
Privacy Policy

Effective date: 5 April 2026

Vibe Books ("we", "us", "our") is operated by a sole trader based in the United Kingdom. We are committed to protecting your personal data and being transparent about what we collect and why.

This policy explains how we handle your information when you use our website at www.vibebooks.co.uk and the Vibe Books application (the "Service").

1. What data we collect

| Data | When collected | Purpose |
|---|---|---|
| Name | Registration | Personalise your account |
| Email address | Registration | Account login, verification, password resets, service communications |
| Password | Registration | Account security (stored securely hashed, never in plain text) |
| Financial transactions (income, expenses, descriptions, amounts, dates) | When you add them | Provide bookkeeping and MTD functionality |
| HMRC OAuth tokens | When you connect to HMRC | Submit quarterly updates and declarations to HMRC on your behalf |
| Business details (UTR, NINO, business name) | When you enter them in settings | Required for HMRC submissions |
| Stripe customer/subscription ID | When you subscribe to a paid plan | Manage your billing and subscription |

2. How we use your data

We use your personal data solely to:

  • Provide, operate and maintain the Service
  • Create and manage your account
  • Process your financial records and generate reports
  • Submit Making Tax Digital updates and declarations to HMRC on your behalf
  • Process payments through Stripe
  • Send transactional emails (verification, password resets, deadline reminders)
  • Respond to support queries

We do not sell, rent or share your personal data with third parties for marketing purposes.

3. Legal basis (GDPR)

We process your data on the following legal bases under the UK General Data Protection Regulation (UK GDPR):

  • Contract performance — Processing is necessary to provide the Service you signed up for (Article 6(1)(b)).
  • Legitimate interests — To maintain security, prevent fraud and improve the Service (Article 6(1)(f)).
  • Legal obligation — Where we are required to retain data by law (Article 6(1)(c)).

4. Third-party services

We use a limited number of trusted third-party services to operate:

| Service | Purpose | Data shared |
|---|---|---|
| HMRC (Making Tax Digital API) | Submit income/expense data to HMRC | Financial summaries, UTR, NINO |
| Stripe | Payment processing | Email, payment details (handled entirely by Stripe) |
| Railway | Application and database hosting | All application data (stored in the EU/UK region) |
| Google (Gmail SMTP) | Sending transactional emails | Your email address, email content |

Each third party processes data in accordance with their own privacy policies. We do not share your data with any other third parties.

5. Cookies

We use a single session cookie to keep you logged in. This is a strictly necessary, functional cookie and does not track you across other websites.

We do not use any analytics, advertising or tracking cookies.

6. Data retention

  • Your account data and financial records are retained for as long as your account is active.
  • If you delete your account, all your data (including transactions, settings and HMRC tokens) is permanently deleted from our database.
  • Stripe may retain payment records independently in accordance with their own retention policy and legal obligations.

7. Data security

We take appropriate measures to protect your data:

  • Passwords are hashed using bcrypt with a cost factor of 12
  • All connections use HTTPS/TLS encryption
  • The database is hosted on a private network not directly accessible from the internet
  • Session tokens are HTTP-only and secure
  • HMRC OAuth tokens are stored encrypted at rest in the database

8. Your rights under UK GDPR

You have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Ask us to correct inaccurate or incomplete data.
  • Erasure — Ask us to delete your data (you can also delete your account directly).
  • Data portability — Request your data in a machine-readable format.
  • Restriction — Ask us to restrict processing in certain circumstances.
  • Object — Object to processing based on legitimate interests.

To exercise any of these rights, contact us using the details below. We will respond within 30 days.

9. Children

The Service is not intended for individuals under the age of 18. We do not knowingly collect data from children.

10. Changes to this policy

We may update this privacy policy from time to time. If we make significant changes, we will notify you by email or through the Service. The "Effective date" at the top of this page indicates when it was last updated.

11. Contact us

If you have questions about this privacy policy or wish to exercise your data rights, please contact us at:

Email: support@vibebooks.co.uk

© 2026 Vibe Books. All rights reserved.