Last updated: 2026-06-05

Privacy Policy

This Privacy Policy explains how Octillionsoft LIMITED (trading as Vupiy) collects, uses, shares and protects your personal data. It covers your rights under the UK GDPR and the Data Protection Act 2018, and how we comply with HMRC's requirements for software that integrates with Making Tax Digital.

Note: This Privacy Policy has been drafted with reference to ICO guidance, the UK GDPR, the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), and HMRC Developer Hub Terms of Use. It is reviewed periodically. If you have a question that is not answered here, contact [email protected].

Contents

  1. Who we are
  2. Our role: controller and processor
  3. What we collect
  4. Third-party marketplace integrations you authorise
  5. Why we collect it (lawful bases)
  6. Who we share it with
  7. International transfers
  8. Sending information to HMRC for fraud prevention
  9. Connecting Vupiy to HMRC
  10. Audit and HMRC submission records
  11. How long we keep your data
  12. Your rights
  13. Cookies
  14. How we protect your data
  15. Complaints
  16. Changes to this Privacy Policy
  17. Contact

1. Who we are

Octillionsoft LIMITED (trading as Vupiy, we, us, our) is the data controller of personal data described in this Privacy Policy.

  • Company name: Octillionsoft LIMITED
  • Trading as: Vupiy
  • Country of registration: England and Wales
  • Company registration number: 13312842
  • Registered office: 295 Caledonian Road, Islington, London, N1 1EG, United Kingdom
  • ICO registration: ZB676082 · valid until 17 April 2027 · Registration certificate (PDF)
  • VAT number: GB[XXXXXXXXX] (where applicable)

Contact our privacy team: [email protected]
Customer support: [email protected]
Security disclosures: [email protected]

We have not appointed a statutory Data Protection Officer under Article 37 UK GDPR because our processing does not meet the thresholds requiring one (we are not a public authority, our core activities do not consist of regular and systematic large-scale monitoring, and we do not process special category data as a core activity). Our Person Responsible for Data Protection, as recorded with the ICO, is Mr Ugur Tosun, who oversees compliance with this Privacy Policy and is the lead contact for data subject rights, complaints, and any other questions under UK data protection law. You can reach the privacy team at [email protected].

2. Our role: controller and processor

Vupiy plays two distinct roles in respect of personal data:

  • Controller for personal data of our customers, billing contacts, account administrators, prospects, and visitors to our website. This Privacy Policy describes that processing.
  • Processor for the personal data that our customers upload into the Service about their own clients, suppliers, employees, and other third parties (for example, the people who appear on invoices you raise, your payroll records, or the customers you message). For that data, our customer is the controller, and processing is governed by our Data Processing Agreement.

If you are a third party whose personal data has been added to Vupiy by one of our customers (e.g., you appear on an invoice raised through Vupiy), please contact our customer directly to exercise your data protection rights. We will assist our customer in responding to your request.

3. What we collect

We collect only what is needed to operate Vupiy and meet our legal obligations.

Account data

  • Name, email address, phone number (optional)
  • Login credentials (passwords are hashed; we cannot read them)
  • Two-factor authentication (2FA) secret (encrypted)
  • JWT session metadata

Company data

Where you create or manage a company in Vupiy:

  • Company name, VAT registration number (VRN), tax reference numbers (UTR, NI Number where applicable for sole traders / Self Assessment)
  • Registered office or trading address
  • Banking details (encrypted at rest)
  • Stripe API keys (encrypted at rest) for per-tenant payment links
  • Companies House data (where you connect a Companies House integration)
  • HMRC connection state (OAuth tokens, encrypted)

Operational data

Created by you while using Vupiy:

  • Customers, suppliers, products, services, invoices, estimates, automated invoices
  • Expenses, expense categories, receipts (file uploads)
  • Employee records (schedule, payroll details, expenses)
  • VAT submissions, audit log of HMRC interactions
  • Notifications, support tickets, in-app messages

