Vibe Books: Privacy Policy

Last updated: 18 April 2026

Vibe Books ("we", "us", "our") is the trading name of Mr Mark Purmal, a sole trader based in the United Kingdom. For UK data protection law, we are the data controller in respect of personal data you provide when you use the Service. We are committed to protecting your data and being transparent about what we collect and why.

Information Commissioner's Office

We are registered with the Information Commissioner's Office (ICO) as a data controller. Registration reference: ZC124963. Registered 15 April 2026; registration expires 14 April 2027.

1. What data we collect

Depending on how you use the Service, we process identifiers and financial data needed for Making Tax Digital (MTD) for Income Tax, including:

  • Tax Identifiers: National Insurance number (NINO) and Unique Taxpayer Reference (UTR).
  • HMRC Source IDs: Identifiers associated with your MTD income source registration.
  • Financial Data: Income and expenses (amounts, dates, descriptions, categories).
  • Technical Data: IP address, device type, and browser details (required for fraud prevention).

2. How we use your data

We use your personal data solely to operate the Service and communicate with HM Revenue & Customs (HMRC).

  • MTD Submissions: To transmit quarterly updates and final declarations.
  • Mandatory Fraud Prevention: As an HMRC-integrated software provider, we are legally required to transmit specific technical "Fraud Prevention Headers" to HMRC with every submission. This includes your IP address and device identifiers to protect the integrity of the UK tax system.
  • No Marketing: We do not use your tax identifiers or financial data for profiling, advertising, or third-party marketing.

3. UK Data Protection Framework

We process data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025, ensuring your right to digital data portability and secure access.

4. Legal Basis (UK GDPR)

  • Contract performance: To provide the bookkeeping service you signed up for.
  • Legal obligation: To comply with HMRC’s Making Tax Digital (MTD) requirements and mandatory fraud reporting standards.
  • Legitimate interests: To maintain application security and prevent unauthorised access.

5. Third-party services

We use a limited number of trusted services to operate:

  • HMRC (Making Tax Digital API): To submit updates. Data shared: Financial totals, NINO, UTR, and mandatory Fraud Prevention Headers.
  • Stripe: For payment processing. (Handled entirely by Stripe).
  • Railway: Application and database hosting. (Data is stored in secure UK/EU regions).
  • Google (Gmail SMTP): For transactional emails (e.g., password resets).

6. Cookies

We use a single, strictly necessary session cookie to keep you logged in. We do not use any analytics, tracking, or advertising cookies.

7. Data Retention (The "5-Year Rule")

In accordance with HMRC MTD regulations, we retain your records to facilitate your statutory duty to keep business records for at least five years after the 31 January deadline following the relevant tax year.

Account Deletion: If you delete your account, we remove your personal data from our live (active) systems within 30 days. That is not always the same as erasing every record that has ever existed: where UK law requires retention — including HMRC Making Tax Digital record-keeping — we may retain or archive certain information for the required period (see above). You are responsible for exporting your records (CSV/PDF) before deletion if you need copies for your own files and continuing HMRC obligations.

8. Data Security and Encryption

We employ bank-grade technical measures:

  • Encryption in Transit: All data is protected via HTTPS with TLS 1.2 or higher.
  • Encryption at Rest: Our database uses AES-256 encryption.
  • Tax ID Security: Sensitive identifiers (NINO and UTR) and HMRC OAuth tokens are separately encrypted at the database field level for an additional layer of security.
  • Passwords: Hashed using bcrypt (cost factor 12).

9. Automated Suggestions

Vibe Books may suggest categories for imported transactions. These are automated aids only; they do not submit data to HMRC. You must explicitly review and confirm all data before any official MTD submission.

10. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in respect of your personal data (in each case subject to applicable law and exemptions):

  • Access: To obtain confirmation of whether we process your data and a copy of the personal data we hold.
  • Rectification: To have inaccurate data corrected and incomplete data completed.
  • Erasure: To have your data erased in certain circumstances (“right to be forgotten”).
  • Restriction of processing: To require us to restrict processing of your data in certain circumstances (for example while a dispute is resolved).
  • Data portability: To receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and is carried out by automated means.
  • Object: To object to processing based on legitimate interests or for direct marketing (we do not use your data for marketing, but you may object where applicable).

You can exercise many of these rights, and delete your account, through the Service settings. For other requests, contact us using the details below.

11. Complaints to the ICO

If you are unhappy with how we have handled your personal data, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection, at ico.org.uk (including its "make a complaint" page).

12. Personal data breaches

In the event of a personal data breach that is likely to affect your rights and freedoms, we will notify you without undue delay where required by UK GDPR, and we will notify the ICO when we are required to do so.

13. Contact Us

Email: support@vibebooks.co.uk

Telephone: 01330 824021

© 2026 Vibe Books. All rights reserved.