qwartly - MTD Bridging Software That Lets You Keep Your Spreadsheet

qwartly is MTD bridging software that connects your existing spreadsheets to Making Tax Digital. No new software to learn, no data to re-enter. Just £49/year.

Making Tax Digital for Income Tax Starts April 2026

From April 2026, HMRC requires sole traders and landlords with income over £50,000 to keep digital records and submit quarterly updates using MTD-compatible software. The threshold drops to £30,000 from April 2027 and £20,000 from April 2028.

How It Works

  1. Upload your spreadsheet - Drop in the same Excel or CSV file you already use.
  2. Map your columns - Tell qwartly which columns are income, expenses, and dates.
  3. Submit to HMRC - We format everything to HMRC's spec and submit via their official API.

MTD Bridging Software Pricing

£49 per year - Unlimited quarterly submissions, all spreadsheet formats, direct HMRC API connection, column mapping saved for next time, submission history and confirmations, email support.

That's less than £1 per week. Most MTD software charges £12-£30 per month.

To use qwartly, please enable JavaScript in your browser.

Skip to main content

Legal

Privacy Policy

This Privacy Policy explains how qwartly handles personal data for its MTD bridging software service and related marketing, support, billing, and compliance activities.

1. Who we are

qwartly is a trading name of OVERCLOCK MINDS LTD, a company registered in England & Wales (Companies House number 17120394), which is the data controller for the personal data described in this policy. You can contact us, including our Data Protection Lead, at hello@qwartly.co.uk.

2. What data we collect

  • Account details such as your name, email address, password hash, and marketing preferences.
  • Tax workflow data such as NI number, spreadsheet financial data, HMRC submission records, saved mappings, business profiles, and reminder preferences.
  • HMRC OAuth tokens and HMRC fraud-prevention headers used to access the MTD API securely.
  • Billing and subscription information processed through Stripe. We do not store your full card details.
  • Cookie consent records and your Google Ads conversion-tracking preference.

3. Purposes and legal bases

We rely on a specific UK GDPR Article 6 lawful basis for each category of personal data. Our full Record of Processing Activities maps every data category to its basis, recipients, and retention period; the key mappings are:

  • Account and authentication data (name, email, password hash) — Article 6(1)(b) performance of a contract: creating and securing your account.
  • Tax-workflow data, including your National Insurance number, spreadsheet financial data, saved mappings, business and property profiles, submissions, and final declarations — Article 6(1)(b) performance of a contract, to provide the bridging and submission service you signed up for. Your NI number is a national identifier (not special-category data under Article 9); it is encrypted at rest and used only for HMRC submission.
  • HMRC OAuth tokens — Article 6(1)(b) performance of a contract: maintaining your authorised connection to HMRC.
  • HMRC fraud-prevention header metadata — Article 6(1)(c) legal obligation: the Ancillary Metadata Regulations 2019 (SI 2019/360) require this on every MTD API call (see section 10).
  • Terms & Conditions acceptance record — Article 6(1)(c) legal obligation and Article 6(1)(b): evidencing the contract you entered into at registration.
  • Billing and subscription data — Article 6(1)(b) performance of a contract and Article 6(1)(c) legal obligation: processing payment and meeting tax and accounting record-keeping duties.
  • Retention of tax, submission, billing, and audit records after account closure — Article 6(1)(c) legal obligation: UK tax, accounting, and anti-fraud record-keeping requirements.
  • Service security, abuse prevention, audit logging, and operational troubleshooting — Article 6(1)(f) legitimate interests: keeping the service and your data secure and diagnosable, balanced against your rights.
  • Marketing emails, optional Google Ads conversion tracking, and non-essential cookies — Article 6(1)(a) consent, which you can withdraw at any time.

4. Third-party processors

  • HMRC for Making Tax Digital API access and submission processing.
  • Stripe for payments, invoicing, and subscription administration.
  • Brevo for transactional and marketing email delivery.
  • Google for optional Google Ads and gtag conversion measurement.
  • IONOS as our production hosting provider. Production customer data is processed and stored on IONOS Cloud infrastructure located in the United Kingdom.

4a. Hosting, location, and encryption

Production servers, the PostgreSQL database volume, the Redis cache volume, and routine backups are hosted on IONOS Cloud infrastructure in the United Kingdom. We do not knowingly replicate production customer data outside the United Kingdom.

Encryption is layered. Transport Layer Security (TLS) protects data in transit between your browser, qwartly, and HMRC. Storage and volume encryption is enabled at the operating system layer for the application server, the database volume, the Redis cache volume, and backup snapshots. In addition, qwartly uses application-layer encryption (Fernet, AES-128 in CBC mode with HMAC-SHA256) inside the FastAPI application before sensitive financial and tax payloads are written to the database.

Application-layer encryption is applied to: HMRC OAuth access and refresh tokens, your NINO, HMRC business identifier payloads, spreadsheet filenames, headers and row previews, validation snapshots, saved column-mapping payloads, submission snapshots and line-item amounts, tax calculation snapshots, final declaration calculation and error details, and audit log detail payloads.

Application-layer encryption is in addition to, not a replacement for, access controls. Some operational metadata remains readable to the qwartly application and database operators under role-based access controls: your email address, business routing identifiers, HMRC correlation IDs, Stripe customer and subscription identifiers, record statuses and timestamps, and spreadsheet file hashes. This data is needed for login, routing, support correlation, billing reconciliation, filtering, and retention administration.

