Privacy Policy
Version 1.1 — Last updated: 2026-04-24
1. Who we are
Tickety is a trading name of SORTED BOOKKEEPING LIMITED, a company registered in England and Wales, company number 17152012.
We are the data controller for the personal data described in this policy, as defined under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
- Registered office: [TODO: add registered office address]
- Privacy contact: privacy@tickety.tax
- General contact: hello@tickety.tax
- ICO registration number: [TODO: add once issued]
We are registered with HM Revenue & Customs (HMRC) as a supervised business under the Money Laundering Regulations 2017 (MLR 2017), reference [TODO: add HMRC AML reference once issued].
2. What this policy covers
This policy describes how we collect, use, share, and retain personal data when you use the Tickety bookkeeping and tax filing service — including when you connect your bank account, have your transactions categorised, have your books reviewed by a qualified bookkeeping reviewer, and have your quarterly Making Tax Digital (MTD) Income Tax Self-Assessment (ITSA) returns submitted to HMRC.
This policy covers both the pre-launch waitlist and the full bookkeeping service. It does not cover the personal data of our contracted reviewers, which is governed by their individual contractor agreements.
3. What personal data we collect and why
For each category, we state the lawful basis under ICO guidance on lawful basis (UK GDPR Article 6).
3.1 Identity and account data
What: Full name, email address, trade or profession, business name (if any), VAT number (if registered).
Why: To create and manage your account, verify your identity, and communicate with you about your service.
Lawful basis: Contract (Article 6(1)(b)) — this data is necessary to deliver the service you have signed up for.
3.2 HMRC identifiers
What: Unique Taxpayer Reference (UTR); National Insurance Number (NINO); HMRC Business ID; HMRC OAuth access and refresh tokens.
Why: To authorise Tickety to act as your tax agent, submit quarterly MTD updates on your behalf, and file your Self Assessment return with HMRC.
Lawful basis: Contract (Article 6(1)(b)) — filing your tax returns is the core service you have contracted us to perform.
How we protect it: Your UTR and NINO are encrypted in our database using AES-256-GCM field-level encryption. The encryption key is managed by AWS Key Management Service (KMS) in the eu-west-2 (London) region. HMRC OAuth tokens are also encrypted at rest. These fields are never exposed to our contracted reviewers — reviewers see transaction data only, not your tax identifiers.
3.3 Bank transaction data
What: Bank account type; institution name; transaction dates; transaction amounts; merchant descriptions; merchant names. Retrieved via Plaid’s Open Banking connection following your explicit authorisation.
Why: To import your income and expenses, categorise them, and calculate your quarterly MTD figures.
Lawful basis: Contract (Article 6(1)(b)) — importing your bank transactions is the core mechanism by which we provide the bookkeeping service.
How we protect it: Bank OAuth tokens (used to refresh your transaction feed) are encrypted at rest. Raw transaction descriptions are processed through an automated PII-scrubbing pipeline before being passed to our AI categorisation system or presented to reviewers. We strip sort codes, account numbers, card numbers, and names appearing in payment references before any human reviewer sees your transactions.
Open Banking consent: Your bank connection is authorised by you directly with your bank, via Plaid’s FCA-authorised Open Banking infrastructure. You can revoke this connection at any time from within the Tickety dashboard or directly through your bank. Connections expire after 90 days and we will remind you to renew.
3.4 Receipt data
What: Receipt images you upload; data extracted from those images (vendor name, amount, date, VAT amount where present).
Why: To match receipts to transactions and provide a complete record for your reviewer and HMRC.
Lawful basis: Contract (Article 6(1)(b)).
3.5 Financial summaries and tax calculations
What: Aggregated income totals by category; aggregated expense totals by category; net profit; income tax liability; Class 2 and Class 4 National Insurance Contributions (NIC); payments on account; MTD quarterly update payloads; Self Assessment data.
Why: To prepare your MTD submissions and annual Self Assessment, and to provide you with monthly financial statements.
Lawful basis: Contract (Article 6(1)(b)) — these are the outputs of the service you have contracted us to perform. Legal obligation (Article 6(1)(c)) — once submitted to HMRC, records of those submissions must be retained for the periods required by law (see section 7 on retention).
3.6 Service and account administration
What: Subscription tier; Stripe customer and subscription IDs; payment event data (amounts, dates — not card numbers, which are held by Stripe); onboarding stage; login history; session tokens.
Why: To manage your subscription, process payments, and maintain the security of your account.