Technical data

  • IP address (used for login security and HMRC fraud prevention headers)
  • Browser type, version and configuration
  • Screen size, timezone, device identifier (used for HMRC fraud prevention headers)
  • Usage logs (pages visited, actions taken — for security, debugging, and product analytics)

Payment data

  • Billing records (your Vupiy subscription fees)
  • Stripe handles your card number and CVV directly — Vupiy does not store full card numbers

Marketing data

  • Marketing preferences and consent records
  • Communication logs (which emails we sent you and when)
Sensitive identifiers note. We treat your National Insurance Number, Unique Tax Reference (UTR), and any related government tax identifiers as sensitive personal information. We encrypt them at rest, restrict internal access on a need-to-know basis, never display them in support correspondence beyond a masked form, and never use them for any purpose other than the tax filings you instruct us to make.

4. Why we collect it (lawful bases)

We rely on the following lawful bases under Article 6 of the UK GDPR:

ProcessingLawful basisArticle
Account creation, authentication, profile managementContractArt. 6(1)(b)
Subscription billing, Stripe payment processingContract + Legal obligationArt. 6(1)(b) + (c)
Transactional emails (password reset, invoice notifications, security alerts)ContractArt. 6(1)(b)
Customer support and ticket handlingContractArt. 6(1)(b)
Marketing to existing business customers about similar Vupiy servicesLegitimate interests (with PECR soft opt-in)Art. 6(1)(f)
Marketing to non-customer individualsConsent (PECR opt-in)Art. 6(1)(a)
Marketing to corporate subscribers (Ltd, plc, LLP)Legitimate interestsArt. 6(1)(f)
Security monitoring, fraud prevention, abuse detection, audit logsLegitimate interestsArt. 6(1)(f) — Recital 49
Product analytics and performance monitoringLegitimate interestsArt. 6(1)(f); PECR consent for non-essential cookies
HMRC submissions on your instruction (VAT MTD, ITSA, etc.)Legal obligation (yours) — we act as processorArt. 6(1)(c) for you
HMRC fraud prevention headers (mandatory)Legal obligationArt. 6(1)(c) — see Section 7
Retention of accounting records after account closureLegal obligationArt. 6(1)(c) — Companies Act 2006 s.388, VAT Act 1994
Defending legal claims, responding to court ordersLegitimate interests / Legal obligationArt. 6(1)(f) / (c)
Non-essential cookies (analytics, personalisation)ConsentArt. 6(1)(a) + PECR reg 6

Where we rely on legitimate interests (Art. 6(1)(f)), we have carried out a Legitimate Interests Assessment (LIA) for each activity, balancing our interest against your rights and freedoms. You can request a copy of any LIA by emailing [email protected].

You can withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.

3a. Third-party marketplace integrations you authorise

Vupiy offers optional integrations with third-party marketplaces and platforms. When you authorise an integration (for example, by connecting your Amazon Selling Partner account via OAuth), we receive data on your behalf under your explicit grant. We act as your data processor for this purpose.

Current and planned integrations:

  • Amazon Selling Partner API (SP-API) — UK marketplace (in approval as a Public Solution Provider).
  • Etsy Open API — planned (V2 roadmap).
  • Shopify Admin API — planned (V3 roadmap).
  • eBay Sell API — planned (V4 roadmap).

3a.1 What we receive from Amazon (when you connect)

  • Order information: order ID, dates, items, quantities, prices, taxes, fulfilment status, marketplace IDs.
  • Settlement information: payouts, fees, refunds, returns — used to reconcile your marketplace revenue against tax invoices.
  • Buyer information (restricted PII): buyer name, email address, and shipping address — retrieved only on-demand via Amazon's Restricted Data Token (RDT) system, and only when required to generate a UK-VAT-compliant tax invoice for that specific order.
  • Marketplace tax data: marketplace-facilitated VAT indicators (IOSS / UOSS / VCS), so we can correctly classify your VAT obligation per order.

