Privacy Policy
Last updated: 13 February 2026
1. Who we are
Tofflo ("we", "us", "our") provides a mobile application that helps UK landlords comply with HMRC's Making Tax Digital for Income Tax Self Assessment (MTD ITSA).
2. What data we collect
We collect and process the following personal data:
- Account information: email address and password (via Firebase Authentication)
- Property business data: business name, property type, income, and expenses you enter
- Receipt images: photographs of receipts you upload (stored in Firebase Storage)
- HMRC connection: OAuth tokens to access your HMRC account on your behalf (encrypted at rest with AES-256-GCM)
- Device information: device type, operating system, and network details required by HMRC's fraud prevention regulations
- Waitlist email: if you sign up on our website before launch
3. Why we collect it
We process your data for the following purposes:
- To provide the Tofflo service — managing your property income/expenses and submitting quarterly updates to HMRC
- To authenticate you and keep your account secure
- To comply with HMRC's fraud prevention header requirements (a legal obligation for MTD software)
- To send you launch updates (waitlist only, with your consent)
4. Legal basis for processing
- Contract: processing necessary to provide the Tofflo service you've signed up for
- Legal obligation: HMRC fraud prevention headers are required by law for all MTD-compatible software
- Consent: waitlist email signups (you can unsubscribe at any time)
5. How we store your data
- All data is stored on Google Cloud Platform (Firebase) in the europe-west2 (London) region
- HMRC OAuth tokens are encrypted with AES-256-GCM before storage and are never accessible from client devices
- Receipt images are stored in Firebase Storage with access restricted to your account
- We use HTTPS/TLS for all data in transit
6. Who we share data with
- HMRC: your income, expense, and property data is submitted to HMRC as quarterly updates when you choose to submit
- Google Cloud / Firebase: our infrastructure provider, acting as a data processor
We do not sell your data or share it with advertisers.
7. Data retention
- Account and transaction data is retained while your account is active
- If you delete your account, we will delete your personal data within 30 days
- We may retain anonymised, aggregated data for analytics purposes
8. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a structured format ("data portability")
- Withdraw consent at any time (for consent-based processing)
To exercise any of these rights, email [email protected].
9. Cookies
The Tofflo website does not use cookies or third-party tracking. The mobile app does not use cookies.
10. Children
Tofflo is not intended for use by anyone under the age of 18.
11. Changes to this policy
We may update this privacy policy from time to time. We will notify you of significant changes via email or in-app notification.
12. Contact
If you have questions about this privacy policy or our data practices, email [email protected].