Lawful basis: Contract (Article 6(1)(b)) for subscription management; Legitimate interests (Article 6(1)(f)) for security logging and fraud prevention. Our legitimate interest is in protecting our customers and the integrity of the service.
3.7 Audit trail
What: A tamper-evident, append-only log of significant actions taken in your account (e.g. submissions made, reviewer sign-offs completed, data exports).
Why: To provide an auditable record of service delivery, support dispute resolution, and meet HMRC agent obligations.
Lawful basis: Legitimate interests (Article 6(1)(f)) and Legal obligation (Article 6(1)(c)) for HMRC agent record-keeping requirements.
3.8 Pre-launch waitlist data
What: First name; email address; estimated annual turnover band (e.g. “Under £30k”, “£30k–£50k”); trade or profession (optional); online selling platform (optional, sellers only); the page you signed up from; UTM campaign parameters; submission timestamp; and your browser’s user-agent string.
Why: To manage the waitlist, send you a confirmation email, recommend the appropriate service tier, assess Making Tax Digital (MTD) eligibility based on your turnover band, and understand which types of sole traders are interested in Tickety so we can prioritise development.
Lawful basis: Consent (Article 6(1)(a)) — you provide this data voluntarily when you submit the waitlist form. You can withdraw at any time by replying REMOVE to any waitlist email or contacting privacy@tickety.tax.
Retention: If you do not convert to a paying customer, we delete your waitlist data within 12 months of collection. If you do convert, the data is subsumed into your account record (section 3.1) and retained under that schedule.
4. Special category data
We do not intentionally collect special category personal data (health, biometric, political, religious, or similar data). If any such data appears incidentally in a bank transaction description or receipt — for example, a payment to a medical provider — it is processed through the same pipeline as all other transaction data and is not used for any purpose beyond categorisation. We do not flag or record it as special category data.
If you are concerned about a specific transaction, you can redact it before it is reviewed by contacting privacy@tickety.tax.
5. How AI is used
We use Claude (developed by Anthropic) to categorise your bank transactions and extract data from receipt images. Before any transaction data is passed to Claude:
- Sort codes, account numbers, card numbers, NINOs, UTRs, and names appearing in payment references are automatically stripped.
- The data passed to Claude contains amounts, dates, and cleaned merchant descriptions only — no identifiers linking the transaction to you personally.
We have a Zero Data Retention (ZDR) agreement with Anthropic, meaning transaction data sent to Claude is not retained by Anthropic beyond the processing of the immediate request. For Anthropic’s current Privacy Policy, see anthropic.com/legal/privacy.
6. Automated decision-making and your rights
This section explains how we use artificial intelligence (AI) to make decisions about your transactions, what that means for you, and what rights you have. These disclosures are required by UK GDPR Article 13(2)(f), which (as amended by the Data (Use and Access) Act 2025) requires meaningful information about automated decision-making subject to the safeguards under Article 22C.
6.1 What automated decisions are made
When your bank transactions are imported, Claude (Anthropic’s AI model) automatically assigns each transaction to a tax expense category from the HMRC Self Assessment SA103 schedule — for example, “office costs”, “travel”, or “professional fees”. This categorisation is carried out without a human reviewer looking at each individual transaction at that stage.
6.2 How the AI categorisation works
The AI uses the following information to assign a category to each transaction:
- The cleaned merchant description (after our Personally Identifiable Information (PII)-scrubbing pipeline has removed names, sort codes, card numbers, and similar identifiers)
- The transaction amount and date
- A prompt that explains the HMRC SA103 expense categories and their definitions
The AI produces a category assignment and a confidence score for each transaction. Low-confidence categorisations are flagged for closer attention during the human review stage.
6.3 What this means for you
The category the AI assigns to a transaction determines which HMRC expense bucket that transaction is counted in. Because expense categorisation directly affects the calculation of your taxable profit, it has a consequential effect on your tax liability. This is why we treat this process as significant and subject it to the safeguards described below.
6.4 Human oversight — why this is not solely automated processing
No AI categorisation is used in a tax submission without a qualified human reviewer checking it first.
Before any quarterly Making Tax Digital (MTD) update or annual Self Assessment return is submitted to HMRC, a contracted qualified bookkeeping reviewer assigned to your account reviews all categorisations for that period. The reviewer can, and does, override AI categorisations where they disagree. The final categorisation used in any HMRC submission is always the result of the reviewer’s sign-off, not the AI output alone.
