Privacy Statement - TaxReturned

PRIVACY POLICY

Contents

INTRODUCTION
CONTACT DETAILS
CHANGES TO THIS POLICY OR YOUR INFORMATION
INFORMATION WE COLLECT ABOUT YOU
HOW WE COLLECT YOUR INFORMATION
PURPOSES FOR WHICH WE WILL PROCESS YOUR INFORMATION
LEGAL GROUNDS FOR USING YOUR DATA
SHARING YOUR INFORMATION
DIGITAL TAX RECORDS
AUTOMATED DECISION MAKING AND PROFILING
MARKETING
COMPLETING YOUR APPLICATION
SERVICE MESSAGES
COOKIES
CHANGE OF PURPOSE
INTERNATIONAL TRANSFERS
DATA SECURITY
OUR DATA RETENTION POLICY
YOUR LEGAL RIGHTS
GLOSSARY

INTRODUCTION

At Tax Returned Limited we are committed to protecting the privacy of our customers and potential customers in all circumstances. This privacy policy explains how we collect and deal with your personal information, otherwise called personal data, when you use our services or website. Please review this policy and do not share your information with us unless you agree with this policy.

Our services and website are not intended to be used by children (meaning anyone under the age of 18), and we do not knowingly collect information relating to children.

It is important you read this policy together with any other privacy policy or fair processing notice we may provide on specific occasions when collecting or processing your personal data so that you are fully aware of how and why we are using your data. If you provide us with data relating to any other person you should inform them of this policy, although we will make reasonable efforts to contact any such person directly to refer them to this policy. This policy supplements any other applicable notices and does not override them.

We have appointed a Data Protection Manager who is responsible for responding to any questions or requests in relation to this policy. If you have any questions about this policy, including any requests to exercise any legal rights relating to data, please contact the Data Protection Manager using the details set out below.

CONTACT DETAILS

We are Tax Returned Limited, an English company number 08828062. Our postal address is PO Box 68031, London NW4 9JB.

You can contact our Data Protection Manager by emailing dataprotection@taxreturned.co.uk.

CHANGES TO THIS POLICY OR YOUR INFORMATION

This policy was updated on 12 January 2021.

It is important that the information that we hold about you is accurate and current. Please keep us informed of any changes to your details during your relationship with us.

We routinely update this policy to clarify our practices and to reflect new or different privacy practices, such as when we add new services, functionality, or features. We will contact you to inform you of any significant updates. However, you should also check back here periodically.

INFORMATION WE COLLECT ABOUT YOU

We collect and use certain information relating to you and your use of our services or any version of our website (which might be accessed through different device types) as follows:

  • Analytics data which includes cookies, user identifiers, and advertising identifiers.
  • Contact data which includes postal address, email address, and telephone number.
  • Employment data which includes employment history, sector, and job title.
  • Financial data which includes bank details and transaction data.
  • Identity verification data which includes nationality, place of birth, sex, photo, driver’s licence details, passport number, driver’s licence number, next of kin, relatives, spouse, civil partner, place of birth, place of death, nature of death, time of death, officiating persons, witnesses, and contact details of mentioned persons.
  • Identity data which includes first name, last name, former names, title, date of birth, National Insurance number, Unique Tax Reference number, customer reference number, IP address and marriage or civil partnership status.
  • Pension data which includes details of pension contributions, state pension and name of pension fund.
  • Preferences data which includes marketing, prize draw, and communication preferences.
  • Technical data which includes login details and authentication tokens.
  • Trade union data which includes name of union and membership fees.
  • Tax data which includes income, tax paid, tax expenses, tax account balance, source of income, and student loan repayments.

The only special category of personal data that we will collect from you is trade union data, and possibly data related to your marriage/civil partner status (the former only if you consent to us using that data to pursue a refund for any relevant trade union fees). We do not collect any other types of special category data from customers. If you inadvertently or intentionally provide us with other special category data, we will consider you to have explicitly consented to us processing that data to delete it.

HOW WE COLLECT YOUR INFORMATION

We use different methods to collect your data, including:

  • Direct interactions with you. You may give us your data when you use our website, fill in forms, or correspond with us by post, phone, or email. This includes the data you provide when you:
    • Apply for a tax refund
    • Contact us
    • Enter additional expenses for your claim
  • Automated interactions with you. We may automatically collect Analytics data about your equipment, browsing actions and patterns when you use our website. We collect this information using cookies, server logs, and other similar technologies. Please see our cookie policy https://www.taxreturned.co.uk/cookies/ for further details.
  • Direct or automated interactions with third parties
    • We may receive your data from HMRC as set out in the DIGITAL TAX RECORDS section below as well as via general correspondence.
    • We may receive your data from payment processors when making or receiving your payments.

