This policy explains what personal data Dhando (“we”, “the service”) collects, why, and your rights over it. We are the data controller for the personal data described here. [Insert legal entity name, registered address, and ICO registration number.]
What we collect
- Account & profile: name, nickname, email, date of birth, phone number and postal address you provide at signup.
- Financial data: transactions, account balances, categories, budgets, savings targets, reminders and reports you create or import (via CSV or, where connected, Open Banking).
- Bank & broker connections: when you link an account through TrueLayer or GoCardless (Open Banking) or Trading 212, we receive account and transaction data and store access credentials encrypted at rest.
- HMRC / Making Tax Digital: if you use the MTD for Income Tax filing feature, we process your National Insurance number, the HMRC business identifiers we retrieve for you, and the tax figures you choose to submit. The HMRC authorisation (OAuth) tokens are stored encrypted at rest; we never see or store your HMRC sign-in details.
- Fraud-prevention data: HMRC requires anti-fraud information to accompany each MTD submission — your device and connection details (e.g. a device identifier, browser, screen and window size, time zone and IP address). This is collected only when you file and is sent only to HMRC.
- Technical: a session cookie to keep you signed in, and server logs for security and reliability.
How we use it
- To provide the service — categorise transactions and generate your reports, budgets and forecasts.
- To authenticate you and keep your account secure.
- To send transactional email (verification, password reset, workspace invitations).
- To file Making Tax Digital for Income Tax submissions to HMRC when you choose to, and to include the fraud-prevention data HMRC requires with each submission.
Lawful bases: performance of our contract with you (including the MTD filing you request), your consent (for Open Banking connections), and our legitimate interest in securing and operating the service. The fraud-prevention data is sent to meet HMRC’s requirements for the MTD service. [Confirm with counsel.]
Who we share it with
We do not sell your data. We share it only with processors that help us run the service:
- HMRC when you file Making Tax Digital for Income Tax — the tax figures you confirm, plus the mandatory fraud-prevention data. HMRC is a separate data controller for what it receives.
- Open Banking providers (TrueLayer, GoCardless) when you connect a bank account.
- Trading 212 when you connect an investment account.
- Hosting, database and object-storage providers that store your data on our behalf.
- An email provider for transactional messages.
[List the specific sub-processors and their locations once finalised.]
Where joint workspaces are concerned
If you join a shared (“joint”) workspace, other members can see the financial data in that workspace. Members’ contact details are not exposed to one another beyond what’s needed to manage membership.
Retention
We keep your data while your account is active. When you delete your account (see below), your personal data and personal workspace are removed; shared workspaces you don’t solely own remain available to their other members. Backups are retained for a limited period and then expire. [State the retention period.]
Your rights
Under UK GDPR you can access, correct, export, restrict, or delete your personal data, and object to certain processing. We’ve built two of these into the app:
- Export — download a copy of your data from Profile → Export your data.
- Erasure — delete your account and personal data from Profile → Delete account.
To exercise any other right, contact us at [privacy@yourdomain]. You also have the right to complain to the UK Information Commissioner’s Office (ICO).
Security
Passwords are hashed (scrypt); bank/broker credentials are encrypted at rest; access is scoped per workspace; and connections use HTTPS. No system is perfectly secure, but we apply reasonable technical and organisational measures.
Changes
We’ll update this policy as the service evolves and revise the date above. Material changes will be notified in-app or by email.
Contact
[Insert contact email and postal address for data-protection queries.]