SelfSubmit is designed to help you stay compliant with HMRC Making Tax Digital requirements. You remain responsible for ensuring the information you submit is accurate.

GDPR & UK data protection

UK organisations must comply with the UK GDPR (as tailored by the Data Protection Act 2018) and the Privacy and Electronic Communications Regulations (PECR) where relevant. This page summarises how SelfSubmit approaches those duties in plain language—it is not legal advice.

Last updated: 16 April 2026

Principles we follow

  • Process personal data lawfully, fairly, and transparently.
  • Collect data for specified, explicit, legitimate purposes and not reuse it incompatibly.
  • Keep data adequate, relevant, and limited to what is necessary.
  • Keep data accurate and erase or rectify when needed.
  • Keep data only as long as necessary (retention schedules).
  • Protect data with appropriate technical and organisational measures.
  • Demonstrate accountability (records, assessments, and contracts with processors).

Lawful bases (examples)

Depending on the feature, we may rely on contract (providing the service you asked for), legal obligation (where the law requires retention or reporting), legitimate interests (fraud prevention or product improvement, balanced against your rights), or consent (for example optional marketing or non-essential cookies). The privacy policy will map each processing activity to a basis when we go live.

Your rights

In the UK, individuals generally have the following rights in respect of personal data:

  • Right to be informed (this page plus the privacy policy).
  • Right of access (subject access request).
  • Right to rectification.
  • Right to erasure (“right to be forgotten”) in certain cases.
  • Right to restrict processing in certain cases.
  • Right to data portability for certain automated processing based on contract or consent.
  • Right to object to processing based on legitimate interests or direct marketing.
  • Rights related to automated decision-making and profiling where applicable.

To exercise a right, use the contact route on our Contact page once published. We will respond within statutory timeframes (normally one month, extendable in complex cases).

International transfers

If we host data outside the UK, we will use appropriate safeguards (for example, the UK International Data Transfer Agreement or adequacy regulations) and document them.

Supervisory authority

You may complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues: ico.org.uk.

Data Protection Officer

We will publish a DPO or privacy lead contact if required by law or if we choose to appoint one voluntarily.