PURPOSES FOR WHICH WE WILL PROCESS YOUR INFORMATION

We will process your information to:

  • process your application for our services
  • process your claim
  • annually review your tax affairs (if you connect your Personal Tax Account to our HMRC Agent Account) and inform you of our findings
  • process payments and fees
  • notify you about changes to our privacy policy and our terms and conditions
  • ask you to leave a review or take a survey (and where necessary, respond to your feedback)
  • maintain our business and website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and data hosting)
  • use analytics to improve our website, services and customer service
  • maintain records of your file for the exercise and defence of legal claims
  • comply with legislation, law enforcement, and regulatory bodies

LEGAL GROUNDS FOR USING YOUR DATA

We rely on the following legal bases for processing your personal data:

  • Consent: We will process your data where you give us your informed consent (you may withdraw this consent at any time).
  • Contract: We will process your data to enter and perform our contract with
  • Legal Obligations: We will process your data where we are legally obliged to do
  • Legitimate Interests: We will process your data where we have a legitimate interest in doing so (this may include using third parties for the provision of business services and analytics).

Generally, we will use contract as the legal basis for processing your personal data. Sometimes we rely on legitimate interests – such as processing analytics data to improve our business services and/or processes.

Whenever we process special category personal data – such as trade union data – we will obtain specific consent from you to do so.

The table below indicates which legal bases we rely on when processing different categories of personal data.

| Type of Data | Legal basis or bases for processing |
| --- | --- |
| Analytics data | Legitimate interests |
| Contact data | Consent, Contract, Legitimate interests |
| Employment data | Consent, Contract, Legitimate interests |
| Financial data | Contract, Legitimate interests |
| Identity data | Consent, Contract, Legitimate interests |
| Identity verification data | Consent, Contract, Legitimate interests |
| Preferences data | Contract, Legitimate interests |
| Tax data | Consent, Contract, Legitimate interests |
| Technical data | Consent |
| Trade union data | Consent |

We will also process any of your personal data that is necessary for us to comply with our legal obligations (see GLOSSARY for more information).

For more information regarding our bases for processing your personal data or to find out why we use a particular basis for processing a specific category of data, please email us at dataprotection@taxreturned.co.uk.

SHARING YOUR INFORMATION

We use several carefully selected data processors to help us manage our services. These include printing and postal delivery companies whom we use to distribute our claim packs. Please note some of these companies are data controllers with their own responsibilities. For more information on our third-party data processors please see the GLOSSARY.

We require all third parties to respect the security of your information and treat it in accordance with the law. We do not allow our third-party processors to use your information for their own purposes and we only permit them to deal with your information for specified purposes and in accordance with our instructions.

We may share your information with third parties in the event that we sell, transfer, or merge parts of our business or our assets. Alternatively, we may acquire other businesses or merge with them. If a change happens to our business, the new owners may use your information in the same way as set out in this privacy policy.

DIGITAL TAX RECORDS

HMRC has digitised some tax records through its Making Tax Digital programme. HMRC has also created several digital services, including the Personal Tax Account, to help you manage your tax details online. In this section, we will outline how and why we will use these digital tax records to perform our services.

Personal Tax Account

A Personal Tax Account (PTA) is an HMRC service that allows you to view and manage your tax details online. We will invite you to connect your PTA to our HMRC agent account, enabling us to view some of your digital tax records. Our Data Retention Policy details our retention periods for the information we collect during this process.

We are obliged by HMRC to conduct certain basic checks to assess the merits of your claim before we submit it to HMRC. The most effective way for us to complete these checks is to connect your PTA to our agent account. Once connected, we will use the information within your PTA to determine whether to submit your claim. We will also use this access annually to review your tax details and contact you to let you know the outcome of this review.

You can remove our access to your PTA at any time by emailing us at connect@taxreturned.co.uk or by logging in to your PTA and removing our access directly.

HMRC Agent Account

An agent account is an HMRC service that allows an agent, like us, to view customers’ tax details if authorised to do so. You can authorise us to view some of your tax details through your PTA as set out above. Alternatively, you can authorise us to view some details by signing a Tax Agent Authority.

Self-Assessment Pre-population APIs

The Self-Assessment Pre-population APIs are a set of Application Programming Interfaces (APIs) that HMRC created to allow agents to access certain tax details (including historical data) online. You can authorise us to access your tax details through the Self-Assessment Pre-population APIs by signing a Tax Agent Authority. We will use these APIs to understand your tax status and investigate any potential overpaid tax.

