Qwikr ("we", "us", "our") is a cloud-based accounting platform operated in the United Kingdom. We are registered with the Information Commissioner's Office (ICO).
We act in two capacities: we are the data controller for your account, billing, and usage data; and we are a data processor for the financial and taxpayer records you (or your accountancy practice) store in the Service, which we process only on your instructions and on your behalf.
We collect the following categories of personal data:
We use your personal data to:
When you connect a business or client to HMRC, you authorise Qwikr through your Government Gateway account using HMRC's OAuth process. We never see or store your Government Gateway password. HMRC issues us scoped access and refresh tokens (limited to the tax services you authorised, e.g. VAT or Self Assessment), which we store encrypted at rest. We use these tokens only when you or your authorised users initiate retrievals or submissions. You can revoke our access at any time — by disconnecting within the Service or via your Government Gateway account at HMRC — after which the stored tokens cease to function and are deleted.
Under UK GDPR, we process your data on the following bases:
We do not sell your personal data. We share data with:
Financial and tax records are retained for as long as your account is active, plus 7 years after closure, to comply with UK financial record-keeping requirements. Other account data (profile, settings, usage history) is deleted within 30 days of account closure. Usage and log data is retained for 12 months. HMRC access and refresh tokens are deleted immediately when you disconnect a client from HMRC or close your account.
Under UK GDPR you have the right to:
To exercise these rights, email privacy@qwikr.tax. We will respond within 30 days.
We use strictly necessary session cookies to keep you logged in, and analytics cookies to understand how the Service is used. You can disable analytics cookies at any time via your browser settings.
We use TLS encryption for all data in transit, AES-256 encryption for data at rest, and enforce role-based access controls. We conduct regular security reviews and penetration testing.
Breach notification: in the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and will inform affected users without undue delay, in accordance with UK GDPR Articles 33–34.
Your data is stored in UK/EEA data centres. Where we engage processors outside the UK/EEA, we ensure appropriate safeguards are in place under UK GDPR Articles 46-47.
We may update this policy periodically. We will notify you by email of any material changes at least 30 days before they take effect.
For privacy queries: privacy@qwikr.tax.
If you are unsatisfied with our response, you have the right to complain to the ICO at ico.org.uk.