Flonancial

Privacy policy

Last updated: 20 March 2026

Who we are

Flonancial is operated by Flonancial Ltd, a company registered in England and Wales. Company number: 17090724. Registered office: 104 Finborough Road, London, SW10 9ED.

Flonancial is bridging software for Making Tax Digital. We help sole traders and landlords submit their quarterly updates to HMRC. You can contact us at hello@flonancial.co.uk.

How Flonancial works

When you upload a spreadsheet to Flonancial, the file is parsed entirely in your web browser using client-side JavaScript. Your spreadsheet file is never transmitted to our servers, never stored by us, and is discarded from browser memory once you navigate away or close the page.

Flonancial reads two numbers from your spreadsheet — your turnover and your expenses — and displays them for you to review before submission. Only the summary figures you choose to submit are sent to HMRC and stored by us.

What data we collect and store

When you use Flonancial, we collect and store:

  • Your email address, used to create and manage your account
  • Your National Insurance number (NINO), stored in our database and used in API calls to HMRC to identify your tax account
  • Business details retrieved from HMRC after you connect your account, including business name, type, address, and HMRC business ID
  • Quarterly submission records: the turnover, expenses, and other business income figures submitted to HMRC, along with the submission date, tax year, quarter period, and HMRC correlation ID
  • HMRC OAuth tokens, stored securely in encrypted httpOnly cookies to enable submissions on your behalf
  • A device identifier (UUID stored in a persistent browser cookie) used for HMRC fraud prevention headers

We do not collect or store:

  • Your spreadsheet files or any data within them beyond the summary figures you submit
  • Individual transaction records (dates, descriptions, amounts)
  • Your HMRC Government Gateway username or password
  • Any tracking, advertising, or analytics data

How we use your data

We use your data solely to provide the Flonancial service:

  • Enabling you to log in and access your account
  • Using your NINO to make API calls to HMRC on your behalf (retrieving business details, obligations, and submitting quarterly updates)
  • Keeping a record of what was submitted, when, and the HMRC confirmation reference

We do not sell your data. We do not share your data with third parties for marketing purposes. We do not use your data for advertising.

HMRC fraud prevention headers

HMRC requires all Making Tax Digital software to submit fraud prevention header data with each API call. This is a legal requirement. The data we collect for this purpose includes your browser type, screen dimensions, timezone, device identifier, window size, IP address, and your Flonancial user identifiers (email and internal account ID).

This data is sent directly to HMRC as part of the API request. We do not store fraud prevention data beyond the duration of the request, with one exception: during the HMRC connection process, we temporarily store fraud prevention data in a browser cookie (flo_fraud_data) for up to 10 minutes to carry it through the OAuth redirect. This cookie is deleted immediately after use.

For more information, see HMRC's guidance on fraud prevention data.

Our lawful basis

We process your personal data on the basis of contract — you provide your data in order for us to deliver the service you have signed up for. For HMRC fraud prevention headers, we process data on the basis of legal obligation, as this is required by law for all MTD-compatible software.

Record keeping — your responsibility

Flonancial is bridging software. We do not store your transaction records or spreadsheet files. The legal obligation to maintain digital records of each transaction (date, amount, and category) and to retain those records for at least five years sits with you, the taxpayer.

Your spreadsheet is your digital record. Keep it safe.

Data retention

We retain your submission history (the summary figures sent to HMRC, submission dates, and HMRC references) for a minimum of five years after the 31 January Self Assessment filing deadline for the relevant tax year, so that you have a record of what was submitted.

Your account details (email address and NINO) are retained for as long as your account is active. You may delete your account at any time from the Settings page, or by contacting us.

Data storage and security

Account and submission data is stored securely using Supabase, a cloud database provider with servers in the EU. Data is encrypted in transit via TLS. Access to your data is restricted to your account only through row-level security policies enforced at the database level.

HMRC OAuth access and refresh tokens are stored in httpOnly cookies and are never exposed to client-side JavaScript.

Our application is hosted on Vercel, with servers in the United States (US East). Your spreadsheet files are never uploaded to any server — they are processed entirely within your web browser.

Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data (including your email, password, and NINO via the Settings page)
  • Request deletion of your account and all associated data
  • Download a copy of your data in a portable format (JSON export available from the Settings page)
  • Withdraw consent at any time

You can exercise most of these rights directly from your Settings page. For any other requests, email us at hello@flonancial.co.uk and we will respond within 30 days.

Cookies

Flonancial uses essential cookies only:

  • Login session cookies — Supabase authentication tokens that keep you logged in
  • HMRC OAuth token cookies — httpOnly cookies storing your HMRC access and refresh tokens, used for API authentication
  • Device identifier cookie (flo_device_id) — a UUID used for HMRC fraud prevention headers, expires after 10 years
  • Fraud data cookie (flo_fraud_data) — temporary cookie used during HMRC connection only, expires after 10 minutes and is deleted after use

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Because every cookie we use is strictly essential, no cookie consent banner is needed — and you won't see one.

Security disclosures

If you discover a security vulnerability or have concerns about the security of your data, please contact us immediately at hello@flonancial.co.uk with the subject line "Security disclosure". We aim to respond within 24 hours.

Data breaches

In the event of a data breach affecting your personal data, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR
  • Notify HMRC by logging a ticket within 72 hours, providing a breach contact name and telephone number
  • Notify affected users without undue delay, explaining what happened, what data was affected, and what steps we are taking

Changes to this policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. Continued use of Flonancial after changes constitutes acceptance of the updated policy.