CISTracker

Privacy Policy

Last updated: 25 April 2026

This privacy policy explains how Hale Technology Limited ("we", "us") collects, uses, and protects your personal information when you use the CIS Tracker UK mobile application and website (cistracker.uk).

1. Who We Are

Hale Technology Limited is registered in England & Wales. We are the data controller for any personal information processed through CIS Tracker UK. You can contact us at privacy@cistracker.uk.

2. What We Collect

Account information

  • Name and email address
  • Business name and trading address (optional)
  • UTR (Unique Taxpayer Reference) and National Insurance number, if you choose to provide them
  • Employer reference (if you operate as a contractor)

CIS records

  • Payment records, including dates, gross/net amounts, materials, and CIS deductions
  • Subcontractor and contractor counterparty details you enter
  • HMRC verification numbers and deduction rates
  • Photos of Payment & Deduction Statements you upload

Technical information

  • Device identifiers (used for fraud-prevention headers required by HMRC)
  • IP address and approximate location
  • App version, operating system, and crash reports

Payment information

We do not store full card details. Payments are processed by Stripe; we receive only a customer identifier and subscription status.

3. Lawful Basis for Processing

We process your personal data under the following lawful bases:

  • Contract — to provide the CIS Tracker service you have subscribed to
  • Legal obligation — where we must retain records for tax, accounting, or HMRC compliance
  • Legitimate interests — to operate, secure, and improve the service
  • Consent — for optional marketing communications, which you can withdraw at any time

4. How We Use Your Information

  • To provide CIS calculation, refund estimation, and reporting
  • To submit verification requests and CIS300 returns to HMRC on your behalf (with your authorisation)
  • To send you compliance reminders (CIS300 deadlines, gross status renewals, etc.)
  • To process subscription payments via Stripe
  • To respond to support requests
  • To detect and prevent fraud and abuse

5. Sharing Your Information

We share data only when necessary, and only with:

  • HMRC — when you authorise verification or CIS300 submission
  • Stripe — to process payments
  • HostGator (Endurance International Group) — our hosting provider
  • Google Cloud Platform — for push notifications (Firebase Cloud Messaging)
  • Law enforcement or regulators — where legally required

We never sell your data, and we never share it with advertisers.

6. International Transfers

Most of our infrastructure is hosted in the UK or EEA. Where data is transferred outside the UK (for example, to Stripe in the US or Google Cloud), we rely on Standard Contractual Clauses or equivalent safeguards under UK GDPR.

7. How Long We Keep Your Data

  • Active accounts — for as long as you maintain an account
  • CIS records — at least 6 years after the relevant tax year ends, in line with HMRC record-keeping obligations
  • Closed accounts — personal data is deleted within 30 days of account closure, except where retention is legally required (e.g. for tax records)
  • Backups — encrypted backups are retained for up to 90 days

8. Your Rights Under UK GDPR

You have the right to:

  • Access — request a copy of your personal data
  • Rectify — correct inaccurate personal data
  • Erase — request deletion (subject to legal retention requirements)
  • Restrict processing — limit how we use your data
  • Object — object to processing based on legitimate interests
  • Data portability — receive your data in a machine-readable format
  • Withdraw consent — for any processing based on consent

To exercise any of these rights, email privacy@cistracker.uk. We respond within 30 days.

You can also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We use industry-standard security measures including HTTPS/TLS in transit, encrypted database storage, password hashing with bcrypt, and JWT-based authentication. HMRC OAuth tokens are encrypted at rest. We perform regular security reviews. No system is 100% secure — please use a strong, unique password.

10. Children

CIS Tracker is not intended for users under 18. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes in-app and by email. Your continued use of the service after the effective date constitutes acceptance.

12. Contact

Hale Technology Limited
Liverpool, United Kingdom
Email: privacy@cistracker.uk