TradeKit™ Privacy Policy

Effective Date: 18 May 2026

1. Data Controller

TradeKit™ is operated by KIH Technologies Ltd, a company registered in England and Wales (company number 17214671). Registered office: 12 Itchen Close, Bettws, Newport, NP20 7AL. Registered with the UK Information Commissioner’s Office (ICO), registration number: C1946370. Data protection contact: support@tradekitapp.co.uk.

2. Data We Collect

We collect information necessary to provide trade management services:

• Account Info: Name, email address, trade type.
• Trade Data: Quotes, invoices, expenses, job records and customer contact details you input.
• Media: Photos of receipts or job sites uploaded to our secure storage (EXIF metadata is automatically stripped).
• Payment Data: Processed securely via Stripe. We do not store credit card numbers.
• Device Info: A random device identifier for session management (max 2 devices).
• Error Logs: Anonymised error messages to help us fix bugs. Personal data is automatically redacted.
• HMRC Integration Data (optional): If you connect your Government Gateway account to enable Making Tax Digital for Income Tax (MTD ITSA) submissions, we collect and store: your National Insurance Number (encrypted at rest with AES-256-GCM), your HMRC business identifier and trading name, OAuth access and refresh tokens (encrypted), and an audit log of submissions made on your behalf. This data is collected only after you authorise the connection and is deleted when you disconnect HMRC or delete your account.
• Two-Step Sign-in Data (optional): If you enable Two-Step Sign-in, we generate and store an encrypted TOTP secret (AES-256-GCM, separate encryption key from HMRC data), a counter that prevents reuse of one-time codes, hashed (one-way) recovery codes, and the timestamp and reference of your most recent challenge. We never see your authenticator app codes in plaintext after verification. Disabling Two-Step Sign-in or deleting your account erases all of this data within 24 hours.
• Fraud Prevention Headers: When you submit data to HMRC under MTD, HMRC requires us to send a set of technical headers describing your browser and device (timezone, screen size, public IP at the time of submission, browser user-agent). These are forwarded to HMRC for fraud-prevention purposes only and are not stored by us. This is mandated by HMRC and is not optional once you connect.

3. Lawful Basis for Processing

• Contract: Processing your trade data is necessary to provide the TradeKit service you signed up for.
• Legal Obligation / Contract: Where you connect TradeKit to HMRC under Making Tax Digital, the processing of your tax data is necessary for compliance with your statutory tax obligations and for the performance of the service you have requested.
• Legitimate Interest: Error logging and security measures to maintain service quality.
• Consent: Marketing communications (if you opt in).

4. How We Use Your Data

• To provide and maintain the TradeKit™ app and all its features.
• To calculate CIS deductions and VAT estimates (note: these are estimates only, not professional tax advice).
• To sync your data across your devices using Firebase.
• To process your Founder or Pro subscription payments via Stripe.
• To send you service-related emails (password resets, verification).
• To submit your authorised quarterly updates, end-of-period statements, and final declarations to HMRC under Making Tax Digital for Income Tax (MTD ITSA).
• To retrieve your business details, obligations, and tax calculations from HMRC on your authorisation.

5. Third-Party Processors and HMRC

Your data is shared with the following providers to make the app work:

• Google Firebase (Google LLC): Database hosting, authentication, file storage and App Check security. Data processed in accordance with Google Cloud terms. Privacy
• Stripe Inc: Payment processing and subscription management. Privacy
• postcodes.io (Ideal Postcodes): UK postcode lookups for address autofill. No personal data sent beyond the postcode entered.
• Google Fonts: Font delivery (your IP address may be logged by Google).
• OCR.space: Receipt text extraction for expense scanning. Only the receipt image is sent; no personal data is included. Privacy
• ipify: A public IP-address reflector service. Used at submission time to capture the public IP that HMRC requires in fraud prevention headers. Only your IP address is exchanged.
• TrueLayer (if Open Banking is connected): UK Open Banking provider used to import bank transactions you authorise. Privacy

HM Revenue & Customs (HMRC): When you authorise an MTD ITSA connection, we transmit data you have entered (income totals, allowable expenses by HMRC category, mileage claims, business details, and the fraud prevention headers HMRC mandates) to HMRC's Making Tax Digital APIs over encrypted connections (TLS 1.2+). HMRC is the data controller for the data they receive under their statutory authority. You can disconnect at any time from Settings, which revokes our access tokens and deletes your stored HMRC linkage data within 24 hours.

6. Data Retention

• Your account data is retained as long as your account is active.
• If you delete your account, all your data including jobs, quotes, expenses, media, error logs and feedback is permanently deleted.
• Error logs are retained for a maximum of 90 days.
• HMRC submission audit logs (date of submission, period covered, totals submitted) are retained for 7 years to meet HMRC record-keeping requirements, even after account deletion. Personal identifiers in these logs are pseudonymised after account deletion.
• HMRC OAuth access and refresh tokens, your encrypted NINO, and stored business details are deleted within 24 hours of you disconnecting the integration or deleting your account.

7. Your Rights (UK GDPR / Data Protection Act 2018)

You have the right to:

• Access: Request a copy of all data we hold about you (use "Download My Data" in Settings).
• Rectification: Update your profile information at any time in Settings.
• Erasure: Delete your account and all associated data (use "Delete Account" in Settings).
• Portability: Export your data in JSON format.
• Restriction: Contact us to restrict processing of your data.
• Object: Contact us to object to processing based on legitimate interest.
• Withdraw Consent: For any consent-based processing, withdraw at any time.
• Disconnect HMRC: You can revoke TradeKit's HMRC access at any time from Settings → HMRC → Disconnect, or directly from your Government Gateway account. Disconnecting does not delete your TradeKit account or the trade data you have entered.
• Disable Two-Step Sign-in: You can turn off Two-Step Sign-in at any time from Settings, providing a current authenticator code or recovery code to confirm. Your encrypted TOTP secret and recovery codes are deleted on disable.

8. Cookies & Local Storage

TradeKit uses browser localStorage (functionally equivalent to cookies) for:

• Essential: Authentication tokens, device ID, app settings. These are strictly necessary for the app to function.
• Functional: Dark mode preference, onboarding status.

We do NOT use tracking cookies or analytics cookies. The landing page uses a Google Ads conversion tag to measure ad campaign performance. This tag does not track your activity within the TradeKit app itself.

9. International Transfers

Firebase (Google) and Stripe may process data in the United States. The primary lawful basis for these transfers is the UK-US Data Bridge (also called the UK Extension to the EU-US Data Privacy Framework), which is the UK Government’s adequacy arrangement for personal data transfers to certified US organisations. Both Google and Stripe are certified under the Data Privacy Framework. Standard Contractual Clauses (SCCs) approved by the UK ICO remain in place as a fallback safeguard. HMRC processes your submitted tax data within the UK only. TrueLayer (when Open Banking is connected) processes data in the UK.

10. Children

TradeKit is designed for business use by adults aged 18 and over. We do not knowingly collect data from anyone under 18.

11. Data Breaches

In the event of a data breach, we will notify the ICO within 72 hours as required by UK GDPR and will notify affected users without undue delay.

12. Complaints

If you have concerns about how we handle your data, you can contact the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint

13. Changes to This Policy

We may update this policy from time to time. The effective date at the top will be updated accordingly.

Contact: support@tradekitapp.co.uk

Back to TradeKit