Privacy Policy
Last updated: 14 March 2026
QuarterBridge ("we", "us", "our") is committed to protecting your personal data. This privacy policy explains how we collect, use, store, and share your information when you use our MTD bridging software service at quarterbridge.uk (the "Service").
1. Who We Are
QuarterBridge is a Making Tax Digital (MTD) bridging software service that helps sole traders and landlords submit quarterly income and expense updates to HMRC. We are the data controller for the personal data we process.
QuarterBridge is a trading name of Oneirix Ltd. Registered in England & Wales, Company No. 17005595. Registered with the Information Commissioner's Office (ICO), registration number: 00013470271.
Contact: support@quarterbridge.uk
2. What Data We Collect
| Data Type | Examples | Purpose |
|---|
| Account information | Name, email, phone number, password (hashed) | Account creation and authentication |
| Financial data | Income figures, expense amounts from your uploaded spreadsheets | Formatting and submitting your quarterly update to HMRC |
| HMRC credentials | OAuth access tokens, refresh tokens, NINO, business IDs | Authenticating with HMRC on your behalf |
| Submission history | Dates, amounts, HMRC references, tax years, quarters | Your records and audit trail |
| Payment information | Managed by Stripe — we never see or store your card details | Subscription billing |
| Device information | Browser type, timezone, screen size, connection method | HMRC fraud prevention headers (legally required) |
3. Lawful Basis for Processing
We process your data under the following lawful bases (UK GDPR Article 6):
- Contract (Art. 6(1)(b)): Processing your financial data and submitting to HMRC is necessary to perform the service you have subscribed to.
- Legal obligation (Art. 6(1)(c)): HMRC requires us to send fraud prevention headers with every API request. We are legally required to collect certain device data.
- Legitimate interest (Art. 6(1)(f)): Maintaining submission records, debugging issues, preventing fraud, and improving our service.
4. How We Use Your Data
- To create and manage your account
- To process your uploaded spreadsheet data and map it to HMRC categories
- To submit your quarterly update to HMRC via their API
- To generate audit reports and submission receipts
- To manage your subscription and billing via Stripe
- To comply with HMRC fraud prevention requirements
- To provide customer support
We never sell your data to third parties.
5. Data Sharing
We share your data only with:
- HMRC: Your income/expense figures and fraud prevention headers (required for MTD submission)
- Supabase: Our database and authentication provider (EU-based infrastructure, SOC2 compliant)
- Stripe: Payment processing only — we never handle your card details
- Cloudflare: Website hosting and DDoS protection
6. Data Security
- All data is transmitted over HTTPS (TLS 1.2+)
- HMRC OAuth tokens are encrypted at rest in our database
- Passwords are hashed using bcrypt (via Supabase Auth)
- Row Level Security (RLS) ensures users can only access their own data
- We never store your spreadsheet files — data is processed in your browser and only the summarised totals are sent to HMRC
7. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account deletion
- Submission history: Retained for 7 years (HMRC record-keeping requirement)
- HMRC tokens: Refreshed every 4 hours, deleted when you disconnect from HMRC or delete your account
- Uploaded spreadsheet data: Never stored — processed entirely in your browser
8. Your Rights (UK GDPR)
You have the right to:
- Access your personal data — contact us for a data export
- Rectification — update your profile information at any time
- Erasure ("right to be forgotten") — delete your account and all associated data from your dashboard settings
- Restrict processing — contact us to limit how we use your data
- Data portability — request your data in a machine-readable format
- Object — contact us if you wish to object to any processing
- Withdraw consent — where processing is based on consent, you can withdraw at any time
To exercise any of these rights, email support@quarterbridge.uk. We will respond within 30 days.
9. Data Breach Policy
In the event of a personal data breach, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where required
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, their effects, and the remedial action taken
10. Cookies
We use minimal cookies:
- Authentication cookies: Essential — required to keep you logged in (Supabase session tokens)
- No third-party tracking cookies — we do not use Google Analytics, Facebook Pixel, or any advertising trackers
11. Children
Our Service is not directed to individuals under 18. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or an in-app notification. The "Last updated" date at the top will reflect the latest revision.
13. Contact & Complaints
If you have questions or concerns about this privacy policy or how we handle your data:
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).