Privacy

How Kountr handles your data.

This policy explains what Kountr collects, where it comes from, why we use it, who receives it, and how you can exercise your UK data-protection rights.

Last updated: 12 July 2026

We use data to provide Kountr

Account, business, tax, transaction, document, billing, and HMRC data powers the service.

You control HMRC access

You connect through HMRC, review information, and confirm submissions or corrections.

We protect your records

We use encryption, account-scoped controls, and limited access to protect financial and tax data.

1. Who we are

Kountr is a bookkeeping and Making Tax Digital for Income Tax service operated by Kountr Limited, company number 02994226, whose registered office is 6 Ridgeway, Epsom, Surrey, KT19 8LB. Kountr Limited is the controller of the personal data described in this policy. You can contact us at privacy@kountr.co.uk.

2. Information we collect

Account and contact data: name, email address, authentication details, preferences, and support communications.

Identity and tax data: National Insurance number, Self Assessment Unique Taxpayer Reference, HMRC business identifiers, ITSA status, and tax years.

Business and financial data: business and property details, income, expenses, transactions, invoices, clients, assets, bookkeeping entries, and tax calculations.

Employment and whole-person tax data: employment history and identifiers, PAYE and pension income, relevant benefits, tax deducted or refunded, National Insurance information, losses, allowances, and adjustments held by HMRC.

Documents: receipts, statements, invoices, and other files you upload, together with information extracted from them.

HMRC connection and submission data: encrypted OAuth tokens, permissions, obligations, request and response records, submission identifiers, read-backs, and audit information.

Billing data: plan, subscription and Stripe customer references, billing status, and limited payment-related records. Kountr does not receive full card details.

Technical and security data: IP address, device and browser information, timestamps, logs, and information needed for HMRC fraud-prevention headers.

Most information comes from you when you create an account, enter or import records, upload files, use a feature, contact us, or authorise a submission. We also create information from your use of Kountr, such as calculations, categorisation suggestions, logs, and submission records.

When you connect HMRC through Government Gateway, HMRC supplies connection credentials and may return business, obligation, employment, income, tax, National Insurance, calculation, and other Self Assessment information within the permissions you granted. Payment and email providers return limited service-status information to us. Your browser and network provide technical data.

3. Why we use data and our lawful bases

Provide your account and bookkeeping toolsContractCreate and manage your account; import, organise, calculate, display, export, and report on your records.
Connect to HMRC and support MTDContract and legal obligationUse your HMRC authorisation to retrieve relevant records, check obligations, prepare and make user-confirmed updates, calculations, corrections, and declarations, and keep appropriate evidence.
Billing and service messagesContract and legitimate interestsManage subscriptions and send account, deadline, security, and service communications.
Security, support, and improvementLegitimate interestsPrevent abuse, diagnose faults, answer support requests, maintain auditability, and improve the reliability of Kountr, balanced against your rights.
Meet legal requirementsLegal obligationKeep records, respond to lawful requests, and meet tax, accounting, data-protection, and regulatory duties that apply to us.

The precise basis may depend on the feature and circumstances. We do not sell personal data or use tax and financial records to build advertising profiles.

4. HMRC access and submissions

HMRC access begins only after you authorise Kountr through HMRC's OAuth journey.

Within Kountr's supported scope, we use HMRC APIs to identify linked self-employment and UK non-FHL property businesses; read obligations and ITSA status; send and read back business updates; handle business-source adjustments, losses, and related tax-liability adjustments; request and retrieve calculations; and make a final declaration after your confirmation.

We also retrieve HMRC-held whole-person information about employment, income, tax, and National Insurance so you can review the figures used in your tax position. Supported employment information can be created, reviewed, corrected, or deleted through Kountr. Kountr's initial 14-API scope does not cover every Self Assessment income source, relief, or specialist case.

HMRC OAuth access and refresh tokens are encrypted before storage. We use them for authorised HMRC requests, including status and obligation synchronisation, until the connection ends or the tokens expire or are revoked.

5. HMRC fraud-prevention data

HMRC requires software such as Kountr to send fraud-prevention headers with applicable API requests. These can include a persistent device identifier, IP addresses, browser and device information, screen and window sizes, timezone, timestamps, and details about how the request reached Kountr. Kountr and its hosting environment also supply server and vendor information required by HMRC.

The browser identifier is stored in a cookie named kountr_device_id. This information is sent to HMRC for applicable features and is necessary to use those features; it is not used for advertising. See HMRC's fraud-prevention guidance.

