Privacy Policy

Introduction

THEAX LTD (Company No. 11980590), trading as Axel Up, A.X.E.L, and AXEL.TRADE (axel.trade) and A.X.E.L Portal (portal.axel.trade), is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal information when you visit our website or use our services.

We are based at 3 Crompton Street, Bury, United Kingdom, BL9 0AD and operate in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Protection Contact

For all data protection matters, you can contact us at:

• Email: [email protected]
• General inquiries: [email protected]
• Post: Data Protection, THEAX LTD, 3 Crompton Street, Bury, BL9 0AD

Information We Collect

Information You Provide

When you use the project estimator, contact form, or engage our services, we may collect:

• Name and contact details (email address, phone number)
• Company name (if applicable)
• Project details and requirements you share
• Communications between us

Information Collected Automatically

When you visit our website, we may automatically collect:

• IP address and approximate location
• Browser type and device information
• Pages visited and time spent on site
• Referring website

A.X.E.L Portal Data

When you use A.X.E.L Portal services, we collect and process:

• Business data: Leads, quotes, invoices, expenses, timesheets
• Team data: User accounts, roles, permissions, activity logs, team memberships
• Customer data: Contact details, project information, communication records
• Financial data: Payment information, transaction records, billing details
• Media files: Receipt images stored securely in Cloudflare R2
• Voice recordings: Temporarily processed for speech-to-text, then deleted
• Usage analytics: Feature usage, performance metrics, anonymized behavior patterns

Team Accounts & Multi-User Data

A.X.E.L supports team accounts where a business can invite team members (employees, self-employed subcontractors, and administrators) who each receive their own independent A.X.E.L account. This section explains how data is collected, shared, and protected in team contexts.

Account Creation via Invitation

When a business invites you to their team, an independent A.X.E.L account is created for you using the name and email address provided by the inviting business. You receive a temporary password via email and can change it immediately upon first login.

Legal basis: Account creation via invitation is processed on the basis of legitimate interest (facilitating a business relationship between you and the inviting business) and contract performance (providing the A.X.E.L service). You may delete your account at any time if you do not wish to participate.

Data Sharing Between Business and Team Member

When you are a member of a business's team, certain data is shared between your personal account and the business account:

Data the business CAN access about you:

• Jobs you are assigned to and your work status on those jobs
• Timesheets and hours logged against the business's jobs
• CIS payment records — gross amounts, deductions, and net payments made to you by the business
• Invoices exchanged between you and the business
• Your name, email address, and phone number as provided during team setup

Data the business CANNOT access:

• Your bank account connections, balances, or transaction history
• Your personal expenses, receipts, or mileage records
• Your Self Assessment drafts, tax calculations, or filed returns
• Your income from other sources or other businesses
• Your personal settings, preferences, or security credentials
• Any data from other teams or businesses you may belong to

Business owners can configure visibility restrictions for each team member, which may limit what business data the member can see (for example, hiding job values, customer contact details, or financial totals). These restrictions are set by the business owner and apply only within the business context.

CIS Data Bridge (Automatic Data Transfer)

If you are a self-employed (CIS) team member, CIS deduction records created by the business are automatically synced to your personal account's “CIS Deductions Received” section. This enables:

• Automatic population of CIS data in your Self Assessment tax return
• Real-time visibility of deductions taken from your payments
• Accurate tax calculations without manual data entry

This automatic transfer occurs in the background whenever the business records a CIS payment involving you. You can view all synced records in your personal account and they are clearly marked as “Auto-synced from employer.”

Legal basis: This data transfer is processed on the basis of contract performance (providing the CIS tracking and Self Assessment features) and legitimate interest (ensuring accurate tax records for both parties, as required by HMRC regulations).

Sponsored Accounts

A business may sponsor a team member's A.X.E.L subscription, covering the cost of their plan. Sponsorship is a billing arrangement only — it does not grant the sponsoring business any additional access to the member's personal data beyond what is described above.

Multi-Team Membership

You may belong to multiple business teams simultaneously. Each business can only see data relevant to their own relationship with you. Data from one business is never shared with another business, even if you are a member of both.

Team Disconnection & Data Retention

If a business removes you from their team:

• You immediately lose access to the business's data (jobs, timesheets, etc.)
• Your personal account, data, and any personal SA/expense records remain completely intact
• CIS deduction records that were synced to your personal account are retained (they are your tax records)
• If the business was sponsoring your plan, you receive a 7-day grace period to subscribe independently before features are restricted to the free tier
• The business cannot delete your account — they can only remove you from their team
• Your personal data is never deleted as a result of team disconnection

Identity Verification Data

If you use our Expert Review & Filing service, we verify your identity using Stripe Identity (provided by Stripe, Inc.), a bank-grade identity verification service. This is required under Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations before an accountant can file a Self Assessment tax return on your behalf.

