Hearth - Making Tax Digital for Landlords

Last updated: January 2026

1. Introduction

Hearth ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our service.

Data Controller Information

Hearth is the data controller for the personal data processed through this service.

Company: Hearth Ltd
ICO Registration: Registration pending
Data Protection Contact: privacy@hearthapp.co.uk

We are registered with the Information Commissioner's Office (ICO) as required under UK data protection law for organisations processing personal data.

2. Information We Collect

Account Information

Email address
Password (encrypted)
HMRC connection tokens (encrypted)

Sensitive Personal Data

National Insurance Number (NINO): Required by HMRC for MTD submissions. Your NINO is encrypted using AES-256 encryption before storage and is only decrypted when submitting to HMRC.

Legal basis: We collect your NINO with your explicit consent, which is necessary for the performance of our contract to submit data to HMRC on your behalf. You may withdraw consent at any time by disconnecting from HMRC in your settings.

Financial Data

Summary data from your submissions (totals only)
Submission history and references

Important: We do not retain your original spreadsheet files. They are processed in memory and deleted immediately after.

3. How We Use Your Information

To provide and maintain our Service
To submit data to HMRC on your behalf
To send you important service notifications
To process payments
To improve our Service

4. Data Security

We implement industry-standard security measures including:

All data encrypted in transit (HTTPS/TLS)
Database encryption at rest
HMRC tokens encrypted with AES-256
Regular security audits
Secure hosting infrastructure

5. Data Sharing

We share your data only with:

HMRC: To submit your quarterly updates
Stripe: To process payments (they receive limited billing information)
Resend: To send transactional emails

We never sell your personal data to third parties.

6. Your Rights

Under UK GDPR, you have the right to:

Access your personal data
Correct inaccurate data
Delete your data
Export your data
Object to processing

To exercise these rights, contact us at privacy@hearthapp.co.uk

7. Data Retention

We retain your account data and submission history for as long as your account is active. Upon account deletion, all data is permanently removed within 30 days.

8. Cookies

We use essential cookies only for authentication and security. We do not use tracking or advertising cookies.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service.

10. Contact Us

For any privacy-related questions, contact us at:
privacy@hearthapp.co.uk