6. AI-assisted features

When you use an AI-assisted feature, Kountr may send relevant information to Anthropic. Depending on the feature, this can include transaction descriptions and amounts, receipt or document contents, categories, business context, submission figures, and report data. We limit the information sent to what is needed to provide the requested suggestion, extraction, or report.

AI output can be incomplete or wrong. Categorisations, extracted fields, summaries, and reports are suggestions or drafts for you to review. You remain responsible for checking your records and tax submissions. Kountr does not use AI to make solely automated decisions about you that produce legal or similarly significant effects.

7. Storage, security, and sharing

Kountr uses Supabase for database, authentication, and file-storage services and Railway to run the application. We use encrypted connections, provider encryption at rest, additional encryption for HMRC tokens, account-scoped access controls, and access limited to people and systems that need it. No internet service can guarantee absolute security.

Service providers acting for Kountr

SupabaseDatabase, authentication, file storage, and related account infrastructure.
RailwayApplication hosting and server runtime.
AnthropicAI processing for features described below when you use them.
StripeSubscription billing, payment processing, and billing records.
ResendTransactional and service email delivery.

Other recipients

HMRCReceives authorised tax updates, declarations, identifiers, and required fraud-prevention information, and returns tax records and results.
Professional advisers and authoritiesOnly where needed to obtain advice, establish or defend legal rights, comply with law, or respond to a valid request.
A buyer or successorIf Kountr is reorganised, sold, or transferred, subject to confidentiality and data-protection safeguards.

8. International transfers

Our providers may process or support personal data from the UK, the EEA, the United States, or other countries depending on the service configuration and support location. Where personal data is transferred outside the UK without UK adequacy regulations, we require an appropriate safeguard, such as the UK International Data Transfer Agreement, the UK Addendum to approved standard contractual clauses, or another lawful transfer mechanism, together with risk-based technical and organisational measures where appropriate. You can ask us for more information about safeguards relevant to your data.

9. Retention and account deletion

Account and bookkeeping recordsKept while your account is active and afterwards only for as long as needed to provide exports, resolve queries, meet tax or accounting duties, or establish and defend legal claims.
HMRC connections and tax recordsOAuth tokens are kept while the connection is active or needed to complete an authorised journey. Submission, calculation, read-back, and audit records may be retained for the relevant statutory record-keeping and dispute periods.
Billing recordsKept for subscription administration and for the tax, accounting, chargeback, fraud-prevention, and legal periods that apply. Stripe may retain records under its own legal duties.
Support, security, and operational logsKept for periods proportionate to investigating incidents, preventing abuse, supporting users, and maintaining reliable audit trails, then deleted or anonymised where appropriate.
Uploaded filesKept while linked to your account or records and then removed through our deletion processes, subject to technical recovery and backup cycles.
BackupsMay persist for a limited recovery cycle after live data is deleted and are then overwritten or removed under the relevant provider's backup process.

When you delete your account, Kountr removes the live account and associated application records and attempts to cancel an active Stripe subscription. Some information may remain where the law requires it, a provider must retain its own billing or anti-fraud record, or data remains temporarily in secure backups or deletion queues. Uploaded files are held in managed object storage and may follow a separate deletion cycle; contact privacy@kountr.co.uk if you want us to verify removal. Deleting Kountr does not delete records already held by HMRC.

10. Cookies

Kountr uses cookies and similar browser storage needed for authentication, security, HMRC compliance, and user preferences. We do not use these cookies for third-party behavioural advertising.

sb-*Supabase authentication cookies used to keep you signed in and protect your session.
kountr_device_idA persistent random identifier used for HMRC fraud-prevention device identification.
kountr_selected_tax_yearStores the tax year you selected for convenience.

Blocking necessary cookies may prevent sign-in or HMRC features from working. Your browser controls let you remove stored cookies.

11. Your rights

Ask for access to the personal data we hold about you.

Ask us to correct inaccurate or incomplete data.

Ask us to erase data, subject to legal and operational retention requirements.

Restrict or object to certain processing where the law gives you that right.

Receive eligible data in a structured, commonly used, machine-readable format.

Withdraw consent where a particular activity relies on consent; this does not affect earlier lawful processing.

Rights depend on the circumstances and exemptions may apply. To make a request, email privacy@kountr.co.uk. We normally respond within one month and may need to verify your identity. You may also complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint. We would appreciate the opportunity to address your concern first.

12. Updates and contact

We may update this policy when Kountr, our providers, or legal requirements change. We will update the date above and provide additional notice where a change materially affects you. Questions and requests should be sent to privacy@kountr.co.uk.

Learn more about Kountr