Privacy Policy

Last updated: 1 April 2026

MTDPilot ("we", "us", "our") is committed to protecting the privacy of our users. This policy explains how we collect, use, store, and protect personal data when you use MTDPilot.

1. Who we are

MTDPilot is a UK-based software service that helps accountants manage Making Tax Digital compliance for their clients. Our contact email is hello@mtdpilot.co.uk.

2. What data we collect

We collect and process the following types of data:

• Accountant account data: name, email address, and hashed password when you create an account.
• Client data: client name, email, and phone number as entered by the accountant.
• Bank transaction data: transaction date, description, amount, and type (credit/debit), retrieved via Plaid's open banking service with the client's explicit consent.
• Gig platform earnings data: income summaries uploaded by the accountant from platforms such as Uber, Deliveroo, and Amazon Flex.
• Mileage records: date, distance, and description of business journeys as entered by the accountant.

3. How we collect data

• Directly from accountants: when they register, add clients, upload gig earnings data, or enter mileage records.
• Via open banking (Plaid): when a client authorises read-only access to their bank account through a secure link. The client must explicitly consent via their bank's authentication process (Strong Customer Authentication).

4. Why we process data (lawful basis)

• Consent: clients provide explicit consent when they connect their bank account via Plaid Link.
• Legitimate interest: accountants use MTDPilot to provide professional accounting services to their clients, including Making Tax Digital compliance.
• Legal obligation: data is processed to support HMRC reporting requirements under Making Tax Digital for Income Tax.

5. How we use data

We use the data to:

• Retrieve and display bank transaction data for accountants to review.
• Automatically categorise transactions for tax reporting purposes.
• Generate HMRC-ready quarterly reports.
• Calculate mileage expenses using HMRC simplified expense rates.
• Aggregate gig platform income for tax preparation.
• Flag likely personal expenses for accountant review.

6. Data sharing

We do not sell, rent, or share personal data with any third party for marketing or commercial purposes.

We share data only with:

• Plaid Inc: to facilitate open banking connections. Plaid acts as a data processor and is FCA-regulated. See Plaid's privacy policy.
• Hosting provider: our servers are hosted on managed infrastructure with encryption at rest and in transit.

7. Data security

• All data is transmitted over HTTPS (TLS 1.2 or higher).
• Passwords are hashed using bcrypt and are never stored in plain text.
• API credentials are stored as environment variables, never in source code.
• Bank account access is read-only. MTDPilot cannot initiate payments, transfers, or any changes to a bank account.
• Access to client data is restricted to the accountant who added the client.

8. Data retention

• Bank transaction data is retained for the duration of the accountant-client relationship and up to 5 years in line with HMRC record-keeping requirements.
• When an accountant deletes a client, all associated data (transactions, mileage, gig imports) is permanently deleted.
• Plaid access tokens are revoked when a client is removed.

9. Your rights

Under UK GDPR, you have the right to:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate data.
• Erasure: request deletion of your data.
• Restriction: request that we limit how we use your data.
• Portability: request your data in a machine-readable format.
• Object: object to our processing of your data.

To exercise any of these rights, contact us at hello@mtdpilot.co.uk. We will respond within 30 days.

10. Cookies

MTDPilot uses a session cookie to keep you logged in. This cookie is essential for the application to function and is not used for tracking or advertising. No third-party cookies are used.

11. Open banking consent

When a client connects their bank account, they are redirected to their bank's secure login page via Plaid. They must authenticate using their bank's own security measures (Strong Customer Authentication). Under current open banking regulations, this consent is valid for 90 days, after which the client must re-authorise.

12. Children

MTDPilot is not intended for use by anyone under the age of 18.

13. Changes to this policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated date. We encourage you to review this policy periodically.

14. Contact

If you have any questions about this privacy policy or how we handle your data, please contact us:

• Email: hello@mtdpilot.co.uk
• Website: mtdpilot.co.uk

15. Supervisory authority

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.