Privacy Policy
Bart - Your Personal AI Accountant
Effective Date: 4 February 2026 | Last Updated: 4 February 2026
1. Introduction
This Privacy Policy explains how HELLO BART LTD ("we", "us", "our", or "Company") collects, uses, stores, and protects your personal data when you use Bart ("Service" or "Application").
We are committed to protecting your privacy and processing your personal data in accordance with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- The Privacy and Electronic Communications Regulations 2003 (PECR)
Please read this Privacy Policy carefully. By using Bart, you acknowledge that you have read and understood this Policy.
2. Data Controller
The data controller responsible for your personal data is:
HELLO BART LTD
- Registered Address: 64a Cathnor Road, London, W12 9JA
- Company Number: 16844864
- Email: dpo@hellobart.com
- Data Protection Officer: dpo@hellobart.com
You may contact our Data Protection Officer for any privacy-related enquiries.
3. Personal Data We Collect
3.1 Data You Provide Directly
| Data Category | Examples | Purpose |
|---|---|---|
| Account Information | Email address, name | Account creation, authentication, communications |
| Identity Information | National Insurance Number (NINO) | HMRC identification, tax submissions |
| Authentication Data | Google/Apple account identifiers | Passwordless sign-in |
3.2 Data from Third Parties
| Source | Data Category | Examples |
|---|---|---|
| HMRC (via Government Gateway OAuth) | Business details | Self-employment business name, trade type, accounting period, UTR, obligation periods, submission history |
| Your Bank (via Finexer Open Banking) | Transaction data | Transaction descriptions, amounts, dates, merchant names, account balances |
| Google/Apple (if used for sign-in) | Basic profile | Email address, name |
3.3 Data Generated Through Use
| Data Category | Examples | Purpose |
|---|---|---|
| Categorisation Data | Transaction categories, AI confidence scores, manual overrides | Tax categorisation and submission |
| Chat Conversations | Messages with Bart AI assistant | Categorisation assistance, service improvement |
| Usage Data | Features used, submission history, app interactions | Service improvement, support |
| Technical Data | IP address, device type, operating system, browser type | Security, fraud prevention, troubleshooting |
3.4 HMRC Fraud Prevention Data
To comply with HMRC's fraud prevention requirements for Making Tax Digital, we collect and transmit header data with each API request. This may include:
- Device identifiers and characteristics
- Operating system and browser information
- Screen resolution and timezone
- IP address and connection metadata
- User agent strings
This data is required by HMRC and transmitted directly to HMRC with submissions. See HMRC's fraud prevention guidance for details: https://developer.service.hmrc.gov.uk/guides/fraud-prevention/
4. How We Use Your Data
4.1 Purposes and Legal Bases
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and management | Email, name, authentication data | Contract performance |
| HMRC integration and submissions | NINO, business details, transaction data, categorisations | Contract performance |
| Open Banking transaction retrieval | Bank connection tokens, transaction data | Contract performance (with your explicit consent for bank access) |
| AI-powered categorisation | Transaction data, chat conversations | Contract performance, legitimate interests (service improvement) |
| Chat assistance | Chat messages, transaction context | Contract performance |
| Billing and payments | Email, payment method details (via payment processor) | Contract performance |
| Customer support | Account data, usage data, communications | Contract performance, legitimate interests |
| Security and fraud prevention | Technical data, usage patterns, HMRC fraud headers | Legal obligation (HMRC requirements), legitimate interests |
| Service improvement | Anonymised usage data, aggregated statistics | Legitimate interests |
| Legal compliance | All relevant data as required | Legal obligation |
| Communications | Email address | Contract performance (service messages), consent (marketing) |
4.2 Legitimate Interests
Where we rely on legitimate interests, we have conducted a balancing assessment to ensure our interests do not override your rights. Our legitimate interests include:
- Maintaining security and preventing fraud
- Improving and developing our Service
- Understanding how users interact with our Service
- Providing customer support
You may object to processing based on legitimate interests. See Section 9.