When you complete identity verification, Stripe collects and processes:

• Identity documents: A photo of your passport, driving licence, or national ID card
• Selfie: A photo of your face, used to match against your ID document
• Extracted information: Name, date of birth, address, and document number as read from your ID

How we handle identity verification data:

• Your documents and selfie are processed and stored by Stripe — we never receive, store, or have access to the raw images
• We only receive the verification result (pass/fail), your verified name, and address from Stripe
• Verification is initiated only when you explicitly click “Verify My Identity” in your settings
• Stripe processes your data under their own Privacy Policy
• You can request deletion of your verification data by contacting us at [email protected]

Legal basis: We process identity verification data on the basis of legal obligation (AML/KYC requirements for tax agent services) and contract performance (providing the Expert Review & Filing service you purchased).

Retention: Verification status and verified name are retained for the duration of your subscription plus 7 years (in line with AML record-keeping requirements). Stripe retains the underlying verification data in accordance with their own retention policies.

HMRC Data — Self Assessment, VAT & CIS

If you connect your HMRC Government Gateway account through A.X.E.L Portal, we access and process data via the following HMRC APIs on your behalf:

• Making Tax Digital for Income Tax (MTD ITSA): Business details, quarterly update obligations, self-employment and property income submissions, tax calculations, and final declarations
• Self Assessment: Annual tax return data for users below the MTD income threshold
• VAT (MTD): VAT return obligations, 9-box quarterly VAT returns, liabilities, and payment history
• CIS Deductions: Gross amounts paid, materials costs, deduction amounts, net payments, contractor details, and subcontractor verification status

How we handle HMRC data:

• HMRC data is accessed only when you explicitly initiate a sync, submission, or verification action
• We use OAuth 2.0 — we never see or store your Government Gateway login credentials
• Access tokens are encrypted at rest and automatically refreshed; refresh tokens are single-use
• HMRC data is stored in the same encrypted database (Cloudflare D1) as your other business data, scoped to your account and hosted in the EU (Western Europe region)
• You can disconnect your HMRC connection at any time from Settings, which revokes our access

Fraud Prevention Headers (Transaction Monitoring)

When you use HMRC-connected features, we are required by law to collect and transmit certain device and browser metadata to HMRC for fraud prevention and transaction monitoring purposes. This is mandated by The Delivery of Tax Information through Software (Ancillary Metadata) Regulations 2019.

The data we collect and transmit to HMRC includes:

• Device identifier: A unique, persistent identifier generated and stored in your browser (UUID format, stored in localStorage)
• IP address: Your public IP address at the time of the HMRC request
• Browser and device information: Browser user-agent string, screen resolution, scaling factor, colour depth, window dimensions, timezone, and Do Not Track preference
• Multi-factor authentication status: Whether 2FA was used, the type (TOTP), and when it was last verified (a hashed reference to your 2FA secret is included — never the secret itself)
• User identifier: Your A.X.E.L account identifier (not your email or personal details)
• Vendor information: Our application name, version, and server IP address

This data is transmitted securely via HTTPS directly to HMRC's API servers as HTTP headers. It is not stored separately by us — it exists only in HMRC's systems after transmission. HMRC uses this data to detect and prevent fraud and may retain it for up to 6 years in accordance with their own retention policies. For more information, see HMRC's fraud prevention guidance.

Legal basis: We process HMRC data on the basis of contract performance (providing the tax management features you requested) and legal obligation (The Delivery of Tax Information through Software (Ancillary Metadata) Regulations 2019, and record-keeping requirements under the Income Tax Act and VAT Act 1994).

Retention: Tax submission records and snapshots are retained for 7 years from the end of the relevant tax year, in line with HMRC record-keeping requirements. VAT return records are retained for 6 years. HMRC access tokens are deleted when you disconnect.

Open Banking Data

If you connect your bank account through A.X.E.L Portal, we access your bank data via an FCA-authorised Open Banking provider. A.X.E.L acts as an agent of that provider when accessing and displaying your bank information.

We access the following data from your bank:

• Account details: Account name, account number, sort code, and account type
• Balances: Current and available balances
• Transaction history: Transaction dates, amounts, descriptions, merchant names, and references

How we handle Open Banking data:

• Bank data is accessed only when you explicitly connect your bank or initiate a sync
• We never see or store your bank login credentials — you authenticate directly with your bank via our Open Banking provider's secure redirect
• Open Banking consent is valid for 90 days; you will be prompted to reconnect when it expires
• Imported transactions are automatically categorised using trade-specific rules (e.g. Screwfix → Materials, Shell → Vehicle/Fuel) to assist with bookkeeping and tax preparation
• You can review and change any auto-categorisation at any time
• You can disconnect your bank at any time from Settings, which revokes our Open Banking provider's access to your bank data
• Previously imported transactions are retained after disconnection for bookkeeping continuity; you may request their deletion separately

Legal basis: We process Open Banking data on the basis of contract performance (providing the bookkeeping, expense tracking, and tax review features you requested) and consent (you explicitly authorise bank access via the Open Banking consent flow).

