Privacy Policy
Last updated: 1 May 2026
Who We Are
DoneVAT is a product of DoneLabs Ltd, a company registered in England and Wales (Company No. 17056937). We are registered with the Information Commissioner's Office (ICO Reg. No. ICO-0001353294). Our registered address is available upon request. You can contact us at hello@donevat.co.uk.
What Data We Collect
We collect the following data when you use DoneVAT: your email address, your VAT Registration Number (VRN), your HMRC OAuth access and refresh tokens, your VAT transaction records including dates, descriptions, amounts and VAT rates, your VAT return records and submission history, and your Stripe customer ID and subscription status. We do not collect your HMRC password or banking credentials.
How We Use Your Data
We use your data solely to provide the DoneVAT service. This includes authenticating you with HMRC via OAuth 2.0, fetching your VAT obligations and submitting your VAT returns to HMRC, calculating your 9-box VAT return from your transaction records, processing your subscription payments via Stripe, and communicating with you about your account. We do not sell your data to third parties. We do not use your data for advertising purposes.
How We Store and Protect Your Data
Your VRN and HMRC tokens are encrypted at rest using AES-256-GCM. All data is stored on Neon PostgreSQL servers located in the AWS Europe West 2 (London) region. All data in transit is encrypted using TLS. Access to your data is restricted to authenticated sessions only.
Third Party Services
We use the following third-party services to operate DoneVAT: HMRC MTD API for VAT return submission, Stripe for payment processing, Neon for database hosting, and Vercel for application hosting. Each of these providers has its own privacy policy and data processing agreements in place.
Data Retention
We retain your data for as long as your account is active. If you close your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.
Your Rights
Under UK GDPR you have the right to access the personal data we hold about you, correct any inaccurate data, request deletion of your data, object to processing of your data, and request a copy of your data in a portable format. To exercise any of these rights, contact us at hello@donevat.co.uk.
Cookies
DoneVAT uses a single session cookie to maintain your login state. We do not use advertising cookies or third-party tracking cookies.
Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes by email. Continued use of DoneVAT after changes constitutes acceptance of the updated policy.
Data Protection Complaints
You have the right to raise a formal data protection complaint if you are unhappy with how DoneLabs Ltd handles your personal data. This right is established under the Data (Use and Access) Act 2025 and UK GDPR.
To raise a complaint, sign in to your DoneVAT account and visit Settings; the complaint form is in the Data Protection Complaint section. If you are unable to access your account, you can email us directly at privacy@donelabs.co.uk with the subject line 'Data Protection Complaint'.
We will acknowledge your complaint within 30 days of receipt and will keep you informed of progress and expected timeframes for resolution.
If you are not satisfied with our response, or if we have not responded within a reasonable time, you have the right to escalate your complaint to the Information Commissioner's Office (ICO). The ICO can be contacted at ico.org.uk or by calling 0303 123 1113.
Contact
For any privacy-related queries, contact us at hello@donevat.co.uk or write to DoneLabs Ltd at our registered address.