Privacy Policy
Last updated: March 2026
1. Introduction
TaxWhizz.ai Ltd (“TaxWhizz”, “we”, “us”, or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use our website at taxwhizz.ai, our AI-powered tax intelligence platform, and any associated services (collectively, the “Service”).
This Privacy Policy is issued in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). Please read this policy carefully to understand our practices regarding your personal data.
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our Service.
2. Data Controller
The data controller responsible for your personal data is:
- Company: TaxWhizz.ai Ltd
- Registered in: England & Wales
- Email: privacy@taxwhizz.ai
If you have any questions about this Privacy Policy or our data practices, please contact us at privacy@taxwhizz.ai.
3. Information We Collect
We collect and process the following categories of personal data:
3.1 Information You Provide Directly
- Account Registration Data: When you create an account, we collect your full name, email address, and password (stored in hashed form). If you register via a third-party authentication provider (such as Google OAuth), we receive your name and email address from that provider.
- Profile Information: Any additional information you voluntarily add to your account profile, such as a display name or profile picture.
- Chat Content: The messages, queries, and prompts you submit through our AI tax chat interface, including any personal or financial information you choose to include in your questions.
- Tax Calculation Inputs: Data you enter into our tax calculators, including but not limited to income figures, expense amounts, property values, capital gains data, dividend income, pension contributions, and other financial information necessary to perform tax calculations.
- Payment Information: When you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your full credit or debit card details on our servers. We receive and store a transaction reference, the last four digits of your card, card type, and billing address for record-keeping purposes.
- Communications: Any correspondence you send to us via email, support tickets, or feedback forms, including your name, email address, and the content of your message.
3.2 Information Collected Automatically
- Usage Data: We automatically collect information about how you interact with our Service, including pages visited, features used, buttons clicked, time spent on pages, navigation paths, search queries, and the date and time of your visits.
- Device and Technical Data: We collect information about the device and browser you use to access our Service, including your IP address, browser type and version, operating system, device type, screen resolution, language preferences, and referring URL.
- Log Data: Our servers automatically record information when you access our Service, including your IP address, access times, pages viewed, and system activity.
- Cookies and Similar Technologies: We use cookies, local storage, and similar tracking technologies to collect information about your browsing activity. For full details, please see our Cookie Policy.
3.3 Information from Third Parties
- Authentication Providers: If you sign in using a third-party service (e.g., Google), we receive your name and email address as authorised by you through that provider.
- Payment Processor: Stripe may provide us with transaction confirmations, payment status updates, and limited card information as described above.
4. Lawful Basis for Processing
Under the UK GDPR, we must have a valid lawful basis to process your personal data. We rely on the following legal bases depending on the specific processing activity:
4.1 Performance of a Contract (Article 6(1)(b))
We process your account registration data, chat content, calculation inputs, and payment information as necessary to perform our contract with you, namely to provide you with access to the TaxWhizz.ai platform and its features, process your subscription, deliver AI-powered tax guidance, and run tax calculations on your behalf.
4.2 Consent (Article 6(1)(a))
We rely on your consent to:
- Set non-essential cookies (analytics, marketing, and functional cookies) on your device;
- Send you marketing communications and newsletters (where you have opted in);
- Process any special category data you voluntarily provide in chat or calculator inputs.
You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
4.3 Legitimate Interests (Article 6(1)(f))
We process certain data based on our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include:
- Improving and optimising our Service, including AI model quality and accuracy;
- Detecting, preventing, and addressing fraud, security incidents, and technical issues;
- Understanding how users interact with our Service through analytics;
- Ensuring network and information security;
- Administering our business, including financial reporting and internal record-keeping.
4.4 Legal Obligation (Article 6(1)(c))
We may process your data where necessary to comply with a legal obligation to which we are subject, such as retaining financial transaction records for tax and accounting purposes, or responding to lawful requests from regulatory authorities.
5. How We Use Your Data
We use the personal data we collect for the following purposes:
- Service Delivery: To create and manage your account, authenticate your identity, provide access to our platform features, process your AI chat queries, and execute tax calculations.
- Payment Processing: To process subscription payments, manage billing cycles, handle upgrades, downgrades, and cancellations, and issue invoices and receipts.
- Service Improvement: To analyse usage patterns, identify bugs and performance issues, improve the accuracy of our AI models, and develop new features and functionality.
- Communication: To send you service-related notifications (such as account confirmations, security alerts, subscription changes, and support responses), and, where you have opted in, marketing communications.
- Security and Fraud Prevention: To monitor for and prevent unauthorised access, detect suspicious activity, protect against abuse, and maintain the integrity and availability of our Service.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes, including responding to court orders or lawful government requests.
- Analytics and Research: To generate aggregated, anonymised insights about usage trends and Service performance. Anonymised data is not personal data under UK GDPR.
6. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are:
- Account Data (name, email, profile information): Retained for the duration of your active account plus two (2) years following account closure or deletion. This allows us to handle any post-closure enquiries and comply with legal record-keeping requirements.
- Chat History (AI chat messages and responses): Retained for two (2) years from the date of creation, after which it is permanently deleted.
- Calculation Data (tax calculator inputs and results): Retained for one (1) year from the date of creation, after which it is permanently deleted.
- Payment Records (transaction references, invoices): Retained for seven (7) years in accordance with HMRC requirements and applicable financial regulations.
- Usage and Log Data: Retained for up to twelve (12) months from the date of collection.
- Cookies: Retention periods vary by cookie type. Please see our Cookie Policy for specific details.
