Skip to main content

Privacy Policy

Last reviewed: April 2026

1. Who We Are

The Tree Capital ('we', 'us', 'our') is the data controller responsible for personal data processed through this platform. For data privacy enquiries, contact us at: privacy@thetreecapital.com.

2. What Personal Data We Process

We process the following categories of personal data:

  • Account information: name, email address, login credentials (hashed).
  • Business data: company name, VAT registration number, address, telephone number.
  • Transaction data: contract values, invoice details, payment references.
  • HMRC OAuth tokens: secure access tokens issued by HMRC to enable VAT submissions via Making Tax Digital (MTD). These tokens are encrypted at rest and never contain your HMRC password.
  • Usage data: IP addresses and browser information collected for fraud prevention as required by HMRC's Terms of Use.

3. Why We Process It (Lawful Basis)

  • Contract performance (Article 6(1)(b) UK GDPR): Processing necessary to provide the platform services you have contracted for, including VAT submission on your behalf.
  • Legal obligation (Article 6(1)(c) UK GDPR): Submission of VAT returns to HMRC as required by Making Tax Digital legislation.
  • Legitimate interests (Article 6(1)(f) UK GDPR): Security monitoring, fraud prevention (including HMRC-mandated fraud prevention headers), and platform improvement.

4. How We Protect Your Data

  • All data is transmitted over HTTPS (TLS 1.2 or higher). HTTP access is not permitted.
  • HMRC OAuth access tokens and refresh tokens are encrypted at rest using symmetric encryption (Fernet / AES-128-CBC).
  • Passwords are never stored in plain text; they are hashed using Django's PBKDF2-SHA256 algorithm.
  • Access to customer data is restricted to authorised employees based on their role (Role-Based Access Control).
  • We do not share your personal data with third parties for marketing purposes.

5. Data Retention

We retain your personal data for as long as your account is active or as required to comply with legal obligations (typically 7 years for financial records under UK law). You may request deletion of your account data at any time subject to legal retention requirements.

6. Sharing Your Data

We share your data only with:

  • HMRC — to fulfil VAT obligations under Making Tax Digital. Data is submitted via HMRC's secure API.
  • Hosting providers — Railway.app (EU region) hosts the platform infrastructure. They act as a data processor under a data processing agreement.

We do not sell your personal data.

7. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Request erasure ('right to be forgotten'), subject to legal retention obligations.
  • Restrict or object to processing.
  • Data portability – export your data in a machine-readable format (JSON/CSV) via your account settings.
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, contact privacy@thetreecapital.com.

8. Cookies

We use session cookies strictly necessary to operate the platform (authentication, CSRF protection). We do not use advertising or tracking cookies.

9. Complaints

You have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

10. Changes to This Policy

We may update this policy to reflect changes in the law or our practices. Material changes will be notified to users via the platform.

The Tree Capital | privacy@thetreecapital.com | https://www.thetreecapital.com