Privacy Policy

Version 1.0 · Effective date: 6 April 2026 · Controller: Edward Jenkins t/a no~bull consulting · edward@nobull.consulting

1. Introduction

no~bull books ("we", "us", "our") is a cloud-based accounting application operated by Edward Jenkins, trading as no~bull consulting. This Privacy Policy explains how we collect, use, store and protect your personal data when you use no~bull books.

We are committed to protecting your privacy and complying with applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and where applicable the EU GDPR.

2. Data Controller

Detail	Information
Name	Edward Jenkins
Trading as	no~bull consulting
Email	edward@nobull.consulting
Website	nobull.consulting

3. What Data We Collect

3.1 Account and identity data

• Name, email address, and company name provided during registration
• Google account information used for authentication (via Google OAuth)
• VAT registration number (if provided for MTD VAT submissions)

3.2 Financial data

• Invoice and bill records you create within the application
• Client and supplier contact details you enter
• Bank account information (account names and sort codes — no full account numbers)
• VAT return data submitted to HMRC via Making Tax Digital (MTD)

3.3 Technical data

• Google Sheets spreadsheet ID associated with your account
• Log data: access times, pages visited, errors (held in Google Apps Script logs)
• HMRC fraud prevention data: browser user agent, screen dimensions, device identifier, timezone — collected and transmitted to HMRC as required by law for MTD submissions

3.4 Data we do not collect

• Full bank account numbers or card numbers
• Biometric data
• We do not use cookies for tracking or advertising
• We do not sell your data to any third party

4. How We Use Your Data

Purpose	Legal basis
Providing the no~bull books service	Contract performance (Art. 6(1)(b) UK GDPR)
Submitting VAT returns to HMRC via MTD	Legal obligation (Art. 6(1)(c) UK GDPR)
Transmitting fraud prevention headers to HMRC	Legal obligation (Art. 6(1)(c) UK GDPR)
Communicating with you about your account	Contract performance
Improving the software and fixing bugs	Legitimate interests (Art. 6(1)(f) UK GDPR)
Complying with legal and regulatory requirements	Legal obligation

5. Data Storage and Security

Your financial data is stored in your own Google Sheets spreadsheet, which lives in your own Google account. We do not store your financial data on our own servers — you retain full ownership and control.

Access to your data is controlled by Google OAuth 2.0 authentication, a unique spreadsheet ID that acts as a private access key, and HMRC OAuth tokens stored encrypted in Google Script Properties.

6. HMRC Fraud Prevention Data

As required by law under the Finance Act 2020 and HMRC's Making Tax Digital regulations, we collect and transmit fraud prevention headers with all MTD API calls. This includes your browser user agent string, screen dimensions, window size, device identifier, and timezone. This data is transmitted directly to HMRC and is not stored by us beyond the duration of the API call. For more information, see HMRC's fraud prevention guidance.

7. Third-Party Services

Service	Purpose
Google Workspace (Google LLC)	Application hosting, data storage, authentication
HMRC Making Tax Digital API	VAT return submission and retrieval
Google Gemini API	AI assistant feature (optional)

8. Data Retention

• Account data: retained for the duration of your subscription plus 7 years (to meet statutory accounting requirements)
• Financial records: retained in your Google Sheets spreadsheet — you control deletion
• HMRC OAuth tokens: automatically expire after 4 hours; refresh tokens expire after 18 months
• Application logs: retained for 30 days within Google Apps Script infrastructure

9. Your Rights

Under UK GDPR you have the right to access, correct, erase, restrict, port, and object to processing of your personal data. To exercise these rights, contact edward@nobull.consulting. We will respond within 30 days.

10. International Data Transfers

Google LLC may process data outside the UK and EU. Google participates in the EU-US Data Privacy Framework and provides appropriate safeguards. HMRC data is processed within the UK only.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice within the application. The effective date at the top of this document will be updated accordingly.

12. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

13. Contact

For any privacy-related queries: edward@nobull.consulting