These Terms of Use ("Terms") govern your access to and use of DIY Accounting Submit ("the Service"), provided by DIY Accounting Limited. By using the Service, you agree to these Terms and our Privacy Policy.
1. Service Description
DIY Accounting Submit is a web application that helps UK businesses submit VAT returns to HMRC via the Making Tax Digital (MTD) APIs. The Service enables you to:
- View VAT obligations
- Submit VAT returns to HMRC
- View submission receipts and history
- Manage feature bundles and entitlements
2. Eligibility and Account
- You must be a UK business registered for VAT or an authorized agent acting on behalf of such a business
- This Service is intended for business use only. If you are a sole trader, you are contracting in your business capacity, not as a consumer. Consumer protection laws (including the Consumer Rights Act 2015) may not apply to your use of this Service
- You must have valid HMRC Government Gateway credentials
- You are responsible for maintaining the confidentiality of your login credentials
- You must not share your account with others or allow unauthorized access
3. HMRC Integration and OAuth
- The Service uses HMRC's OAuth 2.0 authorization flow. When you authorize the Service, you grant us permission to access HMRC APIs on your behalf
- We will never request or store your HMRC Government Gateway password
- We store OAuth access tokens securely to enable API calls. You can revoke authorization at any time through your HMRC authorized applications page
- You are responsible for the accuracy of data you submit to HMRC through the Service
4. Acceptable Use
You agree not to:
- Use the Service for any unlawful purpose or in violation of any regulations
- Submit false, inaccurate, or misleading information to HMRC
- Attempt to gain unauthorized access to the Service, other users' accounts, or connected systems
- Interfere with or disrupt the Service or servers
- Use the Service to transmit malware, viruses, or harmful code
- Reverse engineer, decompile, or attempt to extract source code (except where permitted by applicable open source licenses)
- Use automated tools, bots, or scripts to access the Service without our written permission
- Attempt to circumvent rate limits or other technical restrictions
- Use the Service to build a competing product or resell API access to third parties without our express written consent
- Scrape, harvest, or collect data from the Service for commercial purposes
5. Data Processing and Privacy
- We process your personal data in accordance with UK GDPR and our Privacy Policy. Please review it carefully
- Data is encrypted at rest and in transit using industry-standard protocols (TLS 1.2+, AES-256)
- We use Amazon Web Services (AWS) as our infrastructure provider. Data is processed in the EU West (London) region. AWS is a GDPR-compliant data processor
- You have the right to access, export, and delete your data. Contact admin@diyaccounting.co.uk to exercise these rights. We will respond within 30 days
6. Data Retention
- User bundles: Retained while your account is active; deleted within 30 days of account closure
- HMRC submission receipts: Retained for 7 years in line with UK tax record-keeping requirements (HMRC requirement under VAT regulations)
- HMRC API audit logs: Retained for 30 days for compliance and troubleshooting; sensitive data is masked
- Authentication data: OAuth tokens expire per HMRC policy; refresh tokens are deleted on logout or revocation
- Performance monitoring data: Raw events are retained for 30 days; aggregated metrics (anonymized) are retained longer
- Infrastructure logs: Retained for 30-90 days for security and operational purposes
7. Fraud Prevention Headers
In compliance with HMRC Making Tax Digital (MTD) regulations, the Service collects and transmits fraud prevention headers with each VAT return submission. This is a legal requirement for all MTD-compliant software.
Data collected includes:
- Public IP address
- Device identifier (generated fresh for each submission, not stored persistently)
- Browser user agent, timezone, screen resolution, and window size
- User identifier (Cognito user ID)
- Vendor information (application name and version)
This data helps HMRC identify and prevent fraudulent VAT submissions and supports criminal prosecutions for tax fraud. You consent to this collection when you authorize the Service through HMRC's OAuth flow. For full details, see the HMRC Fraud Prevention section of our Privacy Policy.
8. HMRC Software Vendor Status
DIY Accounting Submit is developed to comply with HMRC's Making Tax Digital for VAT requirements. The Service uses HMRC's official APIs and implements all required fraud prevention headers.
Current status: The Service is fully functional with HMRC's sandbox (test) environment and has been tested against HMRC's fraud prevention header validation endpoint. Production credentials are being sought from HMRC.
We are committed to maintaining compliance with all HMRC requirements for MTD software vendors, including ongoing fraud prevention header compliance and security standards.