We do not receive: buyer payment card details, buyer Amazon account credentials, listing performance data unrelated to tax, advertising data, or any other data outside the scope you authorise.

3a.2 How we use marketplace data

Data received from an authorised marketplace integration is used only to:

  • generate UK-VAT-compliant tax invoices on your behalf;
  • reconcile marketplace settlements;
  • prepare HMRC Making Tax Digital VAT returns;
  • maintain audit records as required by UK tax law.

We do not use marketplace data for analytics about other customers, for advertising, for profiling, for training machine-learning models, for resale, or for any purpose unrelated to your authorised tax compliance use case.

3a.3 Independent controllers

Amazon Services Europe S.à r.l. (and its affiliates) is the source of the marketplace data under your OAuth grant. Amazon is an independent controller for its own processing of that data under the Amazon Privacy Policy and Amazon Data Protection Policy — Amazon is not a Vupiy sub-processor. See our Sub-processors list, Section 5.

3a.4 Disconnecting a marketplace integration

You may disconnect any third-party integration at any time via your Vupiy dashboard (Settings → Integrations). On disconnect we revoke the OAuth access token within 24 hours and stop new data retrieval. Historic invoices and audit records we are required to retain under UK statutory tax law (see Section 10) remain stored until their retention period expires.

Amazon Data Protection Policy compliance. Vupiy is a Public Solution Provider registered with Amazon's Selling Partner Appstore programme. Our handling of Amazon Information complies with Amazon's Data Protection Policy, including restricted use of buyer Personally Identifiable Information, on-demand Restricted Data Token retrieval, no use for profiling or advertising, and statutory retention only.

5. Who we share it with

We do not sell your data, ever. We do not share customer details with third parties for their own marketing purposes. Where we share data, it is only with carefully selected service providers who help us operate Vupiy, or with HMRC and other authorities where we are required by law.

5.1 Sub-processors (service providers)

We use a small number of UK / EU / global service providers to operate Vupiy. Each is bound by a written contract under Article 28 UK GDPR and must apply the same level of protection that we do. Categories include:

  • Hosting and infrastructure — cloud hosting provider (UK/EU region as primary)
  • Database — managed database provider
  • Email delivery — transactional email service for invoices, notifications, password resets
  • File storage — invoice / receipt / document storage
  • Payment processing — Stripe (for your Vupiy subscription billing and per-tenant payment links you create)
  • Customer support tooling — to handle your enquiries
  • Anti-fraud / bot protection — Google reCAPTCHA on authentication flows
  • Error monitoring — to detect and fix bugs
  • Analytics (consented only) — product usage analytics

Our current sub-processor list, including the legal entity, location, and purpose of each, is available at vupiy.co.uk/legal/subprocessors.

Sub-processor change notification. When we intend to add or replace a sub-processor, we will notify you by email (to your administrative contact) and via an in-app banner at least 30 days before the change takes effect. If you object on reasonable data-protection grounds, contact us at [email protected] — we will either reconfigure to avoid the sub-processor, or allow you to terminate the affected Service with a pro-rated refund of pre-paid fees.

5.2 HMRC and other authorities

When you use Vupiy's HMRC connection to file VAT returns, retrieve obligation periods, or interact with other HMRC services, the information necessary for that interaction is transmitted to HM Revenue & Customs (HMRC) via HMRC's official APIs.

HMRC receives this information as an independent data controller under its statutory functions (UK GDPR Art. 6(1)(e) — public task — and the Commissioners for Revenue and Customs Act 2005). HMRC is not a sub-processor of Vupiy. Once transmitted, HMRC's own Privacy Notice and Personal Information Charter govern how HMRC processes that data. You can review:

  • HMRC Personal Information Charter at gov.uk/government/organisations/hm-revenue-customs/about/personal-information-charter
  • HMRC App Privacy Notice
  • HMRC TxM (Transaction Monitoring) DPIA — published by HMRC on the Developer Hub

We may also share data with:

  • Other competent authorities — where we are required by law (e.g., a valid court order, law enforcement request, or regulatory direction). We will tell you when this happens, unless prohibited from doing so by law.
  • Companies House — where you use a Companies House integration in Vupiy, we transmit the data you instruct us to file.
  • Professional advisers — our own auditors, accountants, lawyers, where strictly necessary, under confidentiality.

