We use data to provide Kountr
Account, business, tax, transaction, document, billing, and HMRC data powers the service.
This policy explains what Kountr collects, where it comes from, why we use it, who receives it, and how you can exercise your UK data-protection rights.
Last updated: 12 July 2026
Account, business, tax, transaction, document, billing, and HMRC data powers the service.
You connect through HMRC, review information, and confirm submissions or corrections.
We use encryption, account-scoped controls, and limited access to protect financial and tax data.
Kountr is a bookkeeping and Making Tax Digital for Income Tax service operated by Kountr Limited, company number 02994226, whose registered office is 6 Ridgeway, Epsom, Surrey, KT19 8LB. Kountr Limited is the controller of the personal data described in this policy. You can contact us at privacy@kountr.co.uk.
Account and contact data: name, email address, authentication details, preferences, and support communications.
Identity and tax data: National Insurance number, Self Assessment Unique Taxpayer Reference, HMRC business identifiers, ITSA status, and tax years.
Business and financial data: business and property details, income, expenses, transactions, invoices, clients, assets, bookkeeping entries, and tax calculations.
Employment and whole-person tax data: employment history and identifiers, PAYE and pension income, relevant benefits, tax deducted or refunded, National Insurance information, losses, allowances, and adjustments held by HMRC.
Documents: receipts, statements, invoices, and other files you upload, together with information extracted from them.
HMRC connection and submission data: encrypted OAuth tokens, permissions, obligations, request and response records, submission identifiers, read-backs, and audit information.
Billing data: plan, subscription and Stripe customer references, billing status, and limited payment-related records. Kountr does not receive full card details.
Technical and security data: IP address, device and browser information, timestamps, logs, and information needed for HMRC fraud-prevention headers.
Most information comes from you when you create an account, enter or import records, upload files, use a feature, contact us, or authorise a submission. We also create information from your use of Kountr, such as calculations, categorisation suggestions, logs, and submission records.
When you connect HMRC through Government Gateway, HMRC supplies connection credentials and may return business, obligation, employment, income, tax, National Insurance, calculation, and other Self Assessment information within the permissions you granted. Payment and email providers return limited service-status information to us. Your browser and network provide technical data.
The precise basis may depend on the feature and circumstances. We do not sell personal data or use tax and financial records to build advertising profiles.
HMRC access begins only after you authorise Kountr through HMRC's OAuth journey.
Within Kountr's supported scope, we use HMRC APIs to identify linked self-employment and UK non-FHL property businesses; read obligations and ITSA status; send and read back business updates; handle business-source adjustments, losses, and related tax-liability adjustments; request and retrieve calculations; and make a final declaration after your confirmation.
We also retrieve HMRC-held whole-person information about employment, income, tax, and National Insurance so you can review the figures used in your tax position. Supported employment information can be created, reviewed, corrected, or deleted through Kountr. Kountr's initial 14-API scope does not cover every Self Assessment income source, relief, or specialist case.
HMRC OAuth access and refresh tokens are encrypted before storage. We use them for authorised HMRC requests, including status and obligation synchronisation, until the connection ends or the tokens expire or are revoked.
HMRC requires software such as Kountr to send fraud-prevention headers with applicable API requests. These can include a persistent device identifier, IP addresses, browser and device information, screen and window sizes, timezone, timestamps, and details about how the request reached Kountr. Kountr and its hosting environment also supply server and vendor information required by HMRC.
The browser identifier is stored in a cookie named kountr_device_id. This information is sent to HMRC for applicable features and is necessary to use those features; it is not used for advertising. See HMRC's fraud-prevention guidance.
When you use an AI-assisted feature, Kountr may send relevant information to Anthropic. Depending on the feature, this can include transaction descriptions and amounts, receipt or document contents, categories, business context, submission figures, and report data. We limit the information sent to what is needed to provide the requested suggestion, extraction, or report.
AI output can be incomplete or wrong. Categorisations, extracted fields, summaries, and reports are suggestions or drafts for you to review. You remain responsible for checking your records and tax submissions. Kountr does not use AI to make solely automated decisions about you that produce legal or similarly significant effects.
Kountr uses Supabase for database, authentication, and file-storage services and Railway to run the application. We use encrypted connections, provider encryption at rest, additional encryption for HMRC tokens, account-scoped access controls, and access limited to people and systems that need it. No internet service can guarantee absolute security.
Our providers may process or support personal data from the UK, the EEA, the United States, or other countries depending on the service configuration and support location. Where personal data is transferred outside the UK without UK adequacy regulations, we require an appropriate safeguard, such as the UK International Data Transfer Agreement, the UK Addendum to approved standard contractual clauses, or another lawful transfer mechanism, together with risk-based technical and organisational measures where appropriate. You can ask us for more information about safeguards relevant to your data.
When you delete your account, Kountr removes the live account and associated application records and attempts to cancel an active Stripe subscription. Some information may remain where the law requires it, a provider must retain its own billing or anti-fraud record, or data remains temporarily in secure backups or deletion queues. Uploaded files are held in managed object storage and may follow a separate deletion cycle; contact privacy@kountr.co.uk if you want us to verify removal. Deleting Kountr does not delete records already held by HMRC.
Kountr uses cookies and similar browser storage needed for authentication, security, HMRC compliance, and user preferences. We do not use these cookies for third-party behavioural advertising.
sb-*Supabase authentication cookies used to keep you signed in and protect your session.kountr_device_idA persistent random identifier used for HMRC fraud-prevention device identification.kountr_selected_tax_yearStores the tax year you selected for convenience.Blocking necessary cookies may prevent sign-in or HMRC features from working. Your browser controls let you remove stored cookies.
Ask for access to the personal data we hold about you.
Ask us to correct inaccurate or incomplete data.
Ask us to erase data, subject to legal and operational retention requirements.
Restrict or object to certain processing where the law gives you that right.
Receive eligible data in a structured, commonly used, machine-readable format.
Withdraw consent where a particular activity relies on consent; this does not affect earlier lawful processing.
Rights depend on the circumstances and exemptions may apply. To make a request, email privacy@kountr.co.uk. We normally respond within one month and may need to verify your identity. You may also complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint. We would appreciate the opportunity to address your concern first.
We may update this policy when Kountr, our providers, or legal requirements change. We will update the date above and provide additional notice where a change materially affects you. Questions and requests should be sent to privacy@kountr.co.uk.
Learn more about Kountr