Making Tax Digital APIs

The Making Tax Digital APIs are a set of Application Programming Interfaces (APIs) that HMRC created to allow agents, like us, to access certain tax details (including historical data) online. You can authorise us to access your tax details through the Making Tax Digital APIs by connecting your Personal Tax Account to our agent account. We may use these APIs to understand your tax status and investigate any potential overpaid tax.

AUTOMATED DECISION MAKING AND PROFILING

We are obliged by HMRC to assess the merit of your claim before we submit your claim to HMRC. If you do not grant us access to your digital tax records, we will use alternative methods to verify the merit of your claim before submitting it to HMRC. We will process your data to create a temporary profile and compare your claim to those claims previously submitted on behalf of other customers. We will then make an automated assessment of your profile to decide whether to submit your claim to HMRC.

There are specific laws that govern automated decision making and profiling. While we do not believe that this processing has legal effects or significantly affects you, we are treating it as though it does because your privacy is important to us. Therefore:

  1. You can opt out of the temporary profiling. Please understand that if you also refuse to grant us access to your digital tax records, we cannot pursue a claim on your behalf, and we will terminate your contract.
  2. If you are unhappy with an automated decision not to file your claim based on your temporary profile, you may request a manual review of your claim.

To opt out of profiling or to request a manual review, please contact dataprotection@taxreturned.co.uk.

MARKETING

We rely on explicit opt-in consent for marketing, in compliance with both the PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) and the Data Protection Act 2018. If you consent to receiving marketing from us, we may contact you about additional services that we provide.

You may opt out of marketing communications at any time by utilising the opt-out links on marketing communications, or by contacting us at info@taxreturned.co.uk. If you opt out of marketing communications, you will continue to receive service communications related to your ongoing contract.

We use pixels to identify social media traffic. Pixels show us which pages you have visited on our website, and we use this information to create custom marketing audiences on social media. We may market our services on Facebook, Instagram, Google, Bing, Twitter, LinkedIn, Pinterest, TikTok, or Snapchat. To opt out of the pixel on those platforms you will need to go through the marketing preferences sections on those platforms.

COMPLETING YOUR APPLICATION

When you begin an application on our website but do not complete it, we retain the data that you provide to us for the purpose of allowing you to resume your application at a later date. We will delete this data 30 days from the date on which you began your application.

If you visit our website and begin the application process but do not complete it, we may send you a maximum of three reminders (these may be by SMS or email) containing a digital link to return and finish your application from where you left off. The link to complete your application will expire 30 days from the date on which you began your application on our website.

SERVICE MESSAGES

We may send you service messages related to your claim. Service messages may include invoices and reminders. You may receive service messages whether you have consented to marketing communications or not.

COOKIES

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, some parts of the website may become inaccessible or not function properly. For more information about the cookies we use, please see: https://www.taxreturned.co.uk/cookies/.

CHANGE OF PURPOSE

We will only use your information for the purposes for which we collected it. However, we may use it for another purpose if that purpose is compatible with the original purpose. If you believe that we are using your data for a purpose other than the one for which we originally collected it, please contact us at dataprotection@taxreturned.co.uk for a full explanation.

If we need to use your information for an unrelated purpose, we will notify you and explain the legal reason which we believe allows us to use it for that purpose.

Please note that where we have a legal requirement to do so, we may process your information without your knowledge or consent, in compliance with the above rules.

INTERNATIONAL TRANSFERS

We may share your personal data with some of our employees and contractors who may be outside of the United Kingdom (UK). They may be:

  • in countries outside the UK which the Information Commissioner’s Office (the data regulator in the UK) has confirmed have adequate data laws to protect your personal data there as it would be protected in the UK; or
  • in countries outside the UK which the Information Commissioner’s Office (the data regulator in the UK) has not confirmed have adequate data laws to protect your personal data there as it would be protected in the UK. In this case, we will only share your personal data under standard contractual clauses approved by the Information Commissioner’s Office which ensures through a contract we have with those employees and contractors (rather than through the law of that country) that your data is subject to the same protections it would receive within the UK. That contract also gives you rights against any third party contractors.

DATA SECURITY

We have put in place appropriate technical and security measures to prevent accidental loss, unauthorised use, access, alteration, or disclosure of your information. In addition, we limit access to your information to those employees, agents, contractors and other third parties who have a business need to know. They will only process such information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected breach of security. We will notify you and any applicable regulator of a breach where we have a legal requirement to do so.

OUR DATA RETENTION POLICY

We are legally obliged for anti-financial crime purposes to retain customer information for five years after the end of our business relationship with you. We may retain information for a further year (to a total of six) from the end of our contract with you for the exercise and defence of legal claims. Please visit our Data Retention policy for further information.