9. Service Availability
- We strive to maintain high availability but do not guarantee uninterrupted access
- The Service may be unavailable during maintenance windows (we will notify users where possible)
- HMRC API availability is outside our control. HMRC typically has planned maintenance periods
- We reserve the right to modify, suspend, or discontinue features with reasonable notice
10. Fees and Bundles
- The Service offers different feature bundles (e.g., guest, test, production)
- Some bundles may be free; others may require payment or approval
- Pricing changes: We will provide at least 30 days' notice before any price increases for paid bundles
- Existing entitlements: Paid bundles remain valid for their purchased duration regardless of subsequent price changes
- Refunds: No refunds will be provided except where required by law or in cases of Service unavailability exceeding 7 consecutive days
11. Intellectual Property
- The Service is open source software licensed under AGPL-3.0. See the LICENSE file in the repository
- If you modify the Service and run it on a server for others to access, you must make your modified source code available under AGPL-3.0
- Third-party trademarks, including HMRC and AWS, are property of their respective owners
12. Limitation of Liability
To the fullest extent permitted by law:
- The Service is provided "as is" without warranties of any kind, express or implied
- We do not warrant that the Service will be error-free, secure, or uninterrupted
- We are not liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of the Service
- Our total liability to you for any claims arising from the Service shall not exceed the greater of: (a) the amount you paid for the Service in the 12 months preceding the claim, or (b) fifty pounds (£50)
- You are responsible for ensuring the accuracy of data submitted to HMRC and compliance with all tax obligations. We are not tax advisors
- Nothing in these Terms excludes or limits our liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by law
13. Indemnification
You agree to indemnify and hold harmless DIY Accounting Limited, its officers, employees, and agents from any claims, damages, or expenses arising from your use of the Service, your violation of these Terms, or your violation of any laws or regulations.
14. Force Majeure
Neither party shall be liable for delays or failures in performance resulting from circumstances beyond reasonable control, including but not limited to:
- HMRC system outages, maintenance, or API changes
- Changes to Making Tax Digital regulations or requirements
- Government or regulatory actions
- Natural disasters, pandemics, or other acts of God
- Cyber attacks, denial of service attacks, or security incidents affecting third-party infrastructure
- Failures of third-party infrastructure providers (including AWS)
- Internet or telecommunications failures
In the event of a force majeure event, the affected party shall notify the other party as soon as reasonably practicable and use reasonable efforts to mitigate the impact.
15. Security Incidents
- We implement industry-standard security measures to protect your data, including encryption, access controls, Web Application Firewall (WAF) protection, and regular security monitoring
- In the event of a data breach affecting your personal data, we will notify you and the ICO within 72 hours as required by UK GDPR
- We will also notify HMRC within 72 hours if the breach affects HMRC-related data or OAuth credentials
16. Termination
- You may terminate your account at any time by contacting admin@diyaccounting.co.uk
- We may suspend or terminate your access if you violate these Terms, for security reasons, or if required by law or by HMRC
- Upon termination, your user data (bundles and authentication tokens) will be deleted within 30 days. HMRC receipts will be retained for 7 years per legal requirements
17. Dispute Resolution
If a dispute arises between you and DIY Accounting Limited:
- Good faith negotiation: Both parties agree to attempt to resolve the dispute through good faith negotiation for a period of 30 days before initiating any formal proceedings
- Mediation: If negotiation fails, either party may propose mediation through an agreed mediator or a service such as the Centre for Effective Dispute Resolution (CEDR). Mediation costs shall be shared equally unless otherwise agreed
- Small claims: For disputes under £10,000, either party may bring a claim in the Small Claims Court of England and Wales
- Court proceedings: If mediation is unsuccessful or inappropriate, either party may commence court proceedings in accordance with Section 18 (Governing Law)
This clause does not prevent either party from seeking urgent injunctive relief where necessary.
18. Changes to Terms
- We may update these Terms from time to time. The "Last updated" date will reflect the most recent changes
- Material changes (including changes to fees, liability, or data processing) will be notified via email at least 30 days before they take effect
- Continued use of the Service after changes constitutes acceptance of the updated Terms
- If you do not agree to updated Terms, you may close your account before the changes take effect
19. Governing Law and Jurisdiction
- These Terms are governed by the laws of England and Wales
- Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales, subject to the dispute resolution process in Section 17
20. Contact and Legal Entity
For questions about these Terms, data requests, or account issues:
DIY Accounting Limited
Registered Office: 37 Sutherland Avenue, Leeds, LS8 1BY
Company Number: 06846849
Registered in England and Wales
Email: admin@diyaccounting.co.uk
As required by the Companies Act 2006, our company registration details are displayed above and on all official correspondence.
21. Open Source
The source code for this Service is available at github.com/antonycc/submit.diyaccounting.co.uk under the AGPL-3.0 license. Contributions and issue reports are welcome.