🇬🇧 EN 🇷🇴 RO 🇵🇱 PL 🇱🇹 LT 🇧🇬 BG

Privacy Policy

Hardhat
Last updated: February 2026

1. Introduction

This privacy policy explains how Hardhat ("we", "our", "us") collects, uses, stores and protects your personal information when you use the Hardhat mobile application, the MyCISRefund.com website, and any related services (together, the "Services").

Hardhat is a financial management tool designed for UK construction workers operating as CIS (Construction Industry Scheme) subcontractors. We help you track CIS deductions, manage expenses, and interact with HMRC's systems. We are a software provider — we do not act as your tax agent, accountant, or financial adviser.

We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who We Are

Hardhat is a trading name. We are the data controller responsible for your personal data.

Email: privacy@myCisRefund.com

If you have questions about this policy or your personal data, contact us using the email address above.

3. What Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

  • Name and email address
  • Phone number (if provided)
  • Password (stored in encrypted form)
  • Preferred language

3.2 Tax and Financial Information

  • Unique Taxpayer Reference (UTR)
  • National Insurance number
  • CIS deduction statements and payment records
  • Income and expense records you enter or import
  • Self Assessment tax return data

3.3 HMRC Data

When you authorise us to connect to HMRC on your behalf via their APIs, we may retrieve:

  • CIS deduction data held by HMRC
  • Tax calculation and liability information
  • Self Assessment submission status

You explicitly authorise this access through HMRC's Government Gateway sign-in process using OAuth 2.0. You can revoke this access at any time through your HMRC online account.

3.4 Device and Usage Data

  • Device type, operating system and version
  • App version
  • IP address
  • Usage analytics (pages visited, features used)
  • Crash reports

4. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the Services: Creating and managing your account, tracking CIS deductions, calculating potential refunds, submitting information to HMRC on your instruction, and enabling expense tracking.
  • HMRC Interaction: Retrieving your CIS deduction data and submitting returns to HMRC when you instruct us to do so. We act as a software intermediary only — all submissions are made on your instruction and under your responsibility.
  • Communicating with You: Sending service notifications, tax deadline reminders, and (where you have consented) marketing communications.
  • Improving Our Services: Analysing usage patterns to improve features, fix bugs, and develop new functionality.
  • Legal Compliance: Meeting our obligations under tax, financial services, and data protection law.

5. Legal Basis for Processing

We process your data under the following lawful bases:

  • Contract: Processing necessary to provide the Services you have signed up for (Article 6(1)(b) UK GDPR).
  • Consent: Where you have given clear consent, for example to receive marketing emails or to connect your HMRC account (Article 6(1)(a) UK GDPR). You can withdraw consent at any time.
  • Legitimate Interests: For analytics, fraud prevention, and service improvement, where our interests do not override your rights (Article 6(1)(f) UK GDPR).
  • Legal Obligation: Where we are required to process data by law (Article 6(1)(c) UK GDPR).

6. Who We Share Your Data With

We do not sell your personal data. We share data only with the following parties and only as necessary:

  • HMRC: When you authorise us to retrieve or submit data on your behalf via HMRC's APIs.
  • Cloud Hosting Provider: We use secure cloud infrastructure to store your data.
  • Law Enforcement: Where required by law or to protect our legal rights.

7. Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest
  • Secure authentication and access controls
  • Regular security reviews and updates

No system is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security.

8. Data Retention

We retain your personal data only for as long as necessary:

  • Account data: For as long as your account is active, and for a reasonable period afterwards to allow you to reactivate.
  • Tax and financial data: We recommend retaining tax records for at least 5 years in line with HMRC requirements. We will retain your data for this period unless you request earlier deletion.
  • Marketing data: Until you unsubscribe or withdraw consent.
  • Usage and analytics data: Typically retained in anonymised form.

When data is no longer needed, we securely delete or anonymise it.

9. Your Rights

Under UK GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate data.
  • Erasure: Ask us to delete your data (subject to legal retention requirements).
  • Restriction: Ask us to restrict processing in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at privacy@myCisRefund.com. We will respond within one month.

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

10. HMRC API Usage

Hardhat connects to HMRC's APIs to provide CIS deduction tracking and tax filing functionality. Important points:

  • We only access HMRC data that you have explicitly authorised us to access via the Government Gateway OAuth process.
  • We use HMRC data solely to provide you with the Services described in this policy.
  • We do not share your HMRC data with any third party except as described in Section 6.
  • We store HMRC data securely and in accordance with HMRC's terms of use for developers.
  • You can revoke our access to your HMRC data at any time via your HMRC online services account or by contacting us.
  • We are a software provider. We do not act as a tax agent, and we do not provide tax advice. You are responsible for the accuracy of any information submitted to HMRC through our Services.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes via email or an in-app notification. The date at the top of this policy indicates when it was last updated. We encourage you to review this policy periodically.

12. Contact Us

If you have questions, concerns or requests relating to this privacy policy or your personal data, please contact us:

Email: privacy@myCisRefund.com