Privacy Notice
How we handle your data and protect your privacy
Version 3.1 | Last updated: February 2026
Who We Are
PrompTax Ltd is the data controller for the personal information described in this notice. We are a UK company that provides CGT calculation software for accountancy professionals.
Company number: 16908139
Registered office: 6 Marlborough Drive, Sandbach, CW11 1SP
Data protection contact: privacy@promptax.com
ICO Registration Number: ZC092274
PrompTax Ltd is registered with the Information Commissioner’s Office under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
What We Collect, Why, and Our Legal Basis
Under the UK GDPR (as retained in UK law and supplemented by the Data Protection Act 2018), we need a lawful basis for each type of processing. Here’s what we collect and the basis we rely on:
Your Account
When you sign up, we collect:
Email address — so you can log in and we can contact you
Password — stored securely (hashed, never readable by us)
Name and organisation details — so we know who you are
Legal basis: Performance of our contract with you (UK GDPR Article 6(1)(b)). We need this data to provide you with the PrompTax service.
Your Clients’ Data
When you use PrompTax, you may upload:
Broker statements (PDFs and CSVs)
Trade and transaction data
Client names and tax references (UTRs, NI numbers)
Account numbers and balances
Legal basis: Performance of our contract with you (UK GDPR Article 6(1)(b)). We process this data on your instructions to provide the CGT calculation service. You are the data controller for your clients’ data; we are the data processor. Our Data Processing Agreement governs this relationship.
Usage and Token Data
We collect basic information about how you use PrompTax (pages visited, features used, errors encountered) to improve the service and fix problems. We also track AI extraction token usage (input tokens, output tokens, model used, and associated costs) for billing purposes and to provide you with transparent cost breakdowns.
Legal basis: Legitimate interests (UK GDPR Article 6(1)(f)) for usage analytics; performance of our contract with you (Article 6(1)(b)) for token tracking. We have assessed that our interest in usage analytics is not overridden by your rights and freedoms, given the minimal and non-intrusive nature of the data collected. We don’t use third-party analytics trackers.
Payment Data
When you top up your Extraction Credit Wallet or (after beta) subscribe to a paid plan, payment processing is handled by Stripe. We store a record of your wallet balance, transaction history, and payment status, but we do not see or store your full card details. Stripe processes your payment information directly and securely.
Legal basis: Performance of our contract with you (UK GDPR Article 6(1)(b)).
Where Your Data Goes
Storage: Your data is stored on AWS servers in London (eu-west-2), encrypted both in transit (TLS/HTTPS) and at rest (AES-256). Stored data stays in the UK; the one exception is the document content we send to AI providers for extraction, which is described below.
AI Processing (International Transfer)
To extract data from your documents, we send them to AI providers based in the United States. This is an international data transfer, and we have appropriate safeguards in place as required by UK data protection law. We have conducted a transfer risk assessment for each provider to evaluate the level of protection afforded to personal data in the destination country, in accordance with ICO guidance.
Anthropic (primary AI provider) — processes document images to extract trade data. They do not use your data to train their AI models. Data is retained for up to 30 days for trust and safety purposes, then deleted. Transfer mechanism: Standard Contractual Clauses with the UK International Data Transfer Addendum.
Google Gemini API (secondary/fallback AI provider) — same purpose as above. Google does not use paid API data to train their models. Data retained for up to 30 days for security purposes. Transfer mechanism: Google Cloud Data Processing Addendum with Standard Contractual Clauses.
Payments: Stripe (US/EU) handles payment processing under their own DPA with Standard Contractual Clauses.
Emails: We send emails through AWS Simple Email Service (SES) hosted in the UK (London region).
A full list of our sub-processors, including their locations and transfer mechanisms, is available on our Subprocessors page.
AI and Automated Processing
PrompTax uses AI to extract trade data from your uploaded documents and to perform CGT calculations. We want to be transparent about how this works:
What the AI does: It reads broker statement images and extracts structured trade data (dates, quantities, prices, instrument names). Our software then applies HMRC matching rules to calculate CGT.