5.3 What we never do

  • We never sell your personal data
  • We never share your personal data with third parties for their own marketing purposes
  • We do not use your customer ledger content (invoices, expenses, payroll, customer records) to train AI or machine learning models for any external use
  • We do not allow third-party tracking companies to set cookies or trackers via our application
  • We do not operate an ad revenue model

6. International transfers

Vupiy's production infrastructure is primarily located in the United Kingdom and the European Economic Area (EEA) to minimise cross-border transfers. However, some of our service providers (or staff accessing our systems for support) are based outside the UK — including in the United States and other countries.

Where we transfer your personal data outside the UK, we ensure a similar degree of protection by relying on one of the following safeguards:

  • UK adequacy regulations — for transfers to countries that the UK Government has determined provide adequate protection (including the EEA and other countries listed on the ICO's adequacy list)
  • The UK Extension to the EU-US Data Privacy Framework ("UK-US Data Bridge") — for transfers to recipients in the United States that are self-certified under the UK Extension
  • The International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (ICO template B.1.0, issued under section 119A(1) of the Data Protection Act 2018) — for other restricted transfers, supplemented by transfer risk assessments where required

A current list of our sub-processors and the countries where they are located is available at vupiy.co.uk/legal/subprocessors. To request a copy of the relevant transfer safeguard, email [email protected].

7. Sending information to HMRC for fraud prevention

HMRC is required by law to monitor digital tax submissions for fraud and criminal activity. To support this, The Delivery of Tax Information through Software (Ancillary Metadata) Regulations 2019 (SI 2019/360) require us, as your software provider, to collect and transmit a defined set of technical and contextual information ("fraud prevention headers") alongside every request your account makes to HMRC's APIs.

The information transmitted with each HMRC request includes:

  • Your device's public IP address and the timestamp of that IP
  • Local network IP addresses on your device and the timestamp
  • A unique device identifier we generate for your installation (a persistent UUID; not your email or any government ID)
  • Your browser type, version and User-Agent string
  • Your screen size, scaling factor, colour depth, window size, and browser plugins
  • Your local timezone
  • An indicator of whether you completed multi-factor authentication at sign-in
  • An internal Vupiy user identifier (a hashed reference to your account; not your email or NI Number)
  • Vupiy product metadata — product name, version, licence type, our server IP
  • The connection method used (e.g., web_app_via_server)

HMRC uses this information solely to detect suspicious activity and prevent fraud and tax crime. It does not form part of your tax return. The figures you submit to HMRC are separate.

Because this disclosure is mandated by UK law, you cannot opt out of fraud prevention headers being sent while continuing to use Vupiy's HMRC connection. Failure by us to transmit valid headers could result in a statutory penalty under SI 2019/360 and loss of access to HMRC's APIs. If you do not wish for this information to be collected and transmitted to HMRC, you must not connect Vupiy to HMRC. You can still use the rest of Vupiy without an HMRC connection.

8. Connecting Vupiy to HMRC

To file VAT returns and (where enabled) other tax submissions through Vupiy, you complete HMRC's OAuth 2.0 authorisation flow. HMRC displays the scope of access we have requested (for example, "View your VAT information" and "Change your VAT information"). When you consent, HMRC issues us with an access token (valid 4 hours, auto-refreshed) for the duration HMRC allows — currently up to the maximum period HMRC permits, which is 18 months at the time of writing.

What flows to HMRC (from Vupiy on your instruction): the figures of your VAT 9-box return, your VAT Registration Number (VRN), the period reference, the OAuth bearer token, and the fraud prevention headers described in Section 7. For ITSA, Self Assessment, Corporation Tax and Companies House submissions (where enabled), the equivalent data required by HMRC's API for that filing.

