1. Who we are
VATloop is operated by Ali Elmonofy, trading as EBM Solutions, a UK sole-trader business (the "Supplier"). VATloop is a Shopify app that submits Making Tax Digital ("MTD") VAT returns to HM Revenue & Customs ("HMRC") on behalf of UK Shopify merchants ("Merchants").
For the purposes of UK-GDPR, the Supplier acts in two distinct capacities depending on the data flow — as a data processor on the Merchant's behalf for order data instructed through the app, and as an independent data controller for fraud-prevention headers the Supplier is statutorily required to collect for HMRC. The respective obligations are set out in Annex B.
2. How to contact us
Privacy questions, data-subject requests, breach reports, and complaints should be addressed to:
- Email — [email protected]
- Postal — Ali Elmonofy, EBM Solutions, United Kingdom (full address provided on request)
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.
3. Data we deliberately collect and store
The Services request from Shopify only the data fields necessary to compute aggregated tax and revenue totals for the 9-box VAT Return. The following categories are persisted to our database ("D1", hosted by Cloudflare in Western Europe):
- Merchant account — shop domain, Shopify shop identifier, Shopify plan, billing status, trial-end date, VAT registration number (when entered), HMRC OAuth token state (encrypted at rest with AES-256-GCM via per-purpose HKDF-derived keys).
- VAT submission records — the 9-box figures, VAT period key, submission status, HMRC receipt number ("form bundle number"), processing date, and authorisation trail (name typed at confirmation, timestamp, Shopify user identifier).
- Audit log — material events affecting the operation of the Services (installation, uninstallation, HMRC link / unlink, submission authorisation, submission transmission, billing events, GDPR-webhook receipts), with non-PII payload summaries.
Legal basis: Article 6(1)(b) UK-GDPR (performance of the contract).
4. Data we receive transiently but do not store, use, or share
Shopify's Admin API may, depending on the scope being queried, include additional personal data fields in its API responses, including but not limited to customer names, billing and shipping addresses, email addresses, phone numbers, customer IP addresses, and order notes. With respect to any such transient personal data, the Supplier:
- does not store the data to persistent storage of any kind;
- does not log the data to any log, monitoring, or error-tracking system;
- does not transmit the data to any third party (other than back to Shopify or HMRC where strictly required for service operation);
- does not use the data for analytics, profiling, marketing, or any purpose other than the computation of the aggregates referred to in clause 3;
- discards the data from in-memory state immediately upon completion of the aggregate computation for which it was received.
Legal basis: Article 6(1)(f) UK-GDPR (legitimate interests of the Supplier in delivering the contracted Service to the Merchant). The data subjects of this transient processing are the Merchant's customers, who are not party to the Merchant's contract with the Supplier; Article 6(1)(b) (performance of a contract with the data subject) is therefore not available as the lawful basis for this processing. A Legitimate Interest Assessment ("LIA") is maintained internally under the Article 6(1)(f) three-part test (purpose, necessity, balancing) and made available to the Merchant on written request.
5. Data we do not collect
The Services do not request, receive, or in any way process:
- Payment card data, bank account details, or other payment credentials. All subscription billing for the Services is handled by Shopify via the Shopify Recurring Application Charge mechanism; the Supplier never has visibility of the Merchant's payment details.
- Product-level inventory data beyond what is referenced on the orders queried for VAT computation.
- Customer purchase histories, lifetime-value models, or marketing audiences derived from the Merchant's data.
- Communications between the Merchant and the Merchant's customers (Shopify message threads, customer-service exchanges, and the contents of order notes are not requested via the Shopify API).
6. HMRC fraud-prevention headers
HMRC's Making Tax Digital programme requires the Services to transmit a set of fraud-prevention headers (Gov-Client-* per HMRC's MTD VAT API specification) with every Submission. These headers contain technical and behavioural data about the user's device and session at the moment of authorisation, including: device identifier, public IP address, browser user-agent string, browser-installed plugins, screen dimensions, window dimensions, timezone, and timestamp.
This data is processed under Article 6(1)(c) UK-GDPR (compliance with a legal obligation under the Finance (No. 2) Act 2017 and HMRC's MTD VAT requirements). The data is transmitted directly to HMRC and is retained by the Supplier in the audit log only for the period set out in section 8 (audit-log retention).
On the fraud-prevention header path, the Supplier is the data controller, not a processor on the Merchant's behalf. The Merchant is not the controller of these headers and bears no controller obligations in respect of them.
7. Sub-processors
The Supplier engages the following sub-processors in delivering the Services:
| Sub-processor | Purpose | Region |
|---|---|---|
| Shopify Inc. | Source of merchant order, refund, and tax data; processor of subscription billing. | Global (Merchant's chosen region) |
| HM Revenue & Customs | Recipient of Submissions and fraud-prevention headers. | United Kingdom |
| Cloudflare, Inc. | Hosting infrastructure (Workers compute, D1 storage, KV state, DNS). | Western Europe (UK / EEA) |
| Web3Forms | Landing-site enquiry capture. | EEA |
The Supplier will notify the Merchant of any change of sub-processor not less than thirty (30) days before the change takes effect. The Merchant may terminate the Services without penalty if it does not agree to the change.
8. Audit-log retention
The Supplier maintains an audit log of material events affecting the operation of the Services (installation, uninstallation, HMRC link / unlink, submission authorisation, submission transmission, billing events, GDPR-related webhook receipts). The log is retained according to a three-tier scheme:
8.1 Tier 1 — fraud-prevention header metadata
IP address, user-agent string, and other personal-data fields captured in connection with HMRC fraud-prevention header transmission. Retained for ninety (90) days from the date of the event, after which they are nulled in place. The non-Tier-1 portion of the audit-log row is preserved per the relevant remaining tier.
Legal basis — Article 6(1)(c) UK-GDPR (compliance with the legal obligation to transmit HMRC's MTD VAT fraud-prevention headers; statutory authority Finance (No. 2) Act 2017 sections 60 to 62 and HMRC's Making Tax Digital VAT API specification), supplemented by Article 6(1)(f) (legitimate interest in fraud-detection and security forensics during the active operational window). Retention period justified under Article 5(1)(c) (data minimisation).
8.2 Tier 2 — non-PII operational metadata
All audit-log fields other than those in Tier 1 and Tier 3, including event type, actor type, tenant identifier, timestamp, sanitised payload summary, and request / response hashes. Retained for three hundred and sixty-five (365) days from the date of the event, after which they are hard-deleted (save for rows that are also Tier 3 records, which are retained on the Tier 3 schedule).
Legal basis — Article 6(1)(f) UK-GDPR (legitimate interest in operational forensics, security review, and dispute resolution). Retention period justified under Article 5(1)(e) (storage limitation) — 365 days covers the full annual operational cycle including all VAT-period boundaries.
8.3 Tier 3 — Submission confirmation records
The minimum-field record of every transmitted Submission: tenant identifier (foreign-key only), VAT period key, the VAT period start, end, and due dates (which anchor the six-year retention clock), Submission identifier, date and time of authorisation and transmission, HMRC receipt identifier, status, and hash of the HMRC response. No personal-data fields are included in a Tier 3 record. Retained for six (6) years from the end of the VAT period to which the Submission relates, after which they are hard-deleted.
Legal basis — Article 6(1)(c) UK-GDPR (compliance with the legal obligation in VAT Act 1994 Sch.11 to support inspection of VAT records), supplemented by Article 6(1)(f) (legitimate interest in maintaining evidence of historic Submissions for dispute resolution and HMRC inspection support).
8.4 Erasure rights and exemptions
The Supplier honours valid erasure requests under Article 17 UK-GDPR in respect of Tier 1 and Tier 2 data. Tier 3 records are exempted from erasure under Article 17(3)(b) (compliance with a legal obligation) and Article 17(3)(e) (defence of legal claims), to the extent and for the duration set out above. The Supplier will provide the data subject with a written explanation citing this exemption in response to any Tier 3-affecting erasure request, and will apply the exemption only to the strict minimum-field Tier 3 record.
8.5 Implementation
The Supplier implements this scheme by means of a scheduled job that runs at least daily and that (a) nulls Tier 1 fields on rows older than 90 days, (b) hard-deletes Tier 2 rows older than 365 days that are not also Tier 3 records, and (c) hard-deletes Tier 3 records older than the Tier 3 cut-off. This is part of the Article 25 UK-GDPR data-protection-by-design implementation of the Services.
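The job described in 8.5 is, in practice, three statements against the audit log. The following is an added illustration written for this page, not VATloop's own code: the schema (a single audit_log table in which Submission confirmation rows are flagged with is_submission_record and carry vat_period_end), the column names and the sample rows are all assumptions. SQLite is used because Cloudflare D1 speaks the same dialect, so the SQL carries over to a cron-triggered Worker unchanged.

```python
"""Three-tier audit-log retention job (added illustration; schema and data are assumed).

Tier 1: personal-data columns nulled in place after 90 days from the event.
Tier 2: non-Tier-3 rows hard-deleted after 365 days from the event.
Tier 3: Submission confirmation rows hard-deleted six years after the VAT period end.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

TIER1_DAYS = 90
TIER2_DAYS = 365
TIER3_YEARS = 6

# Assumed schema; D1 is SQLite-compatible so the same DDL applies there.
SCHEMA = """
CREATE TABLE audit_log (
    id                   INTEGER PRIMARY KEY,
    event_type           TEXT NOT NULL,
    tenant_id            INTEGER NOT NULL,
    occurred_at          TEXT NOT NULL,                  -- ISO-8601 UTC timestamp
    ip_address           TEXT,                           -- Tier 1 field
    user_agent           TEXT,                           -- Tier 1 field
    payload_summary      TEXT,                           -- Tier 2 (sanitised, non-PII)
    is_submission_record INTEGER NOT NULL DEFAULT 0,     -- 1 marks a Tier 3 row
    vat_period_end       TEXT                            -- YYYY-MM-DD; anchors the Tier 3 clock
);
"""


def iso(dt):
    """Render a UTC datetime the way the table stores it, so string comparison orders by time."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def years_before(dt, n):
    """Subtract whole years; 29 February falls back to 28 February in a non-leap target year."""
    try:
        return dt.replace(year=dt.year - n)
    except ValueError:
        return dt.replace(year=dt.year - n, day=28)


def run_retention(conn, now):
    """Apply steps (a), (b) and (c) of 8.5 and return per-tier counts for the job's own record."""
    t1_cutoff = iso(now - timedelta(days=TIER1_DAYS))
    t2_cutoff = iso(now - timedelta(days=TIER2_DAYS))
    t3_cutoff = years_before(now, TIER3_YEARS).strftime("%Y-%m-%d")
    cur = conn.cursor()

    # (a) Tier 1: null the personal-data columns in place; the rest of the row survives
    # on its own tier, which is why this runs on Tier 3 rows as well.
    cur.execute(
        "UPDATE audit_log SET ip_address = NULL, user_agent = NULL "
        "WHERE occurred_at < ? AND (ip_address IS NOT NULL OR user_agent IS NOT NULL)",
        (t1_cutoff,),
    )
    tier1_nulled = cur.rowcount

    # (b) Tier 2: hard-delete expired operational rows, never a row that is also a Tier 3 record.
    cur.execute(
        "DELETE FROM audit_log WHERE occurred_at < ? AND is_submission_record = 0",
        (t2_cutoff,),
    )
    tier2_deleted = cur.rowcount

    # (c) Tier 3: the six-year clock runs from the end of the VAT period, not from the event date.
    cur.execute(
        "DELETE FROM audit_log WHERE is_submission_record = 1 AND vat_period_end < ?",
        (t3_cutoff,),
    )
    tier3_deleted = cur.rowcount

    conn.commit()
    return {"tier1_nulled": tier1_nulled, "tier2_deleted": tier2_deleted, "tier3_deleted": tier3_deleted}


def seed_sample(conn, now):
    """Insert constructed sample rows (not real merchant data) covering each tier's outcome."""
    rows = [
        # recent HMRC link: inside every window, untouched
        ("hmrc_link", 1, iso(now - timedelta(days=10)), "203.0.113.7", "Mozilla/5.0", "link ok", 0, None),
        # Submission 120 days old: Tier 1 fields nulled, row kept on the Tier 3 schedule
        ("submission_transmitted", 1, iso(now - timedelta(days=120)), "203.0.113.7", "Mozilla/5.0", "receipt stored", 1, "2025-01-31"),
        # billing event 400 days old, no Tier 1 data: Tier 2 hard-delete
        ("billing", 1, iso(now - timedelta(days=400)), None, None, "charge accepted", 0, None),
        # Submission for a VAT period that ended more than six years ago: Tier 3 hard-delete
        ("submission_transmitted", 2, iso(now - timedelta(days=400)), "198.51.100.9", "Mozilla/5.0", "receipt stored", 1, "2018-06-30"),
    ]
    conn.executemany(
        "INSERT INTO audit_log (event_type, tenant_id, occurred_at, ip_address, user_agent, "
        "payload_summary, is_submission_record, vat_period_end) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        rows,
    )


def demo(now=datetime(2025, 6, 1, tzinfo=timezone.utc)):
    """Run the job against an in-memory copy; returns the counts and what is left in the table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    seed_sample(conn, now)
    counts = run_retention(conn, now)
    remaining = conn.execute(
        "SELECT event_type, ip_address, is_submission_record FROM audit_log ORDER BY id"
    ).fetchall()
    return counts, remaining


if __name__ == "__main__":
    print(demo())
```

Two details matter for the policy's wording: step (a) is run before the deletions so that a row which is also a Tier 3 record loses its IP address and user-agent at 90 days even though the row itself is kept, and the Tier 3 predicate compares vat_period_end rather than occurred_at, because 8.3 anchors the six-year clock on the end of the VAT period.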
9. International transfers
The Supplier processes personal data within the United Kingdom and the European Economic Area only. Cloudflare workloads run in EEA / UK regions; D1 storage is configured to Western Europe (WEUR). The Supplier will not transfer personal data outside the United Kingdom or EEA without an appropriate transfer mechanism under Chapter V UK-GDPR and prior written notice to the Merchant.
One exception applies by necessity: Shopify Inc. is a Canadian company that processes merchant data globally. Where the Supplier reads Merchant data via Shopify's Admin API, the transient personal data described in section 4 has already been processed by Shopify under its own data-protection terms (which the Merchant accepts as part of the Shopify platform contract). The Supplier does not initiate any further international transfer of this data.
10. Your rights
As a data subject under UK-GDPR you have the right to:
- Access the personal data we hold about you (Article 15).
- Rectification of inaccurate or incomplete personal data (Article 16).
- Erasure of your personal data ("right to be forgotten") under Article 17, subject to the Tier 3 exemption in section 8.4.
- Restriction of processing in defined circumstances (Article 18).
- Data portability — receive your personal data in a structured, commonly used, machine-readable format (Article 20).
- Object to processing based on legitimate interests (Article 21).
- Withdraw consent at any time where processing is based on consent (Article 7) — note that the Services do not rely on consent as the lawful basis for any core processing.
- Lodge a complaint with the UK Information Commissioner's Office.
11. Making a data-subject request
Two channels are available depending on your relationship with the Merchant:
If you are a customer of a Merchant using VATloop — please contact the Merchant first. The Merchant is the data controller for the order data they instructed us to process; we will respond to the Merchant's instruction. You may also use Shopify's built-in customer data-request mechanism, which fires the Shopify customers/data_request and customers/redact webhooks to us automatically. Where the Merchant uninstalls the app, Shopify's shop/redact webhook triggers complete deletion of the Merchant's persistent data (subject to the Tier 3 exemption).
If you are a Merchant or one of its authorised users — email [email protected] with the subject line "DSAR" and a brief description of the right you are exercising. We will respond within one month per Article 12(3), and may extend by a further two months for complex requests (with notice).
12. Scope expansion
Any proposal by the Supplier to expand the data the Services request, collect, store, or process beyond the scope described in sections 3 to 7 shall require a written variation to the Terms, notified to the Merchant not less than thirty (30) days before the change takes effect. The Merchant may terminate the Services without penalty if it does not agree to the variation.
13. Updates to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to Merchants by in-app notice and / or email not less than thirty (30) days before they take effect. The "Last updated" date at the top of this page reflects the date of the most recent revision. Historic versions are available on request.
Annex B — Data Processing Agreement
This Annex forms part of the agreement between the Supplier and each Merchant and governs the Supplier's processing of personal data on the Merchant's behalf for the purposes of UK-GDPR Article 28.
B.1 Scope and dual capacity
The Supplier processes personal data in two distinct capacities:
- as a processor on behalf of the Merchant (the controller) in respect of personal data the Supplier handles on the Merchant's instructions for the purpose of computing and transmitting Submissions, including the transient processing described in section 4 of the Privacy Policy;
- as an independent controller in respect of personal data the Supplier is statutorily required to collect for transmission to HMRC under HMRC's MTD VAT fraud-prevention header requirements (statutory authority: Finance (No. 2) Act 2017 sections 60 to 62 and HMRC's Making Tax Digital VAT API specification), as described in section 6 of the Privacy Policy ("fraud-prevention headers").
B.2 Subject matter, nature, purpose, and duration (processor capacity)
- Subject matter — personal data contained in Shopify order, refund, tax, and merchant-account records that the Services request from Shopify under the Merchant's authorisation.
- Nature and purpose — receipt, aggregation, computation of 9-box VAT totals, and transmission to HMRC, including the transient processing of customer-side personal data described in section 4 of the Privacy Policy.
- Duration — for the term of the Services plus the retention periods set out in section 8 of the Privacy Policy (audit-log retention).
- Categories of personal data — (i) merchant account: VAT registration number, contact email, Shopify user identifiers; (ii) merchant-side staff: user identifiers and session activity captured in the audit log; (iii) customer-side (transient only): order line records as returned by Shopify Admin API, which may include names, addresses, email addresses, phone numbers, customer IP addresses, and order notes.
- Categories of data subjects — (i) the Merchant's authorised users; (ii) the Merchant's customers (transient processing only).
B.3 Controller warranties
The Merchant warrants that it has lawful basis to instruct the Supplier to process the personal data described in B.2 for the purposes described, and that it has provided all notices and obtained all consents necessary under UK-GDPR Articles 13 and 14 in respect of the data subjects.
B.4 Supplier (processor) obligations
B.4.1 Instructions. The Supplier shall process personal data only on the documented instructions of the Merchant, including with regard to transfers, unless required by UK or EU law (in which case the Supplier shall inform the Merchant of that legal requirement before processing, save where prohibited by that law).
B.4.2 Confidentiality. The Supplier shall ensure that persons authorised to process the personal data are under a written confidentiality obligation or appropriate statutory obligation of confidentiality.
B.4.3 Security (Article 32). The Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- AES-256-GCM encryption at rest of all OAuth tokens via HKDF-derived per-purpose keys;
- TLS 1.2 or later in transit;
- least-privilege access controls on all stores;
- audit logging of all material events;
- regular review of measures' adequacy.
B.4.4 Sub-processors. The Merchant grants the Supplier general authorisation to engage the sub-processors listed in section 7 of the Privacy Policy. The Supplier shall provide not less than thirty (30) days' notice of any addition or replacement; the Merchant may object within that period and terminate the Services without penalty if the objection cannot be resolved.
B.4.5 Data-subject rights assistance. The Supplier shall, taking into account the nature of the processing, assist the Merchant by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Merchant's obligation to respond to requests for exercising data-subject rights under UK-GDPR Articles 15–22. The Supplier and the Merchant acknowledge that, in respect of the transient processing described in section 4 of the Privacy Policy, the Supplier holds no stored personal data of the relevant data subjects, and that the practical scope of this assistance is therefore limited to the persistent records described in section 3 of the Privacy Policy.
B.4.6 Breach notification. The Supplier shall notify the Merchant without undue delay and in any event within 48 hours of becoming aware of a personal-data breach affecting personal data processed under this Annex.
B.4.7 DPIA assistance. The Supplier shall provide reasonable assistance to the Merchant in carrying out data-protection impact assessments under Article 35 UK-GDPR and prior consultations with the Information Commissioner under Article 36, where required.
B.4.8 Records of processing. The Supplier shall maintain records of all processing carried out on the Merchant's behalf in accordance with Article 30(2) UK-GDPR, and shall make those records available to the Merchant on reasonable written request.
B.4.9 International transfers (Chapter V). As set out in section 9 of the Privacy Policy.
B.4.10 Deletion or return on termination. On termination or expiry of the Services the Supplier shall, at the Merchant's election, delete or return to the Merchant all personal data processed on the Merchant's behalf, save for data the Supplier is required to retain under (a) UK or EU law, or (b) the retention scheme set out in section 8 of the Privacy Policy, which the Supplier shall retain only for the periods stated there and protect at the same standard as during the term.
B.4.11 Audit and inspection. The Supplier shall make available to the Merchant all information necessary to demonstrate compliance with this Annex, and shall allow and contribute to audits, including inspections, conducted by the Merchant or another auditor mandated by the Merchant. The Merchant shall give not less than thirty (30) days' written notice of any audit. Where the Merchant's request can reasonably be satisfied by the Supplier's most recent third-party audit report or by written responses to a documented information-security questionnaire, the Supplier may provide those in place of an on-site inspection. On-site inspections shall not exceed one per calendar year save where required following a personal-data breach.
B.5 Controller obligations on the fraud-prevention path
In respect of fraud-prevention headers transmitted under section 6 of the Privacy Policy, the Supplier acts as an independent data controller and assumes the obligations of a controller under UK-GDPR, including in respect of lawfulness (Article 6(1)(c) — compliance with the statutory obligation), transparency (Articles 13 and 14 — disclosure in this Annex and section 6 of the Privacy Policy), data-subject rights (Articles 15–22), and security (Article 32, applying the same measures as in B.4.3). The Merchant is not the controller of fraud-prevention headers and bears no controller obligations in respect of them.
B.6 Order of precedence
In the event of conflict between this Annex and the main Terms, this Annex prevails in respect of the processing of personal data and the parties' obligations under UK-GDPR. The main Terms prevail in all other respects.