- Marketing Consent Records: Retained for the duration of your account plus three (3) years to demonstrate compliance with PECR and UK GDPR consent requirements.
When personal data is no longer required, we securely delete or anonymise it. Anonymised data may be retained indefinitely for statistical and analytical purposes.
7. Data Sharing and Third-Party Processors
We do not sell your personal data to third parties. We share your data only in the following circumstances and with the following categories of recipients:
7.1 Third-Party Service Providers (Data Processors)
We engage trusted third-party service providers who process personal data on our behalf and under our instructions. These processors are contractually bound to use your data only for the purposes we specify and to implement appropriate security measures. Our key processors include:
- Stripe, Inc.: Processes payment transactions, subscription management, and billing. Stripe acts as both a data processor (processing on our instructions) and an independent data controller for its own fraud prevention and legal compliance purposes. Stripe’s privacy policy is available at stripe.com/privacy.
- Cloud Hosting Providers: We use cloud infrastructure services to host our platform, databases, and application servers. Data is stored on servers located within the United Kingdom or European Economic Area (EEA) where possible.
- AI Service Providers (Anthropic / OpenAI): Your chat queries are processed by third-party AI providers to generate responses. We transmit the content of your queries (which may include personal or financial information you have entered) to these providers via secure, encrypted API connections. These providers process data under strict data processing agreements that prohibit them from using your data for their own model training purposes.
7.2 Legal and Regulatory Disclosures
We may disclose your personal data if required to do so by law or in response to valid legal process, including:
- Court orders or subpoenas;
- Requests from law enforcement or regulatory authorities;
- To protect our rights, property, or safety, or the rights, property, or safety of others;
- To investigate or prevent suspected fraud, security breaches, or violations of our Terms of Service.
7.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.
8. International Data Transfers
Some of our third-party service providers, including AI providers and certain cloud infrastructure components, may be located outside the United Kingdom. Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements, including:
- UK International Data Transfer Agreement (IDTA): We enter into the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses (SCCs) with recipients located in countries that have not received an adequacy decision from the UK Secretary of State.
- Adequacy Decisions: Where the UK has recognised a country as providing an adequate level of data protection, transfers may take place on the basis of that adequacy decision.
- Supplementary Measures: Where necessary, we implement additional technical and organisational measures to ensure the transferred data receives an essentially equivalent level of protection, including encryption in transit and at rest, access controls, and contractual obligations.
You may request details of the specific safeguards applied to international transfers of your personal data by contacting us at privacy@taxwhizz.ai.
9. Your Rights as a Data Subject
Under the UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us at privacy@taxwhizz.ai. We will respond to your request within one (1) month, which may be extended by a further two (2) months where necessary, taking into account the complexity and number of requests.
9.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed and, where that is the case, to request a copy of your personal data together with information about the processing, including the purposes, categories of data, recipients, retention periods, and the source of the data.
9.2 Right to Rectification (Article 16)
You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data. You can update most of your account information directly through your account settings.
9.3 Right to Erasure (Article 17)
You have the right to request the deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent (and there is no other legal basis for processing), or where you object to processing and there are no overriding legitimate grounds. Please note that we may be required to retain certain data to comply with legal obligations.
9.4 Right to Data Portability (Article 20)
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance, where the processing is based on consent or contract and is carried out by automated means.
9.5 Right to Restriction of Processing (Article 18)
You have the right to request the restriction of processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where the processing is unlawful but you oppose erasure, or where you have objected to processing pending verification of our legitimate grounds.
9.6 Right to Object (Article 21)
You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing immediately. Where you object to processing based on legitimate interests, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
9.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Our AI-powered tax guidance is provided as informational assistance only and does not constitute automated decision-making that produces legal effects. However, if you believe any automated processing has significantly affected you, please contact us to discuss.
9.8 Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw that consent at any time. You can withdraw consent for cookies through our cookie consent tool, unsubscribe from marketing emails using the link provided in each email, or contact us at privacy@taxwhizz.ai.
9.9 Right to Lodge a Complaint
If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience, analyse usage, and support our marketing efforts. For comprehensive information about the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.
11. Children’s Privacy
Our Service is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from children under 18. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at privacy@taxwhizz.ai. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include but are not limited to:
- Encryption: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). Sensitive data at rest is encrypted using industry-standard encryption algorithms.
- Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis. We implement role-based access controls and multi-factor authentication for administrative access.
- Password Security: User passwords are hashed using bcrypt with appropriate salt rounds and are never stored in plain text.
- Infrastructure Security: Our cloud infrastructure is configured with firewalls, intrusion detection systems, and regular security patching.
- Regular Testing: We conduct regular security assessments, vulnerability scanning, and penetration testing of our systems.
- Incident Response: We maintain a data breach response plan and will notify you and the ICO of any qualifying personal data breach in accordance with UK GDPR requirements (within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights and freedoms).
While we take all reasonable precautions, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data.
13. ICO Registration
TaxWhizz.ai Ltd is registered with the Information Commissioner’s Office (ICO) as a data controller in accordance with the Data Protection Act 2018. Our registration details are available on the ICO’s public register at ico.org.uk.
14. Third-Party Links
Our Service may contain links to third-party websites, services, or resources that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website with a revised “Last updated” date and, where appropriate, by sending you an email notification or displaying a prominent notice within our Service.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of our Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
- Email: privacy@taxwhizz.ai
- General Support: support@taxwhizz.ai
We aim to respond to all privacy-related enquiries within one (1) month of receipt.