Taxnova Ltd
Privacy Policy
Last Updated: 11 February 2026
1. Introduction
Taxnova Ltd (“Taxnova”, “we”, “us”, or “our”) is a company registered in the United Kingdom with a registered office at Arquen House, 4-6 Spicer Street, St. Albans AL3 4PQ. We provide AI-assisted R&D tax credit claim preparation services to businesses.
This Privacy Policy explains how we collect, use, store, and protect personal data when you visit our website (taxnova.ai), interact with us as a prospective customer, or use our services as a client. We are committed to protecting your privacy and processing your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
For personal data we collect directly (such as website visitors and prospective customers), Taxnova acts as the data controller. When we process personal data on behalf of our clients as part of our R&D tax credit services, Taxnova acts as a data processor on the client’s behalf. The client remains the data controller for that data.
Our data protection contact: [email protected]
3. What Personal Data We Collect
3.1 Website Visitors
Usage data collected via analytics (page views, referral sources, device and browser type)
Cookie data and similar tracking technologies (see Section 10)
Information you submit via contact or demo request forms (name, email address, company name, role)
3.2 Prospective Customers
Contact details provided during sales conversations (name, email, phone number, company)
Communication records (emails, meeting notes)
CRM data necessary for managing our sales relationship
3.3 Client Data (Service Delivery)
When delivering our R&D tax credit services, we process data provided by our clients which may include:
Employee names, job titles, email addresses, and roles
Time records and project assignments
Personal data incidentally contained in technical documentation, project management systems (tickets, tasks, roadmaps, timesheets), and software development materials (commit messages, pull requests)
This data is processed under a Master Services and Data Processing Agreement (MSA/DPA) with each client. The client, as data controller, determines what data is shared with us.
3.4 Our Employees and Contractors
We also collect and process personal data of our own employees and contractors for employment and engagement purposes. This is managed under separate internal HR policies.
4. How We Use Your Data
| Purpose | Details |
| --- | --- |
| Service delivery | Processing client data to prepare R&D tax credit claim materials, including project identification, technical narratives, and time allocation calculations |
| AI-assisted processing | Using third-party LLM APIs (Anthropic, Google Gemini via Vertex AI) to analyse client data and generate draft outputs. API providers are contractually prohibited from using client data for model training. |
| Website operation | Analytics, performance monitoring, and improving user experience |
| Sales and marketing | Responding to enquiries, managing relationships, and communicating about our services |
| Legal and compliance | Meeting our legal obligations, managing disputes, and maintaining records as required by law |
| Product improvement | Using non-identifying data derivatives to improve our platform algorithms and develop new features (clients may opt out) |
5. Legal Bases for Processing
Contract performance: Processing necessary to deliver our services under our MSA/DPA with clients
Legitimate interests: Website analytics, business development, product improvement, and fraud prevention, where these interests are not overridden by your rights
Consent: Where you have opted in to marketing communications or specific data uses
Legal obligation: Where processing is necessary to comply with applicable laws or regulations
6. AI Processing and Data Security
Our service uses AI technology (Large Language Models) to assist in analysing client data and generating draft R&D tax credit materials. We maintain the following safeguards:
AI processing is performed exclusively via official API providers (Anthropic and Google Gemini via Vertex AI)
All API providers are contractually prohibited from using client data for model training, fine-tuning, or any other purpose beyond the immediate processing request
Client data transmitted to API providers is not retained by the provider beyond the processing session
No client data, whether identifiable or in derivative form, is ever used to train, fine-tune, or improve any machine learning models
All AI-generated outputs containing personal data are subject to the same confidentiality and security obligations as the original data
Data Derivatives may be used for product improvement purposes that do not involve model training, as described in our client agreements
7. Data Storage and Security
We implement robust technical and organisational security measures to protect your data:
Infrastructure: Our application runs exclusively on Google Cloud Platform (GCP) infrastructure hosted within the European Union
Encryption: All personal data is encrypted at rest (AES-256 or equivalent) and in transit (TLS 1.2 or higher)
Access controls: Role-based access limited to authorised personnel, with unique credentials and multi-factor authentication
Audit logging: All access to personal data and API interactions are logged for security audit purposes
Personnel security: Background checks and confidentiality agreements for all personnel with access to personal data
Incident response: Documented procedures for detecting, responding to, and recovering from security incidents
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Raw client data | Until completion of subsequent claim cycle; or deleted within 30 days of termination | Contractual necessity |
| Final deliverables | Up to 7 years from creation | Compliance and audit purposes |
| Data Derivatives | Up to 7 years from creation | Product improvement per MSA terms (opt-out available) |
| Website analytics | Up to 26 months | Legitimate interests |
| Sales and marketing | Duration of relationship + 2 years | Legitimate interests |
| Backup systems | Up to 90 days after deletion from primary systems | Technical necessity |
9. Data Sharing and Sub-processors
We do not sell your personal data. We share personal data only with the following categories of recipients, and only to the extent necessary:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Google Cloud Platform | Infrastructure hosting and data storage | EU |
| Anthropic | LLM API processing | May involve transfers outside EU |
| Google Gemini (Vertex AI) | LLM API processing | May involve transfers outside EU |
All LLM API sub-processors are contractually prohibited from using client data for model training purposes.
10. International Data Transfers
All personal data is stored within the European Economic Area or the United Kingdom. Where data is transferred to sub-processors located outside the UK or EEA (for example, API calls to LLM providers), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Secretary of State or the recipient’s participation in a valid adequacy framework.
11. Cookies
Our website uses cookies and similar technologies. We use essential cookies required for the website to function, and analytics cookies to understand how visitors interact with our site. You can manage your cookie preferences through your browser settings or via our cookie consent banner. We will not set non-essential cookies without your consent.
12. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate or incomplete data
Right to erasure: Request deletion of your personal data in certain circumstances
Right to restriction: Request that we limit how we use your data
Right to data portability: Receive your data in a structured, commonly used format
Right to object: Object to our processing of your data based on legitimate interests
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month. If you are a client employee whose data we process on behalf of your employer, please direct your request to your employer in the first instance, as they are the data controller.
13. Complaints
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection: ico.org.uk.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will post any updates on our website and, where changes are significant, notify you directly where possible.
15. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us: