Data Protection

Your Privacy Matters

Last updated: 4 June 2026 · DoneLabs Ltd · ICO Reg. No. ICO-0001353294

1. Who We Are

DoneCIS is a product of DoneLabs Ltd, a company registered in England and Wales, company number 17056937. We provide Making Tax Digital (MTD) software for UK sole trader CIS subcontractors, enabling CIS deduction tracking and quarterly submissions to HMRC. For the purposes of UK data protection law, DoneLabs Ltd is the data controller for personal data collected through DoneCIS. Contact: hello@donecis.co.uk

2. What Personal Data We Collect

We collect and process: Identity data (name, email address, National Insurance Number), HMRC data (MTD ID, encrypted OAuth access tokens, CIS deduction records), Financial data (bank transactions synced via open banking), Submission data (quarterly CIS returns and overrides), Technical data (IP address, device ID, browser information, session data), and Usage data.

3. How We Use Your Data

To provide the DoneCIS service on the basis of contractual necessity: retrieving your CIS deductions from HMRC, splitting labour and materials, and submitting quarterly returns on your behalf. To comply with legal obligations: fraud prevention header data submitted to HMRC as required. To manage your account and subscription on the basis of contractual necessity. To improve our service on the basis of legitimate interests.

4. HMRC Data and OAuth

DoneCIS uses OAuth 2.0 to connect to your HMRC account. We never store your Government Gateway username or password. We store encrypted OAuth access tokens solely to submit your CIS returns on your behalf. These tokens are encrypted using AES-256-GCM encryption at rest and transmitted over HTTPS. Your National Insurance Number is stored encrypted and used only to identify your CIS records with HMRC.

5. Open Banking Data

DoneCIS connects to your bank account via TrueLayer, an FCA-authorised open banking provider. We request read-only access to your transaction history to help you split labour from materials accurately. We cannot and never will move money from your account. Bank transaction data is stored securely and used only for CIS compliance purposes.

6. Fraud Prevention Data

HMRC requires all MTD software providers to submit fraud prevention headers with every API call. This includes your device ID, IP address, browser information, and timezone. This is a legal requirement under the Regulation of Investigatory Powers Act 2000 and HMRC's Terms of Use. We have no discretion over this requirement.

7. Data Sharing

We share your personal data only where necessary: HMRC (to submit your CIS returns and overrides), TrueLayer (open banking, read-only), Stripe (subscription payments), Neon (database provider, EU-hosted). We do not sell, rent, or share your personal data with any third party for marketing purposes.

8. Data Storage and Security

Your data is stored on Neon PostgreSQL infrastructure. Security measures include: AES-256-GCM encryption for all OAuth tokens at rest, HTTPS and TLS for all data in transit, HttpOnly and Secure cookie flags, rate limiting on all API endpoints, and parameterised database queries.

9. Data Retention

We retain your personal data for as long as your DoneCIS account is active. If you delete your account, we will delete your personal data within 30 days, except where required by law. Financial records required for tax purposes may be retained for up to 7 years.

10. Your Rights

Under UK GDPR you have: Right of access (request a copy via Data Export), Right to erasure (delete account via Delete Account feature), Right to rectification (update your profile), Right to restrict processing, Right to data portability (machine-readable format), Right to object. Contact us at hello@donecis.co.uk to exercise any right.

11. Cookies

DoneCIS uses strictly necessary cookies only: session cookies for authentication and a persistent device ID cookie for HMRC fraud prevention compliance. We do not use advertising or tracking cookies.

12. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. Our ICO registration number is ICO-0001353294.