5. Data retention

  • Active account profile data is retained while your account is open. If you close your account, the live sign-in record is anonymised immediately and an anonymised account row may be retained for compliance and systems integrity.
  • HMRC access tokens: deleted when you disconnect your HMRC account.
  • Audit logs and compliance records: retained for up to 6 years, then deleted automatically.
  • Spreadsheet uploads, validation snapshots, saved mappings, business profiles, notification preferences, and sent reminder records: retained until you delete them, they expire automatically, or you close your account.
  • Validation snapshots: up to 7 days, then automatically deleted.
  • Submission records, final declarations, and subscription or billing history: retained where required by tax, accounting, anti-fraud, or legal obligations, including after account closure.
  • Cookie consent logs: retained as compliance evidence.
  • Waitlist records: until launch, unsubscribe, or a shorter lawful retention need applies.

6. Your rights

Under UK GDPR you have the right to ask for access, rectification, erasure (subject to legal retention requirements), restriction, portability, objection, or withdrawal of consent. You can exercise these rights either through the in-app routes listed below or by emailing hello@qwartly.co.uk.

6a. Data portability and right to access (in-app routes)

You can exercise your UK GDPR rights of access and portability directly inside qwartly. The following dashboard routes are available to every logged-in customer:

  • Account and processed-data export — Settings → Account settings (route /dashboard/settings) calls GET /api/auth/data-export and returns a machine-readable JSON document containing your profile, your Terms & Conditions acceptance record (version and date), marketing-consent record, HMRC connection metadata (including business identifiers), saved column mappings, business profiles, property business records, Business Source Adjustable Summary (BSAS) calculation records, notification preferences, validation snapshots, submission records, final declarations, subscription and billing records, and audit references.
  • Submitted quarterly summaries and final declarations — Submissions (route /dashboard/submissions) and individual submission pages (/dashboard/submissions/:id) provide per-submission PDF receipt downloads (showing the HMRC correlation ID, status, and totals). The full mapped data snapshot for each submission and the line-item totals are also returned in machine-readable JSON form by the data-export route described above.
  • Business details export — exported HMRC business identifiers and stored business profiles are included in the JSON document produced by /dashboard/settings → data export.
  • Account closure and data deletion — Settings → Danger zone (route /dashboard/settings, action "Close account") immediately deletes stored HMRC connection data, uploaded spreadsheets, validation snapshots, saved mappings, sent reminder history, notification preferences, business profiles, and active sessions. Submission records, final declarations, subscription and billing history, and audit logs are retained where required by UK tax, accounting, anti-fraud, or other legal obligations.
  • Rectification of name, email, and marketing preference — Settings → Profile (route /dashboard/settings).
  • Withdrawal of optional consent — Cookie Preferences on the site-wide legal bar or footer; marketing consent toggle in Settings → Profile.

7. International transfers

qwartly is designed for UK and EEA processing. Where Stripe, Brevo, or Google involve transfers outside the UK or EEA, we rely on appropriate safeguards such as standard contractual clauses or equivalent measures.

8. Automated decision-making

qwartly does not make decisions about you using solely automated processing that produce legal or similarly significant effects.

9. Cookies

  • Essential cookies, including csrf_token and refresh_token, are used to keep sign-in and session security working.
  • Optional Google Ads / gtag conversion tracking loads only after you opt in through the cookie banner or cookie preferences controls.
  • You can revisit your choice at any time through Cookie Preferences on the site-wide legal bar or footer.

10. Fraud-prevention browser metadata (legally required)

When you connect qwartly to HMRC and submit Self Assessment data on your behalf, HMRC requires us to attach a bundle of fraud-prevention headers to every API call. To produce these headers we collect the following details from your browser, used only for the corresponding HMRC submission:

  • User-agent string (the value your browser already sends to every website it visits).
  • Screen size, browser window size, scaling factor, and colour depth.
  • Your timezone as a UTC offset (for example UTC+01:00).
  • A persistent device identifier stored in your browser's localStorage under the key qwartly.hmrc.deviceId. This is a random UUID that does not contain any personal information. You can clear it at any time by clearing site data for qwartly.co.uk.
  • Lawful basis: UK GDPR Article 6(1)(c) — processing necessary for compliance with a legal obligation. The legal obligation is the Ancillary Metadata Regulations 2019 (SI 2019/360), made under section 132A of the Finance Act 2008, together with HMRC's directions made under those regulations (directions last updated 16 April 2025). The regulations require software that submits Income Tax Self Assessment or VAT (MTD) data on behalf of users to attach the prescribed fraud-prevention headers to every API call. We do not use this metadata for marketing, profiling, or any purpose other than the HMRC submission it accompanies. Further detail is in HMRC's published fraud-prevention specification (see reports/hmrc/docs/fraud-prevention-overview.md in our compliance evidence pack).

11. Your right to complain to the ICO

If you are unhappy with how we handle your personal data, you can complain to the Information Commissioner's Office at ico.org.uk.

12. Changes to this policy

We may update this Privacy Policy to reflect legal, operational, or product changes. Last updated: 14 May 2026. Material updates will be highlighted by email or an in-product notice where appropriate.

13. Contact

For privacy questions, rights requests, or complaints, email hello@qwartly.co.uk.

qwartlyhello@qwartly.co.uk
All prices include VATAnnual subscription: £49/year