Privacy Policy
Last updated: 13 May 2026
This Privacy Policy explains how Gateway Tax Limited (Company No. 17061194, registered in England and Wales) collects and uses personal and company information when you use Gateway Tax.
We are the data controller for the information described here. Our registered office and ICO data controller registration are listed in the Contact section at the end of this policy.
1. What we collect
When you use Gateway Tax, we collect and process:
- Account details — name, email address, and (when set) a hashed password. We never store passwords in cleartext.
- Company information — company name, registration number, registered office, accounting period, UTR (Unique Taxpayer Reference), and details retrieved on your behalf from Companies House.
- Financial information you enter — turnover, cost of goods sold, expenses, capital purchases, brought-forward losses, director's loan balances, balance sheet figures, and other amounts needed to prepare the CT600 and iXBRL accounts.
- Filing artefacts — generated CT600 XML and PDF, iXBRL accounts, HMRC correlation IDs, IRmark hashes, and HMRC response messages.
- Fraud-prevention data — device, browser, and session information that HMRC requires us to forward with every submission (mandatory under their fraud-prevention header programme).
- Usage data — basic logs (IP address, timestamps, actions taken) used to operate the service and investigate problems.
What we do not store: we never write your Government Gateway User ID or password to our database or logs. These are entered only at the point of submission, used in-memory to authenticate a single request to HMRC, and then discarded.
2. How we use it
We use your information to:
- Provide the filing service you signed up for (lawful basis: performance of contract).
- Submit returns and accounts to HMRC and, where applicable, Companies House (legal obligation triggered by your instruction).
- Process payments and issue receipts (performance of contract).
- Send service emails — account creation, password reset, filing confirmation, annual reminders (performance of contract, legitimate interest in keeping you informed).
- Comply with HMRC's fraud-prevention header requirements (legal obligation).
- Detect and prevent fraudulent or abusive use of the service (legitimate interest).
- Improve the product and fix bugs (legitimate interest).
3. Who we share it with
We share your information only with the following categories of third party, and only to the extent needed to operate the service:
- HM Revenue & Customs — we submit your CT600, iXBRL accounts, and accompanying metadata to HMRC's Corporation Tax Online service when you instruct us to file.
- Companies House — where the service files accounts alongside CT600, we transmit the same accounts data to Companies House on your instruction.
- Amazon Web Services (AWS) — our infrastructure provider. All Gateway Tax data is hosted in the UK (AWS region eu-west-2, London).
- AWS Simple Email Service (SES) — sends transactional email on our behalf (account creation, password reset, filing confirmation).
- Stripe — payment processor. Stripe receives the information needed to process your card payment; we do not see or store your card details. Stripe is the data controller for payment data.
- Anthropic (Claude API) — where the service uses AI to review your inputs for anomalies, the relevant inputs are sent to Anthropic's API for processing. Anthropic does not train on data submitted via their API.
We do not sell your data or share it for marketing purposes. We will not share your data with any other third party except where required by law (for example, a court order) or to protect our rights, property, or safety.
4. How long we keep it
We retain filing data for seven years after the end of the accounting period filed, in line with HMRC's Corporation Tax record-keeping requirements. You can request that we delete your account at any time; we will then delete personal data not required to comply with that statutory retention period.
5. Where it's stored
Your data is stored in the United Kingdom (AWS region eu-west-2, London). It is not transferred outside the UK except where one of our processors (for example, Stripe or Anthropic) operates from another jurisdiction; in those cases the transfer is governed by an appropriate UK GDPR transfer mechanism (Standard Contractual Clauses or adequacy decision).
6. Security
We protect your data with encryption in transit (HTTPS) and at rest, role-based access controls on our infrastructure, and regular security review. No system can guarantee absolute security, but we take all reasonable steps to protect the information you entrust to us.
7. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Have your data deleted (subject to the statutory CT retention period above).
- Restrict or object to certain processing.
- Receive a copy of your data in a portable format.
- Withdraw consent for any processing we do on a consent basis.
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, email alexis@gatewaytax.co.uk.
8. Cookies
We use a minimal set of cookies, strictly necessary to operate the service:
- A session cookie set after you sign in, so the service knows who you are on subsequent requests.
- A device identifier stored in your browser's local storage, which we forward to HMRC as part of the mandatory fraud-prevention header data.
We do not use third-party analytics, advertising, or tracking cookies.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or through the service. The Last updated date at the top of this page indicates when this version took effect.
10. Contact
Gateway Tax Limited
Company No. 17061194, registered in England and Wales
Registered office: 40 Sandy Ridge, Chislehurst, England, BR7 5DR
ICO data controller registration: to be confirmed
Email: alexis@gatewaytax.co.uk