What flows from HMRC (to Vupiy on your instruction): your VAT obligation periods, liabilities, payments, and submission acknowledgements (including the Receipt ID and Form Bundle Number for each submission). Equivalent data for other tax regimes where enabled.

You can revoke this authorisation at any time in two ways:

  • From within Vupiy — go to Settings → HMRC → Disconnect from HMRC. We will immediately destroy your refresh token.
  • From your HMRC online account — at Account home → Manage account → Tax agents and software.

Once you revoke, Vupiy will be unable to file or retrieve information from HMRC on your behalf until you re-authorise. Submissions you have already made remain valid and on the HMRC record — they are not "undone" by revoking access.

9. Audit and HMRC submission records

To comply with HMRC's record-keeping requirements (VAT Notice 700/22 for VAT; equivalent rules for ITSA, Self Assessment, Corporation Tax) and to be able to evidence the integrity of past submissions, we retain a tamper-evident audit record of each successful and unsuccessful HMRC submission for a minimum of six years from the end of the relevant tax period.

Each audit record contains:

  • The submission payload (the figures sent — e.g., VAT 9-box values)
  • HMRC's response identifiers (Receipt ID, Form Bundle Number)
  • Request and response timestamps
  • The internal Vupiy user identifier
  • The fraud prevention headers transmitted (as required by SI 2019/360)
  • Audit trail of any user actions related to the submission (preview, confirm, retract)

We will retain this audit record even after you close your Vupiy account or revoke your HMRC connection, because the statutory obligation runs against the underlying tax period — not against the account. After the retention period ends (6 years from end of the relevant period), we securely delete the audit record.

You can export your submission audit log at any time while your account is active, from Settings → HMRC → Export audit log. After account closure, you will lose interactive access, but the records remain available to us for the statutory retention period only.

10. How long we keep your data

We keep personal data only as long as necessary for the purposes set out in this Privacy Policy. Where UK statutory retention rules apply (Companies Act 2006, VAT Act 1994, HMRC Notices), those override our minimisation default.

CategoryRetention period
Account profile and contact detailsWhile your subscription is active, plus 30 days after closure
Invoices, accounting records, VAT data, payroll records6 years from the end of the financial year (Companies Act 2006 s.388 + VAT Act 1994)
Buyer PII from authorised marketplaces (Amazon, etc.) — buyer name, email, shipping address as part of issued tax invoices6 years from the end of the UK tax year in which the related VAT return was submitted (VAT Act 1994 s.69, VAT Regulations 1995 reg. 31, Companies Act 2006 s.388)
HMRC submission audit logs6 years from end of relevant tax period (VAT Notice 700/22 — see Section 9)
HMRC OAuth tokensActive session only; refresh tokens until you disconnect
Authentication and security logs12-24 months
Marketing consent recordsWhile your consent is active, plus 3 years to evidence prior consent
Support enquiries (where they contain personal data)3 years from last contact
Stripe payment records6 years (PCI + accounting compliance)
Cookies — strictly necessarySession-based
Cookies — analytics (consented)Up to 13 months (ICO guidance)
Database backups35 days on a rolling schedule

Where we are required by law to keep data for longer (for example, in response to a regulator's hold notice), we will. After the retention period ends, we securely delete or anonymise the data.

11. Your rights

Under UK data protection law, you have the right to:

  • Be informed about how we use your personal data (this Privacy Policy)
  • Access a copy of your personal data we hold (a "Subject Access Request" or DSAR)
  • Rectify inaccurate or incomplete data
  • Erase your personal data in certain circumstances (the "right to be forgotten")
  • Restrict our processing of your data in certain circumstances
  • Data portability — receive a structured, commonly used, machine-readable copy of certain data, and ask us to transmit it to another controller where technically feasible
  • Object to our processing where we rely on legitimate interests, and at any time to direct marketing
  • Not be subject to a solely automated decision that produces legal or similarly significant effects on you
  • Withdraw your consent at any time where we rely on it

To exercise any of these rights, email [email protected]. We will respond within one month of receiving your request. For complex or numerous requests we may extend by up to two further months, telling you within the first month and explaining why.

