Last updated: May 2026 · Filabl Ltd · Registered in England & Wales
Filabl is a UK accounting software provider. We take your privacy and the security of your financial data seriously. This policy explains what data we collect, why we collect it, and how we protect it.
1. Who We Are
Filabl ("we", "us", "our") is a software company registered in England and Wales. We provide AI-powered accounting and tax filing software for UK businesses at filabl.co.uk. Our registered email address for data protection matters is privacy@filabl.co.uk.
2. Data We Collect
Account Information
Name and email address when you sign up
Company name, registration number, and VAT number
Billing information (processed securely via Stripe)
Financial Data
Bank transaction data (where you connect a bank account via Open Banking)
VAT returns, tax submissions, and accounting records you create or import
Invoices, bills, quotes, contacts, and fixed assets you create in the app
Receipt images and emails you upload or forward to your receipt inbox
HMRC Government Gateway OAuth tokens (stored encrypted — we never store your HMRC password)
Usage Data
Pages visited, features used, and time spent in the app
Browser type, device type, and IP address
Error logs and performance data
3. How We Use Your Data
To provide and improve our accounting software services
To submit tax returns and filings to HMRC on your behalf (with your explicit authorisation)
To generate AI-powered tax insights and suggestions
To send service emails (receipts, deadline reminders, support)
To comply with our legal obligations under UK law
We do not sell your data to third parties. We do not use your financial data to train AI models without your explicit consent.
4. Legal Basis for Processing
We process your data under the following legal bases under UK GDPR:
Contract performance — to deliver the service you've subscribed to
Legal obligation — to comply with UK tax, financial, and data protection law
Legitimate interests — to improve our services and prevent fraud
Consent — for marketing communications (you can withdraw at any time)
5. HMRC Data & Making Tax Digital
When you connect your HMRC Government Gateway account, we receive OAuth access tokens which allow us to submit returns on your behalf. We store these tokens encrypted in our database (hosted on Supabase in EU London). We never receive or store your HMRC Government Gateway username or password. You can disconnect your HMRC account at any time from Settings.
6. Data Sharing
We share data only with the following trusted sub-processors:
HMRC — for tax filing via the Making Tax Digital API (UK government)
Supabase (EU London region) — database and authentication hosting. Data stored in the UK/EU.
Vercel (US-based) — application and serverless function hosting. Covered by Standard Contractual Clauses under the UK–US data bridge. See Vercel's Privacy Policy.
Anthropic (US-based) — AI processing for the AI Accountant chat feature. Financial context you provide in the chat may be processed by Anthropic's API. Covered by Anthropic's data processing agreement. See Anthropic's Privacy Policy.
Google (US-based) — receipt scanning via the Gemini API (when you upload a receipt image). Receipt images are processed to extract transaction data and are not stored or used to train Google's models. Covered by Google's data processing agreement. See Google's Privacy Policy.
Stripe (US-based) — payment processing and Open Banking (Stripe Financial Connections). Billing data is processed by Stripe and subject to Stripe's Privacy Policy.
Resend (US-based) — transactional email delivery (invoice payment reminders, accountant access invitations, sign-in verification codes, receipt inbox). Only the minimum data needed to deliver each email is shared. Covered by Resend's data processing agreement. See Resend's Privacy Policy.
Companies House — public company data lookups (UK government, publicly available data only).
Google Analytics (US-based) — website usage analytics (pages viewed, session duration, device type). Only loaded with your consent. Covered by Standard Contractual Clauses. See Google's Privacy Policy.
International Data Transfers
Some sub-processors (Vercel, Anthropic, Google, Stripe) are based in the United States. These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved under UK GDPR, or the UK International Data Transfer Agreement (IDTA) where applicable. We only transfer the minimum data necessary to deliver each specific service.
7. Data Retention
We retain your data for as long as your account is active, plus 7 years after account closure (as required by HMRC record-keeping rules for business tax purposes). You may request deletion of non-statutory data at any time.
8. Your Rights
Under UK GDPR you have the right to:
Access the data we hold about you
Correct inaccurate data
Request deletion of your data (subject to legal retention requirements)
Object to processing or request restriction
Data portability — receive your data in a machine-readable format
We apply multiple layers of security to protect your data:
Encryption in transit: All connections use TLS 1.2+ (enforced via HSTS with a 2-year max-age and preload).
Field-level encryption at rest: Sensitive credentials — including HMRC OAuth tokens — are encrypted using AES-256-GCM with a unique random 96-bit IV per encryption operation before being written to the database. Authentication tags are verified on every read, preventing undetected tampering.
Security headers: Every response includes Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Referrer-Policy, and a strict Permissions-Policy.
Access controls: Row-Level Security (RLS) is enforced at the database layer so each user can only access their own data. API routes verify session tokens on every request.
