Edward Jenkins, trading as no~bull consulting (“we”, “us”), is the data controller for personal data processed through our software products: no~bull books (accounting software for UK sole traders) and no~bull visa (case management software for solicitors handling Spanish visa applications).
This policy explains what personal data we process, why, and what your rights are under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
It does not cover data processed by Google on our behalf — see Google’s Privacy Policy for that.
Our position under UK GDPR differs depending on the product and the person involved.
We are the data controller for account and subscription data (name, email, billing). The financial records you create and store in no~bull books live in your own Google Drive; we have no access to them and are not a controller for that data.
The solicitor or firm that subscribes to no~bull visa is the data controller for their clients’ personal data. We act as a data processor on their behalf for that data. We are the data controller only for the solicitor’s own account and subscription information.
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email address | Account creation, authentication, support | Contract (Art. 6(1)(b)) |
| Firm name | Workspace identification, correspondence | Contract (Art. 6(1)(b)) |
| Subscription status, payment history | Licence management and billing | Contract (Art. 6(1)(b)) |
| Login timestamps, session tokens | Security, fraud prevention | Legitimate interests (Art. 6(1)(f)) |
As required by HMRC’s MTD API rules, we collect and transmit fraud prevention headers with all MTD API calls. This includes device identifiers, browser metadata, and IP address. This is a legal obligation (Art. 6(1)(c)).
On behalf of subscribing solicitors, no~bull visa stores and processes the following categories of their clients’ personal data:
Criminal record certificates are special category data under UK GDPR Article 9. The solicitor (as data controller) is responsible for identifying and documenting the appropriate legal basis for processing this data. We process it solely on their instruction.
All workspace data — for both no~bull books and no~bull visa — is stored in a Google Sheets spreadsheet within the subscribing user’s own Google Drive. We do not copy or replicate this data to our own servers.
Our application code runs on Google Apps Script infrastructure within Google Cloud (data centres in the EU/EEA and US). Access to workspace data requires authentication via Google OAuth and our session token system.
We maintain audit logs of significant actions within each workspace. These logs are stored in the same Google Drive spreadsheet as the workspace data.
We implement appropriate technical measures including: single-use magic-link authentication, session expiry, rate limiting, and per-tenant data isolation.
| Data type | Retention period |
|---|---|
| Active workspace data | Held for the duration of the subscription plus a 44-day grace period |
| Account and subscription records | 7 years from end of subscription (statutory accounting obligation) |
| Session tokens | 30 days or until revoked |
| Magic-link login tokens | 15 minutes from issue |
| HMRC fraud prevention data | As required by HMRC — currently 7 years |
| Audit logs | Retained within the workspace for as long as the workspace exists |
Because workspace data lives in the user’s own Google Drive, it persists there until the user deletes it. Cancelling a subscription does not delete the underlying spreadsheet.
Google LLC is our primary sub-processor. Google Apps Script, Google Drive, Google Sheets, and Gmail are all Google services. Data processed by these services is subject to Google’s own terms and data processing agreements. Google’s infrastructure may transfer data to servers outside the UK; Google relies on Standard Contractual Clauses and the UK International Data Transfer Agreement for those transfers.
We do not sell personal data. We do not share it with any other third party except where required by law.
no~bull books is currently offered exclusively to UK-based businesses and processes data within the scope of UK GDPR only. If we expand to EU/EEA markets in the future, this policy will be updated accordingly before any such expansion.
no~bull visa is used by solicitors who may be established in Spain or elsewhere in the EU/EEA, and who process personal data of EU residents (visa applicants). This gives rise to obligations under both UK GDPR and EU GDPR (Regulation 2016/679).
The European Commission has granted the UK an adequacy decision under EU GDPR Article 45, meaning personal data can flow freely from the EU/EEA to the UK without requiring additional transfer safeguards. As a UK-based processor receiving data from EU-established controllers, we rely on this adequacy decision for inbound data flows.
Data flows from the UK to the EU (for example, where a UK-based applicant’s data is accessed by an EU-based solicitor) are similarly unrestricted under UK GDPR, as the EU/EEA is recognised as providing adequate protection.
If you are an EU resident, you hold the same rights listed in section 8 of this policy under EU GDPR Articles 13–22. To exercise them, contact the solicitor or firm whose portal you use (they are the data controller for your case data), or contact us at edward@nobull.consulting if your query relates to our processing as a processor.
You also have the right to lodge a complaint with your national supervisory authority. In Spain this is the Agencia Española de Protección de Datos (AEPD): aepd.es. A full list of EU supervisory authorities is available at edpb.europa.eu.
EU GDPR Article 27 requires processors established outside the EU who systematically process EU residents’ data to appoint an EU representative. At our current scale — processing EU residents’ data only occasionally and on behalf of a small number of solicitor clients — we rely on the exemption available to organisations whose processing is occasional, does not include large-scale processing of special category data on a systematic basis, and is unlikely to result in a risk to the rights and freedoms of individuals. We will appoint a representative if and when our processing volume requires it, and will update this policy accordingly.
Our marketing website (nobull.consulting) does not use tracking cookies or analytics scripts. No~bull books and no~bull visa use browser localStorage to store session tokens. These are functional and strictly necessary; no consent is required.
You have the following rights in relation to your personal data:
To exercise any of these rights, email edward@nobull.consulting. We will respond within one calendar month.
If you are a no~bull visa client (end applicant), please contact the solicitor or firm whose portal you use — they are the data controller for your case data.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk · 0303 123 1113.
We will update this policy when our practices change materially. The version number and effective date at the top of this page will reflect any changes. We will notify active subscribers by email of significant changes.
Edward Jenkins t/a no~bull consulting
edward@nobull.consulting
nobull.consulting