Where you exercise a deletion request, please be aware:

  • Personal data we are required by law to retain (e.g., accounting records under Companies Act 2006, HMRC submission audit logs under VAT Notice 700/22) will be retained for the statutory period and then deleted.
  • We may need to verify your identity before responding (for example, by asking you to log in or confirm details). This is for your protection.

Automated decisions

Vupiy does not make decisions about you based solely on automated processing that produce legal or similarly significant effects on you. Where we use automated tools to assist us (for example, fraud detection on payment activity), a human reviews any decision that materially affects your access to the Service.

Children

The Service is intended for businesses and adults aged 18 or over. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will delete it without undue delay.

12. Cookies

We use cookies and similar storage technologies in the Vupiy website and the Service. Some are strictly necessary to provide functionality you have requested — for example, keeping you logged in, protecting against cross-site request forgery, maintaining your session, and remembering your theme preference. These are set automatically and cannot be switched off.

Other cookies — analytics, performance, personalisation — are set only with your consent. You can give or withdraw your consent at any time using the Cookie Settings link in the website footer.

We do not run advertising cookies, we do not allow third-party tracking companies to set cookies via our website or application, and we do not operate any ad revenue model.

A full cookie list, including each cookie's name, provider, purpose, duration and whether it is strictly necessary, is available at vupiy.co.uk/cookies.html (or on demand from [email protected]).

13. How we protect your data

We have implemented technical and organisational measures appropriate to the risk, in line with Article 32 of the UK GDPR:

  • Encryption in transit — TLS 1.2 or higher on all customer-facing endpoints and internal service communication
  • Encryption at rest — disk-level encryption (AES-256) and field-level encryption for sensitive secrets (HMRC OAuth tokens, Stripe API keys, 2FA secrets, NI Numbers, UTRs)
  • Access controls — least-privilege role-based access, mandatory MFA for all staff with production access, audited admin actions
  • Network security — Web Application Firewall, DDoS protection, IP allow-listing for administrative interfaces
  • Logging and monitoring — centralised audit logs, anomaly detection
  • Application security — dependency scanning, static and dynamic analysis in CI, OWASP Top 10 review cadence
  • Backup and disaster recovery — daily encrypted backups, tested restore procedure, documented RTO and RPO
  • Personnel — confidentiality clauses in staff contracts, security training, background checks for staff with production access
  • Vendor management — Article 28 Data Processing Agreements with every sub-processor, periodic security questionnaires, preference for vendors with SOC 2 / ISO 27001 attestations
  • Incident response — documented plan, 72-hour ICO notification process, communication templates

No system is perfectly secure, and we cannot guarantee absolute security. If a breach occurs that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and in plain language, in line with Article 34 UK GDPR.

14. Complaints

If you are concerned about how we handle your personal data, please contact us first at [email protected] — we will acknowledge your complaint within 30 days and aim to respond as quickly as we reasonably can after a thorough investigation. From 19 June 2026, this internal complaint route is also a statutory right under section 164A of the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025).

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Web: ico.org.uk/make-a-complaint/
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15. Changes to this Privacy Policy

If we materially change this Privacy Policy, we will:

  • Email account administrators at least 30 days before the change takes effect
  • Surface an in-app banner explaining the change
  • Update the "Last updated" date at the top of this page

Continued use of the Service after the effective date constitutes acceptance of the updated Policy. The "Last updated" date is authoritative.

16. Contact

Postal address (for formal data protection correspondence):

Octillionsoft LIMITED
Privacy Team
295 Caledonian Road, Islington
London, N1 1EG
United Kingdom