Under Article 22A of the UK GDPR (as substituted by the Data (Use and Access) Act 2025), a decision is “based solely on automated processing” only where there is no meaningful human involvement in the decision. Because every filing passes through a qualified reviewer who exercises independent professional judgment over the AI output, our process does not constitute solely automated processing. The AI produces a draft; the reviewer makes the decision.
As a matter of transparency best practice, we voluntarily apply the safeguards set out in Article 22C(2) of the UK GDPR regardless: we tell you what decisions are made, we enable you to make representations, we enable you to obtain human intervention, and we enable you to contest decisions. These are described in section 6.5 below.
6.5 Your rights regarding automated decisions
In line with Article 22C(2) UK GDPR, we provide the following safeguards (and would do so regardless of whether Art. 22C applied):
- Request human intervention — ask that a specific transaction or set of transactions be reviewed or re-reviewed by a human reviewer rather than relying on the AI categorisation alone
- Express your point of view — tell us why you think a particular categorisation is right or wrong, and have that view taken into account
- Contest a decision — challenge a categorisation that you believe is incorrect, including after a reviewer has signed off on it
To exercise any of these rights, email privacy@tickety.tax with the subject line “Automated decision review request”. Please describe the transaction(s) you are querying and, where possible, what you believe the correct category should be. We will respond within five working days and, if the categorisation needs to change, we will update it before any affected submission is made to HMRC.
You can also raise a categorisation query directly in the Tickety dashboard at any time before your reviewer submits your return.
7. How long we keep your data
| Data category | Retention period | Legal basis for retention |
|---|---|---|
| Account and identity data | Duration of your subscription + 12 months after termination | Contract; then legitimate interests (dispute resolution) |
| Bank transaction data | 5 years from the end of the tax year in which the transaction occurred | Legal obligation — s.12B Taxes Management Act 1970 (TMA 1970) |
| HMRC submission records | 5 years from the 31 January filing deadline for the relevant tax year | Legal obligation — s.12B TMA 1970; also MLR 2017 reg 40 |
| AML/Customer Due Diligence (CDD) records | 5 years from the end of the business relationship | Legal obligation — MLR 2017 reg 40 |
| Audit trail | 6 years | Legal obligation / legitimate interests (HMRC agent obligations; limitation period for legal claims) |
| Payment records | 7 years | Legal obligation — Companies Act 2006 accounting record requirements |
| Session tokens | Expire automatically; deleted when you log out or the session expires | Contract |
Important: The statutory retention obligations above mean we cannot always honour a request to delete all of your data immediately. See section 9 (your rights) for how we handle this tension.
8. Who we share your data with
We do not sell your personal data.
7.1 Contracted bookkeeping reviewers
We share a PII-scrubbed subset of your transaction data (amounts, dates, cleaned merchant descriptions, categories) with the contracted qualified bookkeeping reviewer assigned to your account. Your NINO, UTR, HMRC tokens, and bank OAuth tokens are never shared with reviewers.
Each reviewer is bound by a Data Processing Agreement (DPA) under Article 28 UK GDPR, which restricts them to processing your data solely to perform the review service.
7.2 Technology sub-processors
We use the following technology providers, each acting as a data processor under a DPA with us.
| Provider | What they receive | Purpose |
|---|---|---|
| Neon | All data stored in the production database | Primary relational database |
| Vercel | Request/response data transiting the application; anonymised analytics | Application hosting; privacy-friendly analytics |
| AWS KMS (eu-west-2) | Encryption Key Encryption Key (KEK) ciphertext only — not your data | Envelope key management |
| Plaid | Bank OAuth flow; raw transaction data fetched from your bank | Open Banking data connection |
| Stripe | Name, email, subscription details | Payment processing |
| Resend | Email address, name, email content | Transactional email delivery |
| Cloudflare | IP address, DNS query metadata | DNS resolution (and DDoS protection if proxy is enabled) |
| Anthropic (Claude) | PII-scrubbed transaction descriptions and receipt data | AI categorisation and receipt extraction |
7.3 HMRC
We submit your MTD quarterly updates and Self Assessment returns to HMRC on your behalf. HMRC is an independent data controller for the data it receives. See HMRC’s own privacy notice for how it handles your data.
7.4 Legal disclosures
We will disclose personal data if required to by law, court order, or regulatory authority — for example, HMRC (as our Anti-Money Laundering (AML) supervisor), the National Crime Agency (NCA) in connection with any Suspicious Activity Report, or a court of competent jurisdiction. We will notify you before disclosing wherever legally permitted.
