Privacy Policy

Last updated: April 2026 · Version 1.0 · UK GDPR Compliant

Controller: TaxPigeon (operated by Rivara Consulting Ltd, registered in England & Wales)

Contact: privacy@taxpigeon.co.uk

Service: WhatsApp-based AI agent for expense & income tracking, and HMRC MTD submissions

This policy applies to all users of the TaxPigeon service.

1. Who We Are

TaxPigeon is operated by Rivara Consulting Ltd ("we", "us", "our"), a company registered in England and Wales. We are the data controller for personal data collected through the TaxPigeon service. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are responsible for deciding how and why your personal data is processed.

2. Data We Collect

2.1 Information You Provide Directly

  • WhatsApp phone number and display name, collected when you first message TaxPigeon
  • Unique Taxpayer Reference (UTR), provided by you to enable HMRC submissions
  • Receipt images, uploaded via WhatsApp for AI-powered categorisation
  • Income and expense amounts you log through the service
  • Business category preferences and any other information you choose to share

2.2 Information Collected Automatically

  • HMRC OAuth tokens, stored only if you explicitly authorise HMRC filing integration
  • Message timestamps and session metadata necessary to operate the service
  • Error logs and service usage data (anonymised where possible) for troubleshooting

2.3 Information We Do Not Collect

We do not collect payment card details, passwords, National Insurance numbers, or any biometric data. We do not use cookies or tracking technologies on any website or app surface.

3. How We Use Your Data

We process your personal data only for the purposes set out below. Each purpose is matched to a lawful basis under UK GDPR Article 6.

| Purpose | Data Used | Lawful Basis |
| --- | --- | --- |
| Receipt categorisation | Receipt images sent to Anthropic API | Performance of contract (Art. 6(1)(b)) |
| Financial record keeping | Stored on your account only | Performance of contract (Art. 6(1)(b)) |
| HMRC MTD submissions | UTR, financial data sent to HMRC | Legal obligation (Art. 6(1)(c)) / Contract (Art. 6(1)(b)) |
| WhatsApp communication | Phone number sent to Twilio | Performance of contract (Art. 6(1)(b)) |
| Service improvement | No personal data used (aggregated only) | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | As required by law | Legal obligation (Art. 6(1)(c)) |

We do not use your personal data for advertising, profiling for marketing, or any automated decision-making that produces legal or similarly significant effects on you.

4. Third-Party Processors

We share your data only with the following third parties, each acting as a data processor under a written agreement with us, or as an independent controller where noted:

| Third Party | Purpose | Data Shared | Location / Safeguard |
| --- | --- | --- | --- |
| Twilio Inc. | WhatsApp message delivery | Phone number, message content | US — Standard Contractual Clauses (SCCs) |
| Anthropic PBC | AI processing of receipt images | Receipt images (not stored post-processing) | US — Standard Contractual Clauses (SCCs) |
| Amazon Web Services | Cloud hosting and encrypted storage | All account data (encrypted at rest) | UK (eu-west-2, London) |
| HMRC | MTD quarterly submissions (independent controller) | UTR, income/expense summaries | UK — no transfer outside UK |

We do not sell, rent, or otherwise transfer your personal data to any third party for their own commercial purposes.

5. International Transfers

Twilio and Anthropic are headquartered in the United States. Where we transfer your personal data outside the UK, we ensure an equivalent level of protection is in place through UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO), or adequacy decisions issued by the UK Secretary of State.

Receipt images sent to Anthropic are processed solely for the purpose of categorisation and are not retained by Anthropic beyond the processing of that specific request, in accordance with our data processing agreement.

6. Data Storage and Security

  • All data is stored on AWS servers located in the eu-west-2 (London) region
  • Receipt images are encrypted at rest using AES-256 encryption
  • All data in transit is encrypted using TLS 1.2 or higher
  • HMRC OAuth tokens are stored in encrypted form and are never logged
  • Access to production data is restricted to authorised personnel only, on a need-to-know basis
  • We conduct periodic security reviews and promptly address identified vulnerabilities

While we take appropriate technical and organisational measures to protect your data, no system is entirely immune to risk. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware.

7. Data Retention

  • Your data is retained for as long as your TaxPigeon account is active
  • Upon account deletion, all personal data is permanently removed within 30 days
  • HMRC submission records may be retained for up to 6 years to comply with HMRC record-keeping obligations under the Taxes Management Act 1970
  • Anonymised, aggregated analytics data (containing no personal identifiers) may be retained indefinitely for service improvement
  • Backup copies are purged on the same schedule as live data

8. Your Rights Under UK GDPR

As a data subject under the UK GDPR and Data Protection Act 2018, you have the following rights. You may exercise any of these rights by contacting us at privacy@taxpigeon.co.uk or by messaging us on WhatsApp.

Right of access (Article 15)

Request a copy of the personal data we hold about you (a Subject Access Request).

Right to rectification (Article 16)

Ask us to correct inaccurate or incomplete personal data.

Right to erasure (Article 17)

Request deletion of your personal data ('right to be forgotten'), subject to our legal retention obligations.

Right to restriction (Article 18)

Ask us to pause processing of your data in certain circumstances, for example while a dispute is resolved.

Right to data portability (Article 20)

Receive your data in a structured, machine-readable format and transfer it to another provider where technically feasible.

Right to object (Article 21)

Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

Rights related to automated decision-making (Article 22)

We do not make solely automated decisions that produce legal or similarly significant effects.

We will respond to your request within one calendar month. You also have the right to withdraw consent at any time where processing is based on consent (for example, HMRC OAuth authorisation).

9. Right to Complain

If you believe we have handled your personal data in a way that does not comply with UK data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). We would appreciate the opportunity to address your concern first — please reach out to us at privacy@taxpigeon.co.uk.

Information Commissioner's Office (ICO)

Website: ico.org.uk

Telephone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

10. Children

TaxPigeon is intended for use by adults who are self-employed, freelancers, or small business owners. The service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us immediately at privacy@taxpigeon.co.uk and we will delete it promptly.

11. Automated Processing and AI

TaxPigeon uses artificial intelligence (provided by Anthropic) to analyse receipt images and categorise expenses. This automated processing is a core feature of the service and is necessary to provide the receipt categorisation functionality you have requested. It does not produce legal or similarly significant effects about you — you always retain the ability to review, correct, or override any categorisation.

We do not use your data to train AI models. Receipt images sent to Anthropic are processed under a data processing agreement that prohibits Anthropic from using your data for model training.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will notify you via WhatsApp at least 14 days before the changes take effect and update the 'Last updated' date at the top of this document. Your continued use of TaxPigeon after the effective date of any changes constitutes your acknowledgement of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:

Email: privacy@taxpigeon.co.uk

WhatsApp: Message us directly via the TaxPigeon service

Post: Rivara Consulting Ltd, England & Wales

We aim to respond to all privacy enquiries within 5 business days.

TaxPigeon is operated by Rivara Consulting Ltd, registered in England & Wales. UK GDPR compliant.
© 2026 Rivara Consulting Ltd. All rights reserved.