GDPR Compliance Statement
Simplicity Upload LTD is the data controller for personal data processed via this website and service. We comply with the UK GDPR and the Data Protection Act 2018.
Lawful bases
- Contract: to provide VAT submission services and your account.
- Legal obligation: to retain invoices and VAT submission records as required by law.
- Legitimate interests: to maintain service security, prevent fraud, and improve reliability.
Data we process
- Account details: name, email, phone, company and address
- VAT details: VRN, period dates, submission values, HMRC references
- Payments: invoice metadata via Stripe (we do not store full card numbers)
- Security: essential cookies, CSRF tokens, and device/session identifiers
Security & encryption
- SSL/TLS for data in transit; restricted access and secure storage
- Access/refresh tokens stored securely and deleted on account erasure
- Strong password policy and optional 2-factor authentication
Retention
- Account data: retained while your account is active
- Invoices & VAT submissions: retained as required by law (e.g., up to 6 years)
- Tokens: deleted when you disconnect HMRC or delete your account
Your rights
- Access, portability, rectification, erasure, restriction, and objection
- You can delete your account from the dashboard; we will anonymise your account and delete HMRC tokens while retaining legally required records
Contact & security reporting
Email: support@simplicity-upload.co.uk
Security contact: see /.well-known/security.txt on this site.
We will notify HMRC (SDSTeam@hmrc.gov.uk) and the ICO within 72 hours of becoming aware of any personal data breach, as required.