4.3 Consent
Where we rely on consent (e.g., marketing communications), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
5. Special Category and Sensitive Data
5.1 National Insurance Numbers
Your NINO is not special category data under UK GDPR but is considered sensitive personal data. We implement enhanced protections:
- Encryption at rest and in transit
- Strict access controls
- Audit logging of access
- No logging of full NINOs in application logs
5.2 Financial Data
Transaction data may reveal sensitive information about your life and habits. We:
- Process this data only for tax-related purposes
- Do not analyse transactions for non-tax purposes
- Do not sell or share transaction data for marketing
6. Data Sharing
6.1 Third-Party Service Providers
We share data with the following categories of service providers:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| HMRC | Tax submissions, business retrieval, obligations | NINO, business details, categorised transactions, fraud prevention headers | UK |
| Finexer (Open Banking) | Bank account connection, transaction retrieval | Bank connection tokens, account identifiers | UK |
| Anthropic (AI Provider) | Transaction categorisation, chat assistance | Transaction descriptions, chat messages (no NINO) | USA |
| Supabase (Infrastructure) | Database, authentication, storage | All account and transaction data | UK |
| Stripe | Subscription billing | Email, payment method tokens | USA |
| Resend | Transactional emails | Email address, name | USA |
6.2 Data Processing Agreements
We have Data Processing Agreements with all third-party processors that include:
- Processing only on our documented instructions
- Confidentiality obligations
- Security requirements
- Sub-processor restrictions
- Data subject rights assistance
- Audit rights
6.3 Other Disclosures
We may disclose your data:
- To comply with legal obligations or lawful requests from authorities
- To protect our rights, property, or safety, or that of our users
- In connection with a merger, acquisition, or sale of assets (with notice to you)
- With your explicit consent
6.4 No Sale of Data
We do not sell your personal data to third parties.
7. International Data Transfers
7.1 Transfers Outside the UK
Some of our service providers are located outside the UK, including the United States. When we transfer personal data internationally, we ensure appropriate safeguards:
| Destination | Safeguard |
|---|---|
| USA (Anthropic, Stripe, Resend) | UK International Data Transfer Agreement (UK IDTA) with EU Standard Contractual Clauses |
| European Economic Area | UK adequacy decision |
7.2 Your Rights
You may request a copy of the safeguards we use for international transfers by contacting our Data Protection Officer.
8. Data Retention
8.1 Retention Periods
We retain your data for the following periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 6 years | Legal/tax record requirements |
| NINO | Duration of account + 6 years | Tax records |
| Transaction data | 6 years from end of relevant tax year | HMRC record-keeping requirements |
| HMRC submissions | 6 years from submission date | Tax records, audit trail |
| Chat conversations | 2 years from creation | Service improvement, support |
| Technical/usage logs | 12 months | Security, troubleshooting |
| Payment records | 6 years | Legal/accounting requirements |
8.2 Tax Records Requirement
HMRC requires you to keep business records for 5 years after the 31 January submission deadline. Our 6-year retention period ensures compliance with this requirement.
8.3 After Retention Period
After the retention period expires, we will securely delete or anonymise your data. Some data may be retained in anonymised form for statistical analysis.
8.4 Account Deletion
If you delete your Account, we will delete your personal data except:
- Data required for legal compliance (tax records)
- Data required for legitimate purposes (fraud prevention records)
- Anonymised data used for statistics
9. Your Rights
Under UK GDPR, you have the following rights:
9.1 Right of Access
You may request a copy of the personal data we hold about you. We will respond within one month and provide data in a commonly used electronic format.
9.2 Right to Rectification
You may request correction of inaccurate or incomplete personal data. You can update most information directly in the app.
9.3 Right to Erasure
You may request deletion of your personal data where:
- It is no longer necessary for the purposes collected
- You withdraw consent (where consent is the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
Note: We cannot delete data required for tax record-keeping during the retention period.
9.4 Right to Restrict Processing
You may request restriction of processing in certain circumstances, such as while we verify accuracy of data you have contested.
9.5 Right to Data Portability
You may request your data in a structured, commonly used, machine-readable format. You can export your transaction data and submissions through the app at any time.
9.6 Right to Object
You may object to processing based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds.
You have an absolute right to object to direct marketing at any time.
9.7 Rights Related to Automated Decision-Making
Our AI categorisation is not solely automated decision-making with legal effects. You can manually override any categorisation, and you must approve all submissions to HMRC.
9.8 How to Exercise Your Rights
To exercise your rights:
- In-app: Use the privacy settings and data export features
- Email: Contact dpo@hellobart.com
- Post: Write to our Data Protection Officer at 64a Cathnor Road, London, W12 9JA
We will respond within one month. Complex requests may take up to three months (we will inform you).
We will verify your identity before processing requests.
9.9 No Fee
In most cases, we will not charge a fee. We may charge a reasonable fee for manifestly unfounded or excessive requests.
