Privacy Policy
Last updated: 5 March 2026
1. Who we are
Cuppa is operated by Cuppa Tech Ltd (Company No. 17075381), registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK. We are the data controller for your personal data processed through Cuppa.
Contact us about data protection matters at: legal@cuppa.tax
2. What data we collect
Account information
- Name, email address
- Password (stored as a one-way hash — we cannot read it)
- Date you accepted our Terms of Service
Business and financial records
- Business name, address, start date
- Income and expense entries (dates, amounts, categories, notes)
- Client names and contact details
- Invoice details and bank account information (for invoicing)
- Vehicle and home office configuration
- Uploaded documents (receipts, invoices)
HMRC integration data
- HMRC National Insurance number and Unique Taxpayer Reference
- OAuth tokens for HMRC API access (encrypted at rest)
- Submission payloads and HMRC receipt identifiers
Technical data
- IP address and user agent (for session security and audit logging)
- Device information (for HMRC fraud prevention headers, as required by law)
- Session activity timestamps
3. Why we process your data (legal basis)
| Purpose | Legal basis |
|---|---|
| Providing the Cuppa service | Contract performance |
| Submitting data to HMRC on your behalf | Contract performance + legal obligation |
| HMRC fraud prevention headers | Legal obligation (HMRC requirement) |
| Session security and audit logging | Legitimate interest (security) |
| Storing financial records | Legal obligation (HMRC 5-year retention) |
| Sharing data with AI assistants you connect | Consent (you initiate the connection) |
4. How long we keep your data
- Financial records and submissions: 5 years from the end of the relevant tax year, as required by HMRC
- Account information: retained while your account is active, deleted within 30 days of account deletion
- Audit logs: retained for 2 years for security purposes
- HMRC tokens: deleted immediately when you disconnect your HMRC account
5. Who we share your data with
We only share your data with third parties that are necessary to provide the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, file storage | EU (Frankfurt) |
| Vercel | Application hosting | EU / US |
| Google | OAuth sign-in (if you choose Google login) | US (adequate safeguards) |
| HMRC | Tax submissions (at your instruction) | UK |
AI assistant integrations
If you choose to connect Cuppa to an AI assistant (such as ChatGPT or Claude), the assistant can access your financial data through Cuppa's API on your behalf. This includes income entries, expense entries, client details, and financial summaries. Data is only shared when you explicitly connect your account and make requests through the assistant. You can disconnect at any time by revoking the API key in Settings.
Cuppa does not control how the AI assistant provider (e.g. OpenAI, Anthropic) processes or retains data once it has been returned in response to your request. Please review the provider's own privacy policy for details on their data handling practices.
We do not sell your data. We do not use your data for advertising.
6. Your rights
Under UK GDPR, you have the right to:
- Access your personal data — you can export all your data from Settings at any time
- Rectify inaccurate data — you can edit your records directly in Cuppa
- Delete your data — you can delete your account from Settings (subject to HMRC retention requirements)
- Port your data — use the CSV export feature in Settings
- Object to processing based on legitimate interest
- Restrict processing in certain circumstances
To exercise any of these rights, email privacy@cuppa.tax. We will respond within 30 days.
7. Cookies
Cuppa uses only essential cookies required for the service to function. We do not use any third-party tracking or analytics cookies. For full details, see our Cookie Policy.
8. Data security
We protect your data with:
- Encryption in transit (TLS) and at rest
- Field-level encryption for sensitive data (bank details, HMRC tokens)
- Password hashing with bcrypt (12 rounds)
- Rate limiting on authentication endpoints
- Session management with device tracking
- Audit logging of security-relevant actions
9. Security incidents and breach notification
We maintain an incident response plan to handle security events promptly. In the event of a personal data breach:
- We will assess the breach and take immediate steps to contain it
- Where required, we will notify the Information Commissioner's Office (ICO) within 72 hours
- Where HMRC data is involved, we will notify HMRC within 72 hours
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay
To report a security vulnerability or suspected breach, contact us at: security@cuppa.tax
10. Complaints
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
11. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you by email or through the application. The "last updated" date at the top of this page will always reflect the most recent version.