Retention: Imported bank transactions are retained for the duration of your subscription plus 90 days (or 7 years from the end of the relevant tax year where transactions are linked to tax records). Open Banking consent tokens are deleted when you disconnect your bank.

How We Use Your Information

We use your information to:

• Respond to your enquiries and provide project estimates
• Deliver the services you have engaged
• Send project updates and relevant communications
• Improve our website and services
• Comply with legal obligations

Legal Basis for Processing

We process your data based on:

• Consent: When you submit a contact form or estimator request
• Contract: To fulfil services you have engaged
• Legitimate interests: To improve our services and website
• Legal obligation: For tax and business records

Detailed Lawful Basis

Automated Decision-Making

A.X.E.L Portal uses automated systems and AI to assist with business processes. These include:

AI Lead Scoring

• Automatically evaluates and ranks leads based on conversion likelihood
• Uses factors like response time, project size, and communication patterns
• Helps prioritize follow-up efforts for better business outcomes
• You can review and override all AI scoring decisions

AI Quote Generation

• Suggests quote amounts based on project descriptions and historical data
• Considers industry standards, project complexity, and your pricing patterns
• All AI-generated quotes require human review and approval before sending

Expense Categorization

• Automatically categorizes business expenses from receipt images
• Uses OCR and AI to identify expense types and amounts
• Categorization can be reviewed and corrected at any time

Your Rights: You have the right to request human review of any automated decision and to challenge or override AI recommendations. See our AI Supplementary Terms for more details.

WhatsApp Messaging

We use the WhatsApp Business Platform (provided by Meta Platforms, Inc.) to communicate with customers. When you message us on WhatsApp:

• Your phone number, name, and profile information (as set in your WhatsApp account) are received
• Message content you send (text, images, documents) is processed to respond to your enquiry
• Messages may be handled by automated systems to provide faster responses

WhatsApp messages are processed on the basis of legitimate interest (responding to your enquiry) or consent (when you initiate contact). Messages are retained for up to 2 years from last contact for service continuity, then deleted.

Meta processes WhatsApp data in accordance with their own Privacy Policy. We do not use your WhatsApp data for marketing unless you explicitly opt in.

Data Sharing and Sub-Processors

We do not sell your personal information. We may share data with trusted third-party processors:

• Payment processing: Stripe for billing and subscription management
• Cloud infrastructure: Cloudflare for hosting, CDN, and database services
• AI processing: OpenAI for AI features, ElevenLabs for voice synthesis
• Email services: Resend for transactional emails and notifications
• Analytics: Google Analytics for website usage insights (anonymized)
• Messaging platforms: WhatsApp (Meta Platforms, Inc.) for business communications
• Open Banking: an FCA-authorised Open Banking provider for secure bank account data access and transaction retrieval
• Identity verification: Stripe Identity (Stripe, Inc.) for AML/KYC document verification when using the Expert Review & Filing service
• HMRC: HM Revenue & Customs for CIS deduction submissions and verification (when you connect your Government Gateway account)
• Legal requirements: If required by law or court order

For a complete list of sub-processors, their purposes, and data protection measures, see our Sub-Processor List.

International Data Transfers

Some of our sub-processors are located outside the UK and EU. When personal data is transferred internationally, we ensure appropriate safeguards:

Transfer Mechanisms

• Standard Contractual Clauses: Approved by UK and EU authorities for transfers to third countries
• Adequacy decisions: Where the UK has determined adequate data protection exists
• Additional safeguards: Technical measures like encryption, access controls, and audit requirements

Key Transfer Locations

• United States: OpenAI (AI processing), Resend (email), Google (analytics), Meta (WhatsApp)
• Global: Cloudflare (with data residency controls where available)

Data Retention

We retain personal information only as long as necessary for the purposes outlined in this policy. Our detailed retention schedule:

Your Rights

Under UK GDPR, you have the right to:

• Access: Request copies of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data (subject to legal obligations)
• Restriction: Limit how we process your data
• Object: Object to processing based on legitimate interests
• Data portability: Receive your data in structured, machine-readable format
• Withdraw consent: For processing based on consent
• Lodge complaints: With the Information Commissioner's Office (ICO)

Data Portability and Export

A.X.E.L Portal users can export their data in standard formats:

• CSV format: Leads, quotes, invoices, expenses, timesheets
• JSON format: Complete data export including metadata
• PDF reports: Formatted business reports and summaries
• Receipt images: Downloadable via secure links

Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

Data Breach Notification

In the event of a personal data breach:

• Authority notification: We will notify the ICO within 72 hours where required
• Individual notification: We will inform affected individuals without undue delay if the breach poses high risk
• Mitigation measures: We will take immediate steps to contain and remedy any breach
• Transparency: We may publish general information about significant incidents

Security

We implement appropriate technical and organisational measures to protect your data. However, no internet transmission is 100% secure, and we cannot guarantee absolute security.

Changes to This Policy

We may update this policy from time to time. Significant changes will be noted on this page with an updated revision date.