Privacy Policy
Effective Date: 26 May 2026
1. Data Controller
Dawn Works Limited is the data controller for the information processed within the Submidt application. For any privacy-related inquiries, you can contact us at support@submidt.co.uk.2. Information We Collect
We collect and process the following categories of data:- Accountant Information: Name, email address, and active company details.
- Submidt Account Information: Login details(Username & password hash), IP address.Passwords are never stored in plain text and are securely hashed.
- Client Information: Client names, client email addresses, postal address, business & HMRC identifiers, and relevant tax/income/expense values required for HMRC MTD submissions.
- Security & Compliance Data: DeviceId (stored via cookie), local public IP addresses, public ports, browser user-agent strings, browser & screen size, and timestamps. This data is collected to fulfill statutory fraud prevention requirements mandated by HMRC.
- Audit Logs: Records of login sessions and data submissions, including timestamps, authentication records, and records relating to the approval workflow.
- Lawful Basis for Processing: We process Accountant and your client information under the lawful basis of Performance of a Contract. We process fraud prevention and security data under Legal Obligation, as required by HMRC's MTD Fraud Prevention requirements. We process login alerts, approval notifications, and support communications under Legitimate Interests, ensuring platform security and user awareness.
3. How & Why We Use Your Data
We use the collected data strictly for the following purposes:- Contractually: To provide, maintain, and secure the Submidt platform.
- Security: To authenticate user sessions and securely
persist login states for up to 4 hours of inactivity.
To communicate new login locations to users, critical alerts, client approval flow updates, and support responses. - Legal Compliance: To transmit tax submissions
securely to the HMRC MTD API on your behalf.
To comply with HMRC Fraud Prevention Network Analytics requirements.
4. Data Storage and Encryption
All user and client data is stored securely within a database. We operate our infrastructure using data centres located in London, United Kingdom to strictly keep all data within the country and subject to UK GDPR regulations. To ensure the highest level of security for sensitive financial information, data held in the database is encrypted at rest. No user data is transferred, processed, or viewed by any party outside of Dawn Works Limited, except for the explicit transmission to HMRC during a filing event and AWS processes limited email delivery data, including recipient email addresses and message metadata, solely for the purpose of delivering transactional system emails. These transfers are protected using Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO), ensuring an equivalent level of data protection.5. Cookies and Session Technologies
Submidt uses essential cookies to persist and authenticate user sessions and devices. These technologies are used for the following purposes:- Maintaining secure login sessions and remembering authenticated users during periods of activity.
- Generating and storing device identifiers required for HMRC fraud prevention compliance.
- The cookies used by Submidt are strictly necessary for the operation and security of the platform and do not require consent under the Privacy and Electronic Communications Regulations (PECR). We do not use advertising cookies, behavioural tracking cookies, or third-party analytics cookies within the Submidt platform.
- Session cookies are invalidated after 4 hours of inactivity, at which point the user will have to re-enter their log in credentials for a new session cookie to be issued. Session cookies are deleted upon expiration and when the user logs out of Submidt. The HMRC fraud prevention DeviceID cookie persists for 13 months and upon reaching this maximum age it immediately expires and is permanently deleted from your device's storage.
6. Third-Party Data Processors
We limit the exposure of your data to external services. The third-party processors we utilise are:- Amazon Web Services (AWS): Used exclusively as our email transport layer (Simple Email Service) to deliver system updates, receipts, and confirmations.
- Stripe (Future Integration): We implement Stripe to handle billing and subscription management. While active, Stripe will process financial data directly according to their own privacy standards. No credit card details will be stored on our servers.
- HMRC: We share the quarter information that you provide and device information (such as IP address, Screen & Window information and account identification) alongside our own information such as application IP address and application identification codes to adhere to the HMRC regulations and to provide a secure, traceable and accountable submission on the user's behalf.
- Law Enforcement: Financial crime authorities, police forces, courts, other bank/fraud/financial misconduct tracing and any other third parties required by law. We may also share during corporate restructuring or acquisitions.
7. Retention of Data
We retain financial submission logs and user account information for as long as your account remains active or as required by UK tax law and statutory limitations. Currently, we maintain your data for 5 years after account closure, this is subject to change in line with UK GDPR and is longer for AML/fraud cases as required by law.8. Roles and Responsibilities
Submidt is designed for use by accountants, tax agents, and authorised representatives submitting MTD tax information to HMRC on behalf of clients. In relation to client tax and financial information entered into the platform, the accountant or authorised user using Submidt generally acts as the data controller, determining the purpose, accuracy and responsibilities of the information submitted to HMRC. Dawn Works Limited acts as a data processor in providing the Submidt platform and associated services. Accountants and authorised users are responsible for:- Ensuring they have the lawful authority to process and submit client information.
- Ensuring client information entered into Submidt is accurate, complete and kept up to date.
- Maintaining the confidentiality and security of their account credentials.
- Obtaining any permissions, approvals, or authorisations required before making any submissions on behalf of clients.
- Reviewing submissions before transmission to HMRC.
9. Your Rights Under UK GDPR
Under UK GDPR, users of Submidt and, where applicable, their clients may have the following rights in relation to personal data processed through the platform:- Right of access: to request copies of your personal data.
- Right to rectification: to correct inaccurate or incomplete data.
- Right to erasure: to request deletion of data where legally permitted.
- Right to restrict processing: to limit how your data is used.
- Right to object: to object to/opt out of processing based on legitimate interests.
- Right to data portability: to receive your data in a structured, machine-readable format.
- Right to withdraw consent: where consent is used (not applicable for HMRC mandated processing).
- Right to lodge a complaint: with the Information Commissioner's Office (ICO) at ico.org.uk.
© 2026 Dawn Works Limited