You have the right to request erasure of your information in certain circumstances: see the Request Erasure section in the Glossary below for further details.

We may anonymise your information in some circumstances for research or statistical purposes. Anonymised data is no longer considered personal data and therefore we may use this information indefinitely without providing you with further notice.

YOUR LEGAL RIGHTS

You have legal rights in relation to your personal data under certain circumstances.

  • Your right to request access to your data.
  • Your right to request correction of your data.
  • Your right to request erasure of your data.
  • Your right to object to processing of your data.
  • Your right to request restricted processing of your data.
  • Your right to request a transfer of your data.
  • Your right to withdraw consent.

Please see the Glossary for details about each of these. If you wish to exercise any of these rights, please contact us at dataprotection@taxreturned.co.uk.

No fees: You will not ordinarily have to pay a fee to exercise any of the rights listed above. However, we may charge a reasonable fee if we consider your request to be unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Confirming your identity: We may request a copy of your photographic identification from you to help us confirm your identity in the event you choose to exercise any of the rights above. This is a security measure to ensure the confidentiality of your data.

Clarification: We may contact you to ask for clarification in relation to your request if we do not understand the scope or the substance of your request.

Time limits: We will respond to all requests to exercise the above rights within one month. If we believe we need more time because your request is complex or you have made several requests, we will notify you of this and keep you updated.

GLOSSARY

REGULATIONS

Data Protection Act 2018 or DPA 2018 means the Data Protection Act 2018 which implements the UK GDPR. The DPA 2018 gives people specific rights and controls regarding their personal data.

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act 2018. PECR gives people specific privacy rights in relation to electronic communications (and particularly electronic marketing communications).

TECHNOLOGY

Pixel means a single pixel embedded in the code of a website or piece of digital content. The pixel ‘fires’ when the content loads. The owners of the pixel can see how many times and where users have accessed their content.

LAWFUL BASIS

Consent means you have directly instructed or permitted us to process your data after we requested your consent and provided you with details of the processing.

Legitimate Interest means we are processing your data to improve our service in the interests of our business. We consider and balance our interests with any potential impact on you and your rights before we commence processing on this basis. You can obtain further information about our legitimate interests by contacting us at dataprotection@taxreturned.co.uk.

Contract means we are processing your data where it is necessary to enter or perform a contract with you.

Legal means we are processing your data to provide the legal and regulatory authorities with specific information they appropriately request from us within their legal authority and to help ensure we are combatting Fraud and Financial Crime or where it is in our legal interests to do so.

THIRD PARTIES

  • Data processors based in or out of the UK providing IT and business administration services to us who may process personal data on our behalf for those purposes.
  • Professional advisers based in the UK including lawyers, bankers, auditors, and insurers.
  • HM Revenue & Customs (HMRC), regulators and other UK authorities.

YOUR LEGAL RIGHTS

You have the right to:

  • Request access to your data. This is commonly known as a “data subject access request”, which allows you to receive a copy of the personal data we hold about you.
  • Request correction of your data. You can correct incomplete or inaccurate data we hold about you, although we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your data. You can ask us to delete your personal data when there is no overriding reason for us continuing to process it. You can also ask us to delete your data if you have objected to our processing, if we have processed your data unlawfully, or if we must erase your data to comply with local law. However, we may not be able to comply with your request for specific legal reasons, and if so we will notify you in our response to your request. We will also interpret an erasure request to mean you object to our processing of your data, and we will restrict our processing accordingly. Please also refer to our Data Retention policy.
  • Object to our processing of your data. You can ask us to stop processing your data where we are relying on a legitimate interest and you feel our processing impacts your fundamental rights and freedoms. You may also object where we are processing your data for direct marketing purposes. However, we may have compelling overriding legitimate grounds to process your data.
  • Report us to the Information Commissioner’s Office. You can lodge a complaint with the ICO if you believe that we have contravened the DPA 2018, the PECR, or any other applicable data privacy law. The ICO’s helpline is 0303 123 1113.
  • Request restriction of processing of your data. You can ask us to suspend our processing of your data if:
    • You want us to establish the accuracy of the data.
    • Our use of the data is unlawful, but you do not want us to erase it.
    • You need us to hold the data although we no longer need it, as you need the data to establish, exercise or defend legal claims.
    • You object to our use of the data, but we need to verify whether we have overriding legitimate grounds to continue processing it.
  • Request the transfer of your data. Where we have processed your data based on consent or contract and the processing is automated, we will provide you or your nominated third party with your data in a structured, commonly used, machine-readable format.
  • Withdraw consent at any time. This will not affect the lawfulness of any processing performed before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you and we will advise you if this is the case.