Guidance

HMRC App Privacy Notice — information

Published 23 April 2026

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/hmrc-app-privacy-notice/hmrc-app-privacy-notice-information

This privacy notice explains how HMRC and other organisations may use your data when you use the HMRC App.

You can download the HMRC App on an iOS or Android device. You can also access the same services by logging in through the HMRC website in a web browser. This policy applies to using either of those channels.

You should read the HMRC privacy notice alongside this privacy notice.

Terms we use in this privacy notice

Data is ‘processed’ when any action is taken with it. For example, when it is collected or reviewed.

A controller is an organisation or person that decides what data is processed and how and why it is done. They are legally responsible for that data. A controller may appoint a processor, another organization or person that processes data under the controller’s instruction.

Lawful basis for processing

HMRC is the controller of the HMRC app and processes personal data based on lawful bases.

We provide the HMRC app in support of our public tasks as a government department to provide a quick and easy way for you to get information about your tax, National Insurance, tax credits and benefits.

The mobile app connects with HMRC’s services, sourcing all data from HMRC systems. Customer data is accessible only through a logged-in session.

We use cookies to enhance your browsing experience, serve personalised information or content, and analyse our traffic. By clicking ‘Accept All’, you consent to our use of cookies. You can manage your preferences by clicking ‘Cookie Settings’.

For more information, please visit our Cookie Policy and Privacy Policy.

Types of cookies we use

Essential Cookies

These are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you, such as setting your privacy preferences, logging in, or filling in forms.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us know which pages are the most and least popular and see how visitors move around the site.

Functionality Cookies

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third-party providers whose services we have added to our pages.

Your choices

You can choose to accept all cookies, reject non-essential cookies, or customise your cookie preferences. To manage your preferences, select ‘Cookie Settings’.

You can read more about how we use cookies on the GOV.UK cookies page and the HMRC cookies page.

Why we use your personal data

We use your personal data to ensure the HMRC App works correctly. This application provides access to existing HMRC digital services. Please note that no personal data from these services is stored on your device.

All interactions with HMRC digital services are conducted securely, ensuring that your personal information remains protected and is not retained on your device. It means we can give you access to services and information about your taxes and benefits.

We may also use your personal data to:

  • improve the HMRC App
  • resolve technical faults
  • maintain and improve security
  • comply with the law
  • protect users against potential fraud
  • act if you provide information suggesting you or others may be at risk of harm
  • process data about your use of the HMRC App

Your contact with our service desk team

This means information captured when you contact the HMRC App service desk for support, or when you provide feedback or complete a survey.

Your use of the messaging services on the HMRC App

The messaging services available in the HMRC App may include your personal data such as your name and National Insurance number, enabling you to:

  • view and reply to messages from HMRC
  • send messages to HMRC for support or inquiries
  • receive updates and notifications related to your tax and benefits

To ensure the messaging service works correctly, we process personal and technical data about your activities when you are logged in.

This includes the time you use the messaging services, the actions you take, and related technical details.

This information is captured against your unique identifier. We may keep this data for up to 8 years.

Data security

We take the security of your personal data very seriously. To protect your information, we implement a variety of security measures.

Encryption

All sensitive data is encrypted both at rest and in transit to prevent unauthorized access.

Access Controls

We restrict access to your data to only those employees and third parties who need it to perform their job duties. Access is granted based on the principle of least privilege.

Regular Security Audits

We conduct regular security audits and assessments to identify and address potential vulnerabilities in our systems.

Incident Response Plan

We have a comprehensive incident response plan in place to quickly address and mitigate any data breaches or security incidents.

Data Minimisation

We only collect and process the data that is necessary for the operation of the HMRC App, reducing the risk of data breaches.

Training and Awareness

Our employees receive regular training on data protection and security best practices to ensure they handle your data responsibly.

Third-party sharing

The processing activity is a view function that allows customers to access information related to their accounts. Third party processors are utilised for specific purposes outlined below.

All data is obtained from National Savings and Investments (NS&I), HMRC internal systems, or the customer. There is no integration or comparison of data sets.

In the delivery of this application, we collaborate with various third-party organisations who are carefully selected and are required to adhere to strict data protection and privacy standards. They only have access to the information necessary to perform their specific functions and are not permitted to use it for any other purpose.

We categorise these organisations and describe their roles as follows:

Cloud Service Providers

We use third-party cloud service providers to host the application and support platform services. These providers ensure the app’s availability, scalability, and security.

Technical Support and Maintenance

Third-party technical support teams assist in maintaining and updating the application to ensure it runs smoothly and efficiently.

Analytics and Performance Monitoring

We engage third-party analytics services to monitor the app’s performance and usage, helping us improve user experience and functionality.

Security Services

Third-party security firms help us protect the application and its data from unauthorized access, ensuring compliance with relevant security standards.

Transfer of information outside the UK

HMRC may transfer personal information outside the UK when relevant and necessary for their functions.

Personal data is exchanged between HMRC and third-party organisations located outside the UK, specifically in the United States.

The following third-party services are involved:

Bitrise

A mobile application Continuous Integration (CI) build and deployment service. Bitrise is an external Software as a Service (SaaS) provider, with servers and services hosted in the United States. Google Cloud Platform, MacStadium, and Amazon Web Services are used for hosting and storage.

InVision

A mobile application design and prototyping service. InVision is also an external SaaS provider, with services hosted, backed-up, and operated in the United States. Development, support, and maintenance are conducted through InVision and its service providers in various countries.

Bitwarden

The Mobile App Team’s password vault Bitwarden stores passwords in the United States under an offshoring agreement. Due to Bitwarden’s end-to-end encryption, unencrypted keys and data are only stored locally on devices in the UK. Offshore submissions are reviewed annually.

Additionally, limited payment information (payment reference and value) is shared with ECOSPEND to process payments.

Safeguards are implemented to mitigate risks associated with the legal regime in the destination country, ensuring the protection of data subjects.

How long we’ll use your information

We will retain your personal information for only as long as it is necessary for us to do so, for the purposes for which we are using it and in line with our published records management and retention and disposal policy.

HMRC also collect anonymised information about how you use the app and when it crashes. This is called analytics data, and we use it to improve the experience and stability of the app. This data is optional.

Your preference will only apply to the app and not the HMRC website. This includes when you sign in to the website from the app and anywhere else that the app links to the website. HMRC do not have access to your Face ID data and do not save or store it.

How you use the HMRC App

This is technical data about your activities when you are logged in. It’s also called audit data. It may include the time when you use the HMRC App, what actions you take, and related technical details. This information is captured against your unique identifier. We may keep this data for up to 8 years.

How well things are working

This is also called performance data. We’ve appointed an approved analytics service provider to help us process this data. We may keep this data for up to 1 year.

Your responsibility to inform us of changes

It is important that the personal information we hold about you is accurate and current. You need to keep us informed if your personal contact information changes.

User rights

When using this app:

  • users can opt in or out of data collection via app settings, affecting all users on a shared device
  • you provide HMRC with personal and tax information to help manage your tax account and benefits. The app stores data on your device to function correctly, which is required.
  • HMRC collects anonymised analytics data about app usage and crashes to improve app stability, this data collection is optional
  • preferences apply only to the app, not the HMRC website, even when accessed through the app
  • HMRC does not access or store Face ID data

Data protection information rights

You have the right to delete the HMRC application at any time. To do so, simply uninstall the app from your device through your device’s application management settings.

For detailed information about your individual rights, including how to make a subject access request, please refer to the main HMRC privacy notice.

Contact HMRC or make a complaint

You can contact our data protection officer if you have questions about this privacy notice or want to make a complaint.

Back to top