is generated for each VAT return submission using your browser's cryptographic random number generator. This means:
- No cookies are used for device tracking
- No localStorage is used for device ID storage
- Each submission generates a fresh, unique device identifier
HMRC Consent
When you authorize this application to submit VAT returns on your behalf, you do so through HMRC's own OAuth authorization flow. HMRC's authorization screen explains that fraud prevention data will be collected. By completing the authorization, you consent to this data collection as required by HMRC.
For more information about HMRC's fraud prevention requirements, see the HMRC Fraud Prevention Documentation.
How and when we collect it
- Account data: Collected when you sign in with Google OAuth and stored in AWS Cognito and browser localStorage.
- VAT submission data: Collected when you submit a VAT return; receipts are stored in DynamoDB for 7 years.
- Fraud prevention data: Collected at the moment of VAT return submission and transmitted immediately to HMRC.
- RUM data: Only collected after you click "Accept" in the consent banner.
- Infrastructure logs: Collected automatically by AWS services when you use the site, for security and operational reasons.
What we use it for
- VAT submissions: To submit your VAT returns to HMRC and provide you with confirmation receipts.
- Authentication: To verify your identity and manage your session.
- Entitlements: To track your subscription bundles and service access.
- Fraud prevention compliance: To fulfill our legal obligations under Making Tax Digital regulations.
- Performance monitoring: To improve site speed, reliability, and user experience.
- Error detection: To identify and fix bugs and issues.
- Security: To protect the service and users from abuse, attacks, and unauthorized access.
- Compliance auditing: To maintain audit trails for regulatory compliance.
Data retention
Application Data
| Data Category | Retention Period | Reason |
|---|---|---|
| HMRC submission receipts | 7 years | UK tax record-keeping requirements |
| User bundles (entitlements) | 1 month after expiry | Service access management |
| HMRC API audit logs (masked) | 30 days | Compliance and troubleshooting |
| Async request tracking | 1 hour | Request processing |
| Cognito user profile | While account active | Authentication |
| Browser tokens (localStorage) | Until logout or expiry | Session management |
Monitoring and Infrastructure Data
| Data Category | Retention Period |
|---|---|
| CloudWatch RUM events | 30 days (raw), longer for aggregated metrics |
| API Gateway access logs | 30-90 days (configurable per environment) |
| CloudFront/WAF logs | 30 days |
| Lambda execution logs | 30-90 days |
| CloudTrail audit logs | 90 days (configurable) |
Cookies and browser storage
This application does not set cookies of its own (the RUM client may, as noted below, and only after you consent).
We use browser localStorage and sessionStorage instead:
localStorage (persistent until cleared)
- Authentication tokens: Cognito access, identity, and refresh tokens for session management
- User info: Parsed user profile from Cognito (sub, name, email)
- Consent preferences: Your RUM and analytics consent choices
- Auth state: OAuth state parameter for CSRF protection during login
sessionStorage (cleared when browser tab closes)
- MFA metadata: Multi-factor authentication information for fraud prevention headers (if applicable)
RUM may use cookies or localStorage to establish session information, but only after you consent via the banner. You can clear all stored data using your browser's "Clear site data" function.
Your choices
- RUM consent: You can decline analytics in the consent banner. You can change your choice by clearing site data in your browser and revisiting.
- HMRC authorization: You can revoke HMRC access at any time through your HMRC authorized applications page.
- Account deletion: Contact us to request deletion of your account and associated data (subject to legal retention requirements).
Note: You cannot opt out of fraud prevention data collection for VAT submissions. This is a legal requirement mandated by HMRC for all MTD-compliant software.
Your data rights (UK GDPR)
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure ("right to be forgotten"): Request deletion of your account and personal data
- Right to data portability: Request to export your data in a structured, machine-readable format (JSON or CSV) to transfer to another service
- Right to object: Object to processing of your personal data
- Right to restrict processing: Request temporary restriction of data processing
How to Exercise Your Rights
To exercise any of these rights, contact us at admin@diyaccounting.co.uk with:
- Your name and email address associated with your account
- The specific right you wish to exercise
- Any additional details to help us process your request
We will respond to your request within 30 days. For data deletion, we will delete your bundles, authentication data, and audit logs within 30 days. HMRC submission receipts will be retained for 7 years per UK tax record-keeping requirements, but will be anonymized where possible.
Data recipients
HMRC (Data Controller)
When you submit a VAT return, your VAT figures and fraud prevention data are transmitted directly to HMRC. HMRC is an independent data controller for this data and processes it according to their own privacy policy. We do not control how HMRC uses this data after transmission.
- Data shared: VAT return figures, fraud prevention headers (see above)
- Purpose: VAT return processing and fraud prevention
- Legal basis: Legal obligation (Making Tax Digital regulations)
- HMRC Privacy Notice: HMRC Data Protection Information
Amazon Web Services (Data Processor)
We use Amazon Web Services (AWS) to host and operate the website, API, and monitoring services. AWS acts as a data processor on our behalf under a Data Processing Agreement. All data is processed in the Europe (London) region (eu-west-2) unless otherwise noted.
AWS services we use include:
- Amazon Cognito: User authentication and identity management
- Amazon DynamoDB: Data storage for receipts, bundles, and audit logs
- AWS Lambda: Serverless API functions
- Amazon CloudFront: Content delivery and edge caching (global edge locations)
- Amazon CloudWatch: Logging, monitoring, and RUM
- AWS WAF: Web application firewall and rate limiting
- AWS Secrets Manager: Secure storage of API credentials
AWS is GDPR-compliant. See AWS GDPR Center for details.
Google (Authentication Provider)
If you sign in with Google, Google processes your authentication data according to their privacy policy. We receive only your name, email address, and a unique identifier from Google.
International data transfers
The majority of your data is processed in the EU West (London) region. However, the following transfers may occur:
- CloudFront edge caching: Static assets may be cached at global edge locations for performance. No personal data is cached.
- IP detection services: For fraud prevention, we may use external services (ipify.org, ipapi.co) to detect your public IP if WebRTC detection fails. Only your IP address is sent to these services.
All AWS data processing is covered by AWS's Standard Contractual Clauses for international transfers where applicable.
ICO Registration Disclosure
This section provides a structured summary suitable for ICO (Information Commissioner's Office) registration and public disclosure.
Data Controller
- Organization: DIY Accounting Limited
- ICO Registration Number: ZB070902
- Contact Email: admin@diyaccounting.co.uk
- Website: https://submit.diyaccounting.co.uk
Categories of Data Subjects
- UK VAT-registered businesses and individuals using Making Tax Digital services
- Website visitors
Categories of Personal Data Processed
| Category | Examples |
|---|---|
| Identity data | Name, email address, user identifier |
| Technical data | IP address, browser type, device information, timezone |
| Financial data | VAT return figures (processed, not stored) |
| Transaction data | HMRC submission receipts, subscription records |
| Usage data | Page views, performance metrics, error logs |
Purposes of Processing
| Purpose | Legal Basis |
|---|---|
| VAT return submission to HMRC | Contract performance; Legal obligation |
| Fraud prevention data transmission | Legal obligation (MTD regulations) |
| User authentication | Contract performance |
| Subscription management | Contract performance |
| Receipt storage (7 years) | Legal obligation (tax records) |
| Performance monitoring (RUM) | Consent |
| Security and fraud prevention | Legitimate interests |
| Compliance auditing | Legal obligation |
Categories of Recipients
- HMRC: VAT return data and fraud prevention headers (data controller)
- Amazon Web Services: All processing and storage (data processor, EU-West London region)
- Google: Authentication provider (data controller for auth data)
International Transfers
Primary processing in EU West (London). CloudFront edge caching at global locations (no personal data cached). AWS Standard Contractual Clauses apply where required.
Retention Periods
- HMRC submission receipts: 7 years (legal requirement)
- User account data: Duration of account plus 30 days
- Subscription records: 1 month after expiry
- Audit logs: 30-90 days
- RUM data: 30 days (raw)
Data Subject Rights
Data subjects may exercise rights of access, rectification, erasure, portability, objection, and restriction by contacting admin@diyaccounting.co.uk. Requests are processed within 30 days.
Security Measures
- Encryption at rest and in transit (TLS 1.2+, AES-256)
- AWS WAF rate limiting and attack protection
- JWT-based authentication with token expiry
- Hashed user identifiers in database storage
- Masked sensitive data in audit logs
- Point-in-time recovery for critical data
Security measures
We implement industry-standard security measures including:
- Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
- Access controls: JWT-based authentication with automatic token expiry
- Rate limiting: AWS WAF protection against abuse (2000 requests per 5 minutes per IP)
- Data minimization: Hashed user identifiers in database, masked sensitive data in logs
- Monitoring: Real-time security monitoring and alerting
- Backup and recovery: Point-in-time recovery enabled for critical data
Content Security Policy
We use a Content Security Policy (CSP) to protect against cross-site scripting (XSS) and other code injection attacks. Our policy restricts content sources to trusted origins with the following accepted exceptions:
- script-src 'unsafe-inline': Required for inline event handlers used in form validation and dynamic UI components. Mitigated by: strict input validation, no user-generated content in scripts, and limited scope of inline handlers.
- style-src 'unsafe-inline': Required for dynamic styling of UI components and third-party integrations (CloudWatch RUM). Mitigated by: no user-controlled style values and strict output encoding.
These exceptions are documented as accepted risks in our security compliance process. Because 'unsafe-inline' on script-src means the policy itself will not block an injected inline script, the input validation and encoding listed above carry the XSS risk for those paths. We regularly review whether these exceptions can be eliminated through code refactoring, for example by moving inline event handlers into external scripts and allowing inline code only via a per-response nonce or hash, which browsers honour in place of 'unsafe-inline'.
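The check a practitioner would run against a policy like the one described above, as an added example that is not the application's own code: parse a Content-Security-Policy header, find the sources that govern scripts, and report whether arbitrary inline scripts and inline event handlers would execute, taking into account that browsers ignore 'unsafe-inline' once a nonce or hash source is present. The two policy strings at the bottom are constructed to resemble the accepted exceptions and a nonce-based replacement; they are not copied from the live site.

```javascript
// Added example (not the application's own code): audit a Content-Security-Policy
// header for the inline-script exception described above. The policies below
// are constructed for illustration.

// "directive src src; directive src" -> Map(directive -> [sources]).
// Directive names are case-insensitive; when a directive repeats, browsers keep
// the first occurrence and ignore the rest.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs scripts; without it default-src applies; without either,
// scripts are unrestricted.
function scriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

const NONCE_OR_HASH = /^'(nonce-[A-Za-z0-9+\/=_-]+|sha(256|384|512)-[A-Za-z0-9+\/=]+)'$/;

// Returns { inlineScripts, inlineHandlers, reason }: whether an arbitrary inline
// <script> block, and an inline event handler attribute (onclick="..."), would
// run under this policy.
function auditInlineScript(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) {
    return { inlineScripts: true, inlineHandlers: true,
             reason: "no script-src or default-src: scripts are unrestricted" };
  }
  const keywords = new Set(sources.map((s) => s.toLowerCase()));
  const hasUnsafeInline = keywords.has("'unsafe-inline'");
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  if (hasNonceOrHash) {
    // CSP Level 2+: a nonce or hash source makes 'unsafe-inline' a no-op, so only
    // scripts carrying the nonce/hash run. Event handler attributes additionally
    // need 'unsafe-hashes' plus a hash of each handler body.
    return { inlineScripts: false, inlineHandlers: keywords.has("'unsafe-hashes'"),
             reason: "nonce/hash present: 'unsafe-inline' is ignored; only nonced or hashed scripts run" };
  }
  if (hasUnsafeInline) {
    return { inlineScripts: true, inlineHandlers: true,
             reason: "'unsafe-inline' lets any injected <script> or on* attribute run, so CSP does not stop XSS payloads" };
  }
  return { inlineScripts: false, inlineHandlers: false,
           reason: "inline scripts and handlers are blocked" };
}

// Nonce-based replacement for the script-src exception. The nonce must be
// generated per response from a CSPRNG (e.g. 16 random bytes, base64) and
// echoed on each legitimate <script nonce="..."> tag; style-src is left as-is.
function nonceBasedPolicy(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; style-src 'self' 'unsafe-inline'`;
}

// Constructed policies: the first mirrors the accepted exceptions above, the
// second is the hardened form for script-src.
const CURRENT_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
const HARDENED_POLICY = nonceBasedPolicy("rAnd0mBase64Nonce==");
```

Running `auditInlineScript(CURRENT_POLICY)` reports inline scripts and handlers as allowed, while `auditInlineScript(HARDENED_POLICY)` reports both blocked; the same parser also flags a policy that lists 'unsafe-inline' next to a nonce, where the keyword is silently ignored by the browser and the site must already be nonce-clean.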
Security incidents
In the event of a data breach affecting your personal data, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, as required by UK GDPR, and notify you without undue delay where the breach is likely to put your rights at high risk. We will also notify HMRC within 72 hours if the breach affects HMRC-related data or OAuth credentials.
Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent changes. Material changes will be notified via email or prominent notice in the application. Continued use after changes constitutes acceptance of the updated policy.
Contact
For privacy questions, data requests, or security concerns, contact:
Email: admin@diyaccounting.co.uk
Company: DIY Accounting Limited
For issue reports, please include your browser, approximate time, and the page you were on.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
ICO Registration: DIY Accounting Limited is registered with the ICO. Registration number: ZB070902.