Privacy Policy
Last updated: June 2026
TruMint (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.
1. Who We Are
TruMint is the data controller for personal data collected through this platform. You can contact us at support@trumint.co.
2. Data We Collect
- Account data: name, email address, password (stored as a secure hash)
- Financial data: portfolio holdings, transaction history, tax calculations, net worth figures
- Broker data: data imported via CSV or Plaid — account numbers, balances, trade records
- Usage data: pages visited, features used, session duration
- Device data: IP address, browser type, operating system
- Communications: the content of emails or messages you send to our support team
- HMRC connection data: if you connect your Government Gateway account to file via Making Tax Digital, we store OAuth access and refresh tokens issued by HMRC. We never see or store your Government Gateway username or password. Tokens are encrypted at rest using AES-256-GCM and are used solely to submit your CGT disposals and Self Assessment declaration on your instruction.
- National Insurance Number (NINO): required to identify you with HMRC for MTD filing. Stored encrypted at rest. Never shared with any third party other than HMRC.
3. Why We Collect It (Legal Basis)
| Data | Purpose | Legal Basis |
|---|---|---|
| Email, name | Account creation and authentication | Contract performance |
| Financial data | Portfolio tracking, tax calculations | Contract performance |
| Usage data | Improving the service, debugging | Legitimate interests |
| Email address | Service notifications | Contract performance |
| Email address | Marketing emails (only if opted in) | Consent |
| IP address | Security, fraud prevention | Legitimate interests |
| HMRC OAuth tokens, NINO | MTD filing with HMRC on your instruction | Contract performance / explicit consent |
4. Third Parties We Share Data With
- Firebase (Google): Authentication and database storage. Google's data processing terms apply.
- Plaid: Bank and broker data connection. Plaid's own privacy policy applies to data you share via their interface.
- EODHD: Market data provider for live prices. No personal data is shared with EODHD.
- Google Cloud Platform: Server hosting and key management (Cloud KMS, Cloud Run). Data is processed within the EU/UK (europe-west2 / London region).
- HMRC: If you use the MTD filing feature, your CGT disposal data and Self Assessment final declaration are submitted directly to HMRC via their official API. This is performed on your explicit instruction only.
- TrueLayer / Plaid: Open banking providers for linking bank accounts. Their own privacy policies apply to data you share via their interfaces.
- Google Gemini: Used for transaction merchant enrichment and P60 income extraction (see Section 5). No HMRC submission data is sent to Gemini.
We do not sell your personal data to third parties.
5. Data Retention
- Account data: Retained while your account is active. When you delete your account via Account Settings, your account data and all associated personal data are permanently deleted immediately.
- Tax and financial data: Retained for 4 years from the relevant tax year (in line with HMRC record-keeping requirements).
- Usage and log data: Retained for 90 days.
5b. HMRC Connection & AI Processing
HMRC Making Tax Digital: When you connect your Government Gateway account, TruMint is authorised via OAuth 2.0. HMRC issues access and refresh tokens to TruMint — your Government Gateway credentials are never transmitted to or stored by TruMint. Tokens are encrypted at rest (AES-256-GCM, per-user keys managed in Google Cloud KMS, London region). You can revoke TruMint's access at any time via HMRC's Government Gateway › Manage authorised applications. Tokens automatically expire after 18 months.
Artificial intelligence: TruMint uses Google Gemini Flash for two purposes: (1) categorising transaction descriptions into spending categories — this does not affect your tax records or any HMRC submission; and (2) extracting income figures from P60 PDFs you upload — all extracted figures are shown to you for confirmation before use in any tax calculation. No AI-generated output is submitted to HMRC automatically or without your explicit approval.
6. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right to access — request a copy of the data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — ask us to delete your data (“right to be forgotten”)
- Right to restriction — ask us to limit how we process your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — withdraw consent at any time where processing is based on consent
Right to erasure (self-serve): You can permanently delete your account and all associated data immediately via Account Settings → Delete Account in the dashboard. No email required.
To exercise any other rights, email support@trumint.co. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk or 0303 123 1113.
7. International Transfers
Firebase and Google Cloud Platform infrastructure may process your data outside the UK. This is covered by Google's Standard Contractual Clauses, which provide an equivalent level of protection to UK data protection law.
8. Cookies
We use cookies and similar technologies to operate the platform. For full details, see our Cookie Policy.
9. Security
We implement industry-standard security measures including encryption in transit (TLS) and at rest. In the event of a data breach, we will notify you and the ICO as required by UK GDPR.
10. Changes to This Policy
We will notify you by email at least 14 days before any material changes to this Privacy Policy take effect. The “Last updated” date at the top of this page always reflects the current version.
11. Contact Us
For any privacy-related questions or to submit a Subject Access Request: support@trumint.co