9. Your rights under UK GDPR
You have the following rights. To exercise any of them, email privacy@tickety.tax. We will respond within one calendar month.
| Right | What it means | Limitations in Tickety’s context |
|---|---|---|
| Access (Article 15) | Receive a copy of all personal data we hold about you | None — we will provide a full data export |
| Rectification (Article 16) | Correct inaccurate data | We can correct your identity and contact data at any time |
| Erasure (Article 17) | Request deletion of your data | Statutory retention overrides apply. We cannot delete tax records, HMRC submission records, or AML records before the relevant statutory retention period expires. We will delete everything not covered by a legal retention obligation. |
| Restriction (Article 18) | Pause processing of your data | We can restrict processing during a dispute about accuracy; we cannot restrict processing required by law |
| Portability (Article 20) | Receive your data in a machine-readable format | Applies to data processed by contract or consent. We provide a full CSV/JSON export from the dashboard. |
| Objection (Article 21) | Object to processing based on legitimate interests | You can object; we will assess whether our legitimate interests are overridden by your specific circumstances |
| Withdraw consent | Where processing is based on consent, withdraw at any time | Withdrawal does not affect the lawfulness of processing before withdrawal |
10. International transfers
We transfer personal data outside the United Kingdom in the following circumstances:
| Transfer | Destination | Mechanism |
|---|---|---|
| Plaid (bank transaction data) | United States | [UNVERIFIED — confirm transfer mechanism from Plaid DPA] — expected UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) + UK Addendum |
| Vercel (application hosting) | United States (compute) | [UNVERIFIED — confirm from Vercel DPA] — expected SCCs + UK Addendum |
| Resend (email) | United States | [UNVERIFIED — confirm from Resend DPA] — expected SCCs + UK Addendum |
| Anthropic / Claude (AI categorisation) | United States | [UNVERIFIED — confirm from Anthropic DPA/ZDR agreement] — Zero Data Retention agreed; transfer mechanism to be confirmed |
| Stripe (payments) | Ireland / United States | Irish entity (Stripe Payments Europe, Ltd) — UK-EU adequacy for Ireland leg; confirm US transfer mechanism |
| Cloudflare (DNS) | Global edge network | [UNVERIFIED — confirm from Cloudflare DPA] — expected SCCs + UK Addendum |
AWS KMS and Neon are expected to be configured in UK/EU regions and should not transfer personal data outside the UK/EU. Founder must confirm actual deployment regions.
11. Security
We take the following technical and organisational measures to protect your data:
- Field-level encryption: Your NINO, UTR, HMRC tokens, and bank OAuth tokens are encrypted using AES-256-GCM with keys managed by AWS KMS (eu-west-2).
- Encryption in transit: All connections use TLS 1.2 or higher.
- Access controls: Role-based access control ensures bookkeeping reviewers can only access the data of customers specifically assigned to them. Reviewers never see your tax identifiers.
- PII scrubbing: Transaction data is automatically scrubbed of identifying references before it is processed by AI or presented to reviewers.
- Audit trail: A tamper-evident, hash-chained log records all significant actions in your account.
- Breach response: We have a written Incident Response Plan and test it regularly. If a breach puts your data at serious risk, we will notify the Information Commissioner’s Office (ICO) within 72 hours (UK GDPR Article 33) and notify you directly where required (Article 34).
No online service is completely immune to security incidents. We will tell you promptly if a breach affects your data.
12. Vulnerable users
Tickety is designed for sole traders and small business owners who are legally obligated to file their own tax returns. If you have concerns about how we handle your data in light of your specific circumstances — for example, if you are in a vulnerable situation — please contact privacy@tickety.tax and we will work with you directly.
13. Children
This service is not directed at anyone under 18. We do not knowingly collect personal data from children. If you believe a child has given us data, contact privacy@tickety.tax and we will delete it.
14. Complaints
If you are unhappy with how we have handled your data, contact us first at privacy@tickety.tax so we can try to put it right.
You also have the right to complain to the Information Commissioner’s Office (ICO):
- Online: ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
15. Changes to this policy
We will update this policy as the service evolves. If we make material changes affecting your rights or how we use your data, we will notify you by email at least 30 days before the changes take effect.
16. Contact
SORTED BOOKKEEPING LIMITED (trading as Tickety)
Company number: 17152012
Email: privacy@tickety.tax
Registered office: [TODO: add address]
England and Wales