Mia Accounting Privacy Policy
Last updated 21 May 2026
This notice describes how Mia Accounting handles personal data on behalf of the businesses and individuals who use the service. It is written to satisfy the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and to make clear what we do (and do not do) with the data you share with us when you submit VAT returns to HM Revenue & Customs through Making Tax Digital.
1. Who we are
Mia Accounting is operated by Voyage Manager Ltd (company number 07365818, registered in England and Wales, registered office: 48 Gunhild Way, Cambridge CB1 8RB, United Kingdom). For the purposes of UK GDPR, Voyage Manager Ltd is the data controller for account-related data (your login email, name, billing information) and a data processor for the business and financial data you record in the application on behalf of the business you administer.
Information Commissioner's Office (ICO) registration: ZB012114 (registered 11 March 2021, valid until 10 March 2027).
Our Data Protection Officer is John Scott. You can reach the DPO at privacy@miabazo.com for any question relating to how we handle your personal data.
2. What we collect
- Account data — the name, email address, and password hash you supply when you create an account, plus authentication metadata (login timestamps, IP address of the request, browser user-agent string).
- Business data — the legal name, trading address, VAT registration number, and contact details of the business you administer; the contacts (customers and suppliers) you add; and the invoices, bills, expenses, journal entries, and bank transactions you record.
- HMRC integration data — the OAuth 2.0 access token and refresh token HMRC issues to your Government Gateway session, the scopes you granted, and the metadata HMRC returns for each VAT return you submit (period key, form bundle number, charge reference, processing date).
- Fraud-prevention data — the information HMRC requires us to send with every MTD-VAT API call so that HMRC can detect fraudulent submissions. This includes your public IP address at the time of submission, your browser type and plugin list, screen dimensions, time zone, and a one-way hash of your Mia Accounting user identifier. The full list is defined by HMRC's Gov-Client-* and Gov-Vendor-* header specification.
- Support data — if you contact us by email, the message contents and any attachments you send.
3. What we do NOT collect or store
Mia Accounting never sees, processes, or stores your HMRC Government Gateway sign-in details. When you connect Mia Accounting to HMRC, you are redirected to api.service.hmrc.gov.uk/oauth/authorize — HMRC's own domain — where you authenticate with HMRC directly. HMRC returns an authorization code to Mia Accounting; we exchange that for an access token and refresh token. Your HMRC username and password are exchanged exclusively between you and HMRC and are not visible to Mia Accounting at any point in the flow.
4. Lawful basis (UK GDPR Article 6)
- Contract — processing necessary to provide the accounting service you subscribed to, including HMRC submissions you initiate.
- Legal obligation — transmission of fraud-prevention data to HMRC is mandated by HMRC's terms for MTD software vendors.
- Legitimate interest — service security, fraud prevention, anonymised product analytics, and responding to your support enquiries.
5. How we use your data
We use the data above only to run the accounting workspace you signed up for, transmit returns and obligations to HMRC at your direction, send you transactional email (invoices, password resets, billing receipts), and respond to support requests. We do not sell, rent, or trade your data, and we do not use your financial data to train AI models.
6. Sub-processors
We rely on the following providers to deliver the service. Each is bound by a written data processing agreement and processes data only on our documented instructions.
| Provider | Purpose | Region |
|---|---|---|
| Microsoft Azure | Application hosting, SQL database, key storage | United Kingdom (UK South / UK West) |
| HMRC | Submission of VAT returns, retrieval of obligations and liabilities | United Kingdom |
| Stripe Payments UK Ltd | Subscription billing and card processing | United Kingdom / European Economic Area |
| SendGrid (Twilio Inc.) | Transactional email delivery | European Economic Area |
| GoCardless Ltd | Open Banking account aggregation (optional, only if you connect a bank) | United Kingdom |
| Anthropic PBC | AI-assisted parsing of receipts and bank statements (optional, only if you enable the feature) | United States (Standard Contractual Clauses in place) |
7. Where your data is stored
Customer business and financial data is stored in Microsoft Azure data centres in the United Kingdom. Encrypted backups are held in the same region. Where a sub-processor operates from the European Economic Area, transfers are made under the UK Addendum to the EU Standard Contractual Clauses. Transfers to the United States (currently only Anthropic for optional AI features) are made under the UK International Data Transfer Addendum.
8. How we protect your data
- Encryption in transit — all traffic to Mia Accounting is served over TLS 1.2 or higher. All API calls to HMRC are made over TLS to api.service.hmrc.gov.uk.
- Encryption at rest — the Azure SQL database uses Transparent Data Encryption (AES-256). HMRC OAuth tokens are additionally encrypted at the application layer using ASP.NET Core's Data Protection API (IDataProtector, purpose Mia.Hmrc.OAuthTokens.v1) before being written to the database, so a database backup alone cannot be used to call HMRC on your behalf.
- Tenant isolation — every record is scoped to a specific business, and authorisation is enforced on every request. A user signed into business A cannot read or modify data belonging to business B.
- Employee access — access to production data is restricted to named members of staff who require it to operate the service, granted on the principle of least privilege, logged, and revoked when no longer required.
- Penetration testing — the application is subject to periodic independent security testing; findings are tracked to closure.
9. Retention
- Account data — retained while your subscription is active and for 90 days after cancellation, after which it is deleted unless we are required by law to retain it.
- Business and financial records — retained for the statutory period required by HMRC for VAT records (currently 6 years from the end of the accounting period to which they relate). You may export your data at any time.
- HMRC OAuth tokens — held only while the connection is active. Access tokens expire automatically (4 hours by HMRC's policy); refresh tokens are valid for 18 months and are deleted immediately if you disconnect HMRC from the Settings page.
- Fraud-prevention header values — transmitted to HMRC with each submission and retained in our application logs for 90 days for incident-investigation purposes.
- Support correspondence — retained for 24 months from the date of last contact.
10. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you (Article 15);
- request correction of inaccurate data (Article 16);
- request deletion where we no longer need it and no statutory retention applies (Article 17);
- request that we restrict processing (Article 18);
- receive your data in a structured, machine-readable format (Article 20) — the application provides CSV and PDF export from every report and ledger;
- object to processing carried out on the basis of legitimate interest (Article 21);
- withdraw consent for any optional feature (e.g. AI receipt parsing) at any time.
To exercise any of these rights, email privacy@miabazo.com. We will respond within one month. If you are not satisfied with our response you may complain to the Information Commissioner's Office at ico.org.uk.
11. Personal data breaches
In the event of a personal data breach that meets the UK GDPR threshold we will notify the Information Commissioner's Office within 72 hours of becoming aware of it, and will notify affected customers without undue delay. Where the breach relates to data we have submitted to HMRC on your behalf, we will also notify HMRC's Software Developer Support team at softwaredevelopersupport@service.hmrc.gov.uk.
12. Reporting a security concern
If you believe you have found a security vulnerability in Mia Accounting, please follow our responsible-disclosure process.
13. Changes to this notice
We may update this notice from time to time. Where the change is material we will notify account holders by email at least 30 days before it takes effect. The date at the top of this page reflects the most recent revision.
14. Contact
Privacy enquiries: privacy@miabazo.com
Postal: Voyage Manager Ltd, 48 Gunhild Way, Cambridge CB1 8RB, United Kingdom