Rate limiting: All authentication and API endpoints are rate-limited to protect against brute-force attacks.
CSRF protection: OAuth flows use HMAC-signed, timestamped state tokens to prevent cross-site request forgery.
We conduct regular security reviews. In the event of a data breach affecting your rights, we will notify you and the ICO within 72 hours as required by UK GDPR.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or in-app notification at least 14 days before they take effect.
Contact Us
For any privacy-related questions or to exercise your rights, contact our data protection team:
These terms govern your use of Filabl's accounting software. By creating an account, you agree to these terms. Please read them carefully.
1. The Service
Filabl provides AI-powered accounting and tax filing software for UK businesses, including: VAT return submission via HMRC's Making Tax Digital API; transaction management and AI auto-categorisation; invoicing, bills, and quotes; Open Banking (bank account sync); receipt scanning and email inbox; company data via Companies House; anomaly detection; an AI accountant assistant; and accountant access management. The service is provided on a subscription basis.
2. Eligibility
You must be a UK-based business or sole trader to use Filabl. By signing up, you confirm that you have the authority to act on behalf of the business entity you register.
3. Your Account
You are responsible for maintaining the security of your account credentials
You must provide accurate and up-to-date information about your business
You are responsible for all activity that occurs under your account
You must notify us immediately of any unauthorised access at support@filabl.co.uk
4. Subscription & Payment
Subscriptions are billed monthly or annually in advance depending on your chosen plan
Annual plans are non-refundable except in the event of a billing error
Prices are in GBP and inclusive of VAT where applicable
You may cancel at any time — access continues until the end of the current billing period
We reserve the right to change pricing with 30 days' notice
Monthly refunds are issued at our discretion for billing errors; annual plan refunds are considered on a case-by-case basis
5. HMRC Filing & Tax Accuracy
Filabl submits tax returns to HMRC on your behalf using the Making Tax Digital API. You remain solely responsible for the accuracy of all financial data you provide. Filabl is software — not a regulated accountant or tax adviser. You should review all submissions before authorising them. Filabl accepts no liability for penalties or interest arising from inaccurate returns.
The AI Accountant feature provides general guidance only and does not constitute regulated financial or tax advice. For complex matters, consult a qualified accountant.
6. Acceptable Use
You agree not to:
Use Filabl for any unlawful purpose including tax fraud or money laundering
Attempt to reverse-engineer, hack, or disrupt the service
Share your account credentials with unauthorised parties
Submit false or misleading information to HMRC through our platform
7. Intellectual Property
Filabl and all associated software, designs, and content are owned by Filabl Ltd. Your financial data remains yours — we claim no ownership over it. You grant us a licence to process your data solely to deliver the service.
8. Service Availability
We aim for 99.9% uptime but cannot guarantee uninterrupted service. We are not liable for downtime caused by HMRC API outages, third-party services, or events outside our control. We will communicate planned maintenance in advance.
9. Limitation of Liability
To the maximum extent permitted by UK law, Filabl's liability to you is limited to the amount you paid us in the 3 months preceding the claim. We are not liable for indirect losses, loss of profit, or consequential damages.
10. Termination
We may suspend or terminate your account for breach of these terms, non-payment, or suspected fraudulent activity. You may terminate at any time by cancelling your subscription. On termination, you may export your data for 30 days before it is deleted.
11. Governing Law
These terms are governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
12. Changes to Terms
We may update these terms with 30 days' notice. Continued use of the service after that date constitutes acceptance.
Filabl uses a minimal set of cookies — only what's necessary to run the service. We don't use advertising cookies or sell your browsing data.
What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help us keep you signed in, remember your preferences, and understand how our service is used.
Cookies We Use
Essential Cookies
These are required for the service to function and cannot be disabled:
Session cookie — keeps you signed in during your session
CSRF token — protects against cross-site request forgery attacks
Preference cookie — remembers your settings (e.g. sidebar state)
Analytics Cookies (optional — requires consent)
We use Google Analytics (gtag.js) to understand how visitors use our site — pages visited, session duration, and device type. Google Analytics is only loaded after you accept analytics cookies. If you choose "Essential Only", no analytics cookies are set and Google Analytics does not run. Google Analytics sets the following cookies:
_ga — distinguishes users (expires 2 years)
_ga_* — stores session state (expires 2 years)
This data is processed by Google LLC (US) under Standard Contractual Clauses. See Google's Privacy Policy.
Google Fonts
Our website loads fonts from Google Fonts (fonts.googleapis.com). This causes your browser to send a request to Google's servers, which may process your IP address. No cookies are set by Google Fonts. This is a functional necessity for displaying the site correctly and is processed under our legitimate interests.
Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies will prevent the service from working correctly. For instructions, visit your browser's help pages.
Third-Party Cookies
Our payment processor Stripe may set cookies when you complete a payment. These are governed by Stripe's Privacy Policy.