Mint Books

Privacy Policy

Last updated: 25 February 2026

1. Who we are

Mint Books is a trading name of iCertifi. We provide cloud-based invoicing, expense tracking, and tax management software for UK businesses, including integration with HMRC Making Tax Digital (MTD) services.

Website: my.mintbooks.app
Contact: support@mintbooks.app

2. What personal data we collect

We collect and process the following personal data:

  • Account information: name, email address, password (hashed)
  • Business information: business name, address, VAT registration number, UTR
  • Financial data: invoices, expenses, bank transactions, VAT returns, income tax data
  • HMRC tokens: OAuth 2.0 access and refresh tokens (we never store your HMRC login credentials)
  • Technical data: IP address, browser type, device information (for fraud prevention as required by HMRC)

3. Why we process your data

We process your personal data for the following purposes:

  • Providing our service: creating invoices, tracking expenses, generating reports
  • HMRC submissions: submitting VAT returns and ITSA quarterly updates on your behalf via Making Tax Digital APIs
  • Fraud prevention: collecting and transmitting fraud prevention headers as required by HMRC
  • Account management: authentication, authorisation, team member access

Our lawful basis for processing is contract performance (providing the service you signed up for) and legal obligation (HMRC fraud prevention requirements).

4. How we protect your data

  • All data is encrypted in transit using TLS/HTTPS
  • All data is encrypted at rest in our database (Neon PostgreSQL with AES-256)
  • HMRC OAuth tokens are stored encrypted and are never exposed to the browser
  • Multi-tenant architecture ensures each organisation's data is strictly isolated
  • Role-Based Access Control (RBAC) restricts employee and team member access to authorised data only
  • Authentication is handled by Supabase with industry-standard security practices

5. Data sharing

We share your data only with:

  • HMRC: when you authorise us to submit VAT returns or ITSA updates on your behalf
  • Infrastructure providers: Vercel (hosting), Neon (database), Supabase (authentication) — all bound by data processing agreements
  • Payment processors: Stripe (for subscription billing only — we do not access your customers' payment details)
  • AI processing: OpenAI (ChatGPT API) — used for receipt scanning (OCR) and bank transaction categorisation. Only receipt images and transaction descriptions are sent; no personal financial data is shared beyond what is visible on receipts. OpenAI does not use API data to train models.
  • Email delivery: Resend — used for transactional email delivery (invoices, payment reminders). Recipient email addresses and email content are shared for delivery purposes only.

We never sell your personal data. We never share your data for marketing purposes without your explicit consent.

6. Data retention

We retain your data for as long as your account is active. Financial records are retained for a minimum of 6 years in line with HMRC requirements. When you delete your account, personal data is removed within 30 days, except where retention is required by law.

7. Your rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Delete your data (right to erasure)
  • Export your data in a portable format (CSV, PDF)
  • Restrict processing of your data
  • Object to processing
  • Withdraw consent at any time

To exercise any of these rights, contact us at support@mintbooks.app.

8. Data portability

You can export your invoices, expenses, and financial reports at any time using the export features within the application. If you switch to another provider, we will assist with data migration upon request.

9. Reporting a security risk or incident

If you discover a security vulnerability, suspect a data breach, or become aware of any security risk affecting the Service, please report it immediately:

Email: security@mintbooks.app

We take all security reports seriously and will acknowledge receipt within 48 hours. We ask that you provide as much detail as possible and do not publicly disclose the issue until we have had a reasonable opportunity to address it.

If we become aware of a data breach affecting your personal data, we will notify you and the Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR. We will also notify HMRC at SDSTeam@hmrc.gov.uk if the breach involves HMRC-related data.

10. Cookies

We use essential cookies only for authentication and session management. We do not use tracking or advertising cookies.

11. Changes to this policy

We may update this privacy policy from time to time. We will notify you of significant changes via email or an in-app notification.

12. Contact us

If you have any questions about this privacy policy or how we handle your data, contact us at:

General enquiries: support@mintbooks.app
Security issues: security@mintbooks.app
Website: mintbooks.app

