Privacy Policy
Last updated: 30 March 2026
Who we are
Varro (varro-tax.co.uk) is a UK self-assessment tax filing service for freelancers and sole traders. Varro is the data controller for the personal data processed through this service. For data protection queries, contact privacy@varro-tax.co.uk.
What data we collect
We collect the following personal data when you use Varro:

Account information:
• Email address and username (on sign-up)
• Multi-factor authentication details (encrypted TOTP secret)

Tax and financial data:
• Income, expense, and deduction information you provide
• Bank account transaction history and balances (via Open Banking, with your consent)
• Uploaded documents (bank statements, invoices, receipts)
• HMRC submission records and tax calculations

Payment information:
• Subscription and billing data, handled by Stripe; we never store card details ourselves

Technical data:
• Device information, browser type, IP address, and usage data, used for security, fraud prevention, and HMRC compliance (HMRC requires us to send fraud prevention headers with every API request)

We do not collect special category data as defined under UK GDPR Article 9 (such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or sexual orientation). We do not use your data for advertising.
How we use your data
Your data is used solely to:
• Provide the Varro tax filing service, including submitting data to HMRC on your behalf
• Categorise your transactions using AI to assist with tax preparation
• Extract data from uploaded documents using AI
• Verify bank balances for accuracy
• Send transactional emails (verification, submission confirmations, payment receipts)
• Fulfil our legal obligations under HMRC regulations
• Comply with HMRC fraud prevention requirements (device and connection data)
• Protect against fraud and abuse

We will never sell or share your personal data with third parties for marketing purposes.
AI processing
Varro uses Anthropic Claude (an AI language model) for two purposes:
1. Transaction categorisation: your transaction descriptions and dates (without amounts) are sent to the AI to suggest expense/income categories.
2. Document extraction: the text content of uploaded bank statements and invoices is sent to the AI to extract structured transaction data.

Important information about AI processing:
• AI outputs are suggestions only; you review and confirm all categorisations before they are used
• Data sent to Anthropic is processed under a data processing agreement
• Anthropic does not retain your data beyond the processing request
• Anthropic does not use your data to train AI models
• AI processing is not used to make automated decisions that have legal or similarly significant effects on you (UK GDPR Article 22)

You can review all AI categorisations before they are included in any HMRC submission.
Open Banking data
When you connect your bank account, Varro uses TrueLayer (authorised by the FCA) to access your bank data via Open Banking. We access:
• Account balance
• Transaction history (descriptions, dates, amounts)

You authenticate directly with your bank during the connection flow; your bank login credentials are never shared with or stored by Varro. TrueLayer accesses your data using OAuth access tokens, and the bank connection tokens that Varro holds are encrypted at rest using pgcrypto. You can disconnect your bank at any time from your settings, which revokes access immediately. Varro has read-only access: we cannot move money or make payments from your account.
HMRC data sharing
When you use Varro to file your tax return, we submit data directly to HMRC via their Making Tax Digital for Income Tax Self Assessment (MTD ITSA) APIs. This includes:
• Your income and expense summaries (quarterly updates)
• Annual income declarations (employment, dividends, savings, etc.)
• Tax calculation requests
• Final declaration (crystallisation)

HMRC also requires us to send fraud prevention headers with every API request. These include device identifiers, IP address, browser information, and multi-factor authentication timestamps, and sending them is a legal requirement under HMRC's fraud prevention programme.
Legal basis for processing
We process your data under the following lawful bases (UK GDPR Article 6):
• Contract: to provide the service you signed up for
• Legal obligation: to comply with HMRC requirements and fraud prevention regulations
• Legitimate interests: for security, fraud prevention, and service improvement
• Consent: for Open Banking connection and optional communications (you may withdraw consent at any time)
Data storage and security
Your data is stored on Supabase infrastructure hosted in the EU (Ireland). Security measures include:
• All data in transit is encrypted using TLS
• Bank tokens are encrypted at rest using pgcrypto
• Row Level Security (RLS) policies on all database tables, so that each user can only access their own rows
• Multi-factor authentication (TOTP) available for all accounts
• Immutable audit trail of all HMRC submissions

We do not transfer your data outside the UK/EEA without appropriate safeguards, such as the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework), the ICO's International Data Transfer Agreement, or Standard Contractual Clauses with the UK Addendum.
Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by UK GDPR Article 34
• Provide details of the nature of the breach, the data affected, and the measures taken to address it

We maintain incident response procedures and regularly review our security measures to minimise the risk of data breaches.
Third-party sub-processors
Varro uses the following sub-processors to deliver the service. Each commercial provider is bound by a data processing agreement consistent with UK GDPR. HMRC is listed for completeness as the recipient of your tax submissions; as a public authority it acts as an independent data controller for the data it receives, not as our processor.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Ireland) |
| Anthropic | AI categorisation and document extraction | US (UK-US Data Bridge) |
| TrueLayer | Open Banking bank connections | UK / EU |
| Stripe | Payment processing | US / EU |
| Resend | Transactional email delivery | US |
| Vercel | Application hosting | EU |
| HMRC | Tax submission (government) | UK |
Data retention
We retain your personal data for as long as your account is active or as required by law:
• Tax records and HMRC submissions: 7 years (to meet HMRC record-keeping requirements)
• Account data: until you delete your account
• Bank transaction data: until you delete your account or disconnect your bank
• Audit logs: 7 years (legal compliance)
• Payment records: as required by financial regulations

You may request deletion of your account and non-statutory data at any time. Statutory records (HMRC submissions, audit trail) must be retained as required by law.
Your rights
Under UK GDPR and the Data Protection Act 2018, you have the right to:
• Access a copy of your personal data (Subject Access Request)
• Correct inaccurate data
• Request deletion of your data ("right to erasure"), subject to legal retention requirements
• Restrict or object to processing
• Data portability: receive your data in a machine-readable format
• Withdraw consent at any time (e.g. for Open Banking connection)
• Object to automated decision-making; note that Varro does not make automated decisions with legal effects, and AI is used for suggestions only

To exercise any of these rights, email privacy@varro-tax.co.uk. We will respond within one month, as required by UK GDPR (this period may be extended by up to two further months for complex or numerous requests, in which case we will tell you why).
Cookies
Varro uses the following cookies, all of which are essential (required for the service to function):
• Session cookie: maintains your login session
• CSRF token: protects against cross-site request forgery

We do not use third-party advertising, tracking, or analytics cookies. You may disable cookies in your browser settings, but this will prevent you from staying signed in.
Children's privacy
Varro is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. We will notify you by email of any material changes at least 14 days before they take effect. Continued use of Varro after notification constitutes acceptance of the updated policy.
Contact and complaints
For any privacy-related queries or to exercise your rights, contact us at privacy@varro-tax.co.uk. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
• Website: ico.org.uk
• Helpline: 0303 123 1113