Privacy Policy — TaxHeaven ChatGPT App

Last Updated: 31 January 2026
Effective Date: 31 January 2026
Version: 1.0

Data Controller Information

Company Name: TAXHEAVEN LTD
Company Registration: 16531070 (Companies House, England & Wales)
ICO Registration: ZC003190
Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Contact Email: privacy@taxheaven.app
Data Protection Officer: privacy@taxheaven.app

Key Point: The TaxHeaven ChatGPT App is a stateless service. We do not store any data you enter. Your inputs are processed in memory, results are returned to ChatGPT, and nothing is retained on our servers.

1. About This App

The TaxHeaven ChatGPT App ("the App") is a set of eight UK tax tools available within ChatGPT. It provides tax estimates (including Scottish rates), MTD eligibility checks, expense categorisation, deadline tracking, payment-on-account calculations, VAT calculations, capital allowance estimates, and receipt scanning.

The App runs as an MCP (Model Context Protocol) server that receives your inputs from ChatGPT, performs calculations, and returns results. It operates entirely within the ChatGPT conversation — there are no user accounts, no login, and no separate website to visit.

2. Data We Process

2.1 Input Data (Processed, Not Stored)

When you use the App through ChatGPT, the following data may be sent to our server for processing:

  • Income figures: Self-employment income, rental income, employment income, dividend income
  • Expense descriptions: Text descriptions of business expenses for categorisation
  • Tax year selection: Which UK tax year to calculate for
  • Previous year tax liability: For payment-on-account calculations
  • VAT details: Net amounts, VAT scheme type, and flat rate percentages
  • Asset information: Cost, type, and date of business assets for capital allowance calculations
  • Receipt data: Vendor names, dates, amounts, and VAT figures extracted by ChatGPT from uploaded receipt images (only text data is sent to TaxHeaven — no images)

No sensitive personal data: The App does not ask for or process your name, National Insurance Number (NINO), Unique Taxpayer Reference (UTR), address, date of birth, or any other personally identifiable information. We only process the numerical and text inputs needed for calculations.

2.2 Data We Do NOT Collect

The App does not collect, store, or have access to:

  • Your ChatGPT account information or conversation history
  • Your name, email, or contact details
  • Your NINO, UTR, or other tax identifiers
  • Cookies, device fingerprints, or tracking data
  • IP addresses (beyond standard web server request handling)
  • Payment or financial account details

3. How Data Flows

Step | What Happens | Data Stored?
1. You ask ChatGPT a tax question | ChatGPT decides to call a TaxHeaven tool | By OpenAI (per their privacy policy)
2. ChatGPT sends inputs to our server | Our server receives income figures or expense text | No — processed in memory only
3. Our server performs the calculation | Tax rates, thresholds, and deadlines are applied | No — no database, no logs of inputs
4. Results are returned to ChatGPT | ChatGPT displays the results to you | By OpenAI (per their privacy policy)

4. Data Retention

We do not retain your data. The App is stateless — there is no database, no user accounts, and no persistent storage. Your inputs exist in server memory only for the duration of the calculation (typically under 1 second) and are then discarded.

Standard web server access logs may temporarily record HTTP request metadata (timestamps, HTTP status codes) for operational monitoring, but these do not contain your tax inputs or calculation results. Access logs are rotated and deleted within 30 days.

5. Third Parties

5.1 OpenAI

You interact with the App through ChatGPT, which is operated by OpenAI. Your conversation with ChatGPT (including your tax questions and our tool responses) is subject to OpenAI's Privacy Policy. We have no access to your ChatGPT account or conversation history.

5.2 Hosting Provider

The App is hosted on cloud infrastructure that may process HTTP request metadata (IP addresses, request headers) as part of standard web hosting. We do not use this data for tracking or profiling.

5.3 No Other Third Parties

The App does not share data with any other third parties. There are no analytics services, advertising networks, or data brokers involved.

6. Legal Basis for Processing (UK GDPR)

Under UK GDPR Article 6, our legal basis for processing the limited data described above is:

  • Legitimate Interest (Article 6(1)(f)): Processing your tax inputs to perform calculations and return results is necessary for providing the service you requested through ChatGPT. The processing is minimal (stateless, no storage) and proportionate.

Given that we process no personal data (no names, no NINOs, no identifiers), UK GDPR obligations are minimal. We maintain this policy for transparency and because income figures, while not directly identifying, could be considered personal data in context.

7. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights:

  • Right to Access (Article 15): You may request a copy of any personal data we hold. Since we do not store your data, there is nothing to provide.
  • Right to Erasure (Article 17): You may request deletion of your data. Since we do not store your data, no action is needed.
  • Right to Object (Article 21): You may object to our processing. You can stop using the App at any time — simply don't invoke the TaxHeaven tools in ChatGPT.
  • Right to Complain: You may complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

8. Security

We implement the following security measures:

  • HTTPS: All communication between ChatGPT and our server uses TLS encryption
  • CORS restrictions: Only requests from authorised ChatGPT origins are accepted
  • Rate limiting: Protection against abuse (60 requests per minute per IP)
  • Input validation: All inputs are validated using strict schemas before processing
  • Security headers: Helmet middleware sets CSP, HSTS, and other protective headers
  • No data at rest: Since we store nothing, there is no data to protect at rest

9. Children

The App is not intended for individuals under 18. Tax calculation services are relevant to individuals of legal working and tax-filing age in the UK.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last Updated" date at the top of this page. Since the App has no user accounts, we cannot send email notifications — please review this page periodically.

11. Relationship to Main TaxHeaven Privacy Policy

This policy covers only the TaxHeaven ChatGPT App. If you also use the main TaxHeaven platform at taxheaven.app, that service has its own Privacy Policy covering HMRC integration, accounts, payment processing, and data retention.

12. Contact Us

Privacy Requests: privacy@taxheaven.app
General Support: support@taxheaven.app

Postal Address:
TAXHEAVEN LTD
Data Protection Officer
71-75 Shelton Street
Covent Garden, London
WC2H 9JQ, United Kingdom

Response Time: We aim to respond to all enquiries within 30 days.