10. Data Security
10.1 Technical Measures
We implement appropriate technical measures to protect your data:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Authentication: Secure passwordless authentication; OAuth 2.0 for third-party connections
- Access Controls: Role-based access; principle of least privilege
- Infrastructure: Secure cloud hosting with SOC 2 certification
- Monitoring: Security event logging and monitoring
- Testing: Regular penetration testing and vulnerability assessments
10.2 Organisational Measures
- Staff training on data protection
- Confidentiality agreements
- Access limited to those who need it
- Regular security reviews
10.3 Breach Notification
In the event of a personal data breach that poses a risk to your rights:
- We will notify the Information Commissioner's Office within 72 hours
- We will notify you without undue delay if there is high risk to your rights
- We will notify HMRC within 72 hours as required by their terms
10.4 Your Responsibilities
You are responsible for:
- Keeping your authentication methods secure
- Reporting suspected unauthorised access immediately
- Ensuring your email account is secure
11. Cookies and Tracking
11.1 What We Use
We use cookies and similar technologies for:
| Type | Purpose | Examples |
|---|---|---|
| Essential | Core functionality, authentication, security | Session cookies, authentication tokens |
| Functional | User preferences, settings | Language preferences, display settings |
| Analytics | Understanding usage patterns | Anonymised usage statistics |
11.2 Third-Party Cookies
Our website may include third-party cookies from:
- Analytics providers
- Authentication providers (Google, Apple)
11.3 Your Choices
- Browser settings: You can control cookies through your browser settings
- Essential cookies: Cannot be disabled as they are necessary for the Service
- Analytics: You can opt out of analytics cookies through our cookie settings or by contacting us
11.4 Mobile App
The mobile app does not use cookies but may use similar technologies (local storage, device identifiers) for essential functionality.
For more details, see our Cookie Policy.
12. Children's Data
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
13. Marketing Communications
13.1 Service Communications
We will send you essential service communications (e.g., submission confirmations, deadline reminders, security alerts) as part of the Service. These are not marketing and cannot be opted out of while using the Service.
13.2 Marketing
We will only send marketing communications with your consent. You can opt out at any time by:
- Clicking "unsubscribe" in any marketing email
- Updating your preferences in the app
- Contacting us at dpo@hellobart.com
13.3 Third-Party Marketing
We will not share your data with third parties for their marketing purposes without your explicit consent.
14. Changes to This Policy
14.1 Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be notified via:
- Email to your registered address
- In-app notification
- Notice on our website
14.2 Review
We encourage you to review this Policy periodically. The "Last Updated" date indicates the most recent revision.
14.3 Previous Versions
Previous versions of this Policy are available upon request.
15. Complaints
15.1 Contact Us First
If you have concerns about how we handle your data, please contact our Data Protection Officer at dpo@hellobart.com. We take all complaints seriously and aim to resolve them promptly.
15.2 Information Commissioner's Office
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first so we can try to resolve your concerns.
16. Contact Us
For any questions about this Privacy Policy or our data practices:
Data Protection Officer
- Email: dpo@hellobart.com
- Post: HELLO BART LTD, 64a Cathnor Road, London, W12 9JA
General Privacy Enquiries
- Email: dpo@hellobart.com
To Exercise Your Rights
- Email: dpo@hellobart.com
- Subject line: "Data Subject Request"
17. Additional Information for Specific Integrations
17.1 HMRC Integration
When you connect to HMRC:
- We access your data through HMRC's OAuth 2.0 process
- We never see or store your Government Gateway password
- You can revoke our access through your HMRC online account
- HMRC's own privacy notice applies to data they hold: HMRC Privacy Notice
17.2 Open Banking (Finexer)
When you connect your bank:
- Finexer is authorised by the FCA as an Account Information Service Provider
- We access only the accounts you select
- We cannot make payments or move money
- Connection is read-only
- You can revoke access through our app or directly with your bank
- Finexer's privacy policy: https://finexer.com/privacy-policy
17.3 AI Processing (Anthropic)
When Bart categorises transactions or responds to chat:
- Transaction descriptions and chat messages are sent to Anthropic's Claude AI
- We do not send your NINO, full name, or account numbers to AI processing
- Anthropic does not use your data to train their models (per our agreement)
- Anthropic's privacy policy: https://www.anthropic.com/privacy
By using Bart, you acknowledge that you have read and understood this Privacy Policy.
Document Version: 1.0