Human oversight: We’ve built a verification interface so you can review and correct all AI-extracted data before it’s used for calculations. The AI is a tool to save time — you remain in control of the final output.
No fully automated decisions: PrompTax does not make decisions with legal or financial effects without your review. You verify the data, approve the calculations, and decide what goes on your client’s tax return.
Cost transparency: Every AI extraction is tracked at the token level. You can see exactly how many tokens were used, which AI provider processed your document, the per-token rate applied, and the total cost. This data is available in your extraction history within PrompTax.
How Long We Keep It
Your account data: We keep your account data while you’re a customer, plus up to 12 months after your account closes (in case you want to return, or we need to resolve any outstanding issues). After that, it’s deleted.
Client data: We keep your client data while your account is active. If you leave PrompTax, you can choose to have your client data returned to you (exported) or deleted. We’ll complete deletion within 30 days of your request.
Payment and billing records: We retain records of wallet top-ups, extraction costs, and payment transactions for up to 7 years after the transaction date, as required for accounting and tax compliance under UK law.
Logs and backups: System logs are kept for up to 90 days. Encrypted backups may persist for up to 90 days after deletion for disaster recovery, after which they are purged.
AI provider retention: Both Anthropic and Google may retain processed data for up to 30 days for trust, safety, and abuse detection purposes. After that period, data is automatically deleted by those providers.
Legal retention: We may retain certain records for longer if required by law or to support the defence of legal claims (for example, records of the services we provided may be retained for up to 7 years in line with HMRC limitation periods).
Your Rights
Under UK data protection law (the UK GDPR and the Data Protection Act 2018), you have the right to:
Access — request a copy of the personal data we hold about you
Rectification — ask us to correct inaccurate data
Erasure — ask us to delete your data (subject to any legal retention requirements)
Restriction — ask us to restrict how we process your data in certain circumstances
Portability — receive your data in a structured, machine-readable format
Objection — object to processing based on our legitimate interests
Complain to the ICO — if you’re unhappy with how we’ve handled your data, you can lodge a complaint with the Information Commissioner’s Office at ico.org.uk or call 0303 123 1113
To exercise any of these rights, email privacy@promptax.com. We’ll respond within 30 days. For complex or numerous requests, we may extend this by up to two further months in accordance with Article 12(3) of the UK GDPR, and we’ll let you know within the initial 30-day period if an extension is needed.
Your Clients’ Rights
When you upload your clients’ data to PrompTax, you’re the data controller for that data — you decide what to process and are responsible for your clients’ privacy. We’re the data processor — we process it on your instructions to provide the service.
If your clients have questions about their data, they should contact you (their accountant), not us. You need to make sure your clients know you use software like PrompTax as part of your practice — your professional body (ICAEW, ACCA, etc.) likely requires this in your engagement letters and privacy notices.
Cookies and Tracking
We keep things minimal:
Session cookies (strictly necessary) — these keep you logged in and track your calculation progress. They expire when you close your browser or after a set period. No consent required as they’re essential for the service to work.
CSRF token (strictly necessary) — a security cookie that prevents cross-site request forgery attacks: it lets our server check that a form submission or request came from a page we served to you, not from another website.
Dark mode preference — stored in your browser’s localStorage (not a cookie), purely client-side.
No third-party tracking — we do not use Google Analytics or any other third-party analytics or advertising trackers.
Because we only use strictly necessary cookies, we do not need to ask for your cookie consent under the Privacy and Electronic Communications Regulations (PECR). If we ever add non-essential cookies in the future, we’ll implement a consent mechanism first.
Changes to This Notice
We may update this Privacy Notice from time to time. If we make material changes to how we process your data, we’ll email you directly and update this page. We won’t reduce your rights or change our processing purposes without telling you.
Questions?
If you have any questions about how we handle data, email privacy@promptax.com. We’re happy to explain anything that isn’t clear.