Sub-Processors
Last updated: 25 April 2026
TaxMTD uses the following sub-processors to deliver our service. We notify users at least 30 days before adding a new sub-processor by email and via an in-app notice.
This list is the authoritative companion to Section 7 of our Privacy Policy.
Last updated: 25 April 2026.
Current Sub-Processors
| Sub-processor | Service provided | Data accessed | Region | DPA |
|---|---|---|---|---|
| Plaid Financial Ltd | Open Banking aggregation (FCA AISP, FRN 804718) | Bank account identifiers, transaction history, balances | UK / EU | plaid.com/legal |
| Stripe Payments UK Ltd | Subscription billing and merchant payment import | Card metadata, billing email, payout data | UK / US (SCCs) | stripe.com/dpa |
| Cloudflare, Inc. | CDN, edge compute (Workers), DDoS protection | All app traffic in transit (TLS-encrypted), IP, request metadata | Global, UK edge preferred | cloudflare.com/cloudflare-customer-dpa |
| Google LLC (Gemini) | AI transaction categorisation, receipt OCR, AI assistant | Transaction descriptions, amounts, categories; receipt images; redacted financial summaries | US (EU-US Data Privacy Framework) | cloud.google.com/terms/data-processing-addendum |
| Anthropic PBC (optional) | AI assistant - only when user selects Anthropic in settings | Conversation context, redacted financial summaries | US (SCCs / DPF) | anthropic.com/legal/dpa |
| OpenAI, L.L.C. (optional) | AI assistant - only when user selects OpenAI in settings | Conversation context, redacted financial summaries | US (SCCs / DPF) | openai.com/policies/data-processing-addendum |
| Resend, Inc. | Transactional email delivery (account, billing, breach notices) | Recipient email address and message content | US (DPF) / EU edge | resend.com/legal/dpa |
| HMRC | Statutory tax submission | Tax-return content, UTR, NINO, VAT number, business details, fraud-prevention metadata | UK | Statutory; no DPA - public authority |
| Companies House | Company and officer lookup | Company numbers (queries only - public data) | UK | N/A - public registry |
Data Hosting
TaxMTD's database and file storage are operated for us by an EU-based hosting provider regulated under EU GDPR. We do not publish the operator's name on this page; it is available on request to data subjects exercising their rights and to enterprise customers as part of their own DPIAs. Email privacy@taxmtd.uk for the current operator name and a copy of the DPA.
Notification of Changes
We will notify you by email and via an in-app notice at least 30 days before adding any new sub-processor or replacing an existing one with a different supplier. You may object to a change by writing to privacy@taxmtd.uk; we will work with you to find an alternative or, if none exists, allow you to terminate without penalty.
Exercising Your Rights
To exercise GDPR rights regarding any sub-processor, contact privacy@taxmtd.uk. For complaints, you may also contact the Information Commissioner's Office at ico.org.uk or 0303 123 1113.