Aperture Works Privacy Policy.

CIS Invoice Mobile Application

Aperture Works Ltd

Last updated: 17 April 2026

Introduction

Aperture Works Ltd (“we”, “us”, “our”, “the Company”) is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use:

  1. The CIS Invoice mobile application (“the App”)

  2. Our website at https://cis-invoice.co.uk (“the Website”)

  3. Any services provided through the App, including Making Tax Digital (MTD) submissions to HM Revenue & Customs (HMRC)

This Privacy Policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and the Data (Use and Access) Act 2025.

By using our App, Website, or Services, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller Information

The data controller responsible for your personal data is:

Aperture Works Ltd
Enterprise House, The Courtyard, Old Court House Road
Bromborough, Wirral, England, CH62 4UE

Email: info@aperture-works.com
Company Registration Number: 16563160

For data protection enquiries, please contact us at info@aperture-works.com.

2. Personal Data We Collect

We collect and process different categories of personal data depending on how you interact with our App and Services. It is important to understand that most of your data remains on your device and is never transmitted to our servers.

2.1 Data We Store (Cloud)

The following personal data is stored on our secure cloud servers:

Data Type | Purpose | Stored With
Email address | Account identification, authentication, service communications | Supabase (UK)
Full name | Account identification, personalisation | Supabase (UK)
Marketing preferences | To manage your communication preferences | Supabase (UK)
Profile picture | Profile display (Google sign-in only) | Supabase (UK)

Social Sign-In:

  1. Google Sign-In: We receive and store your email address, name, and profile picture from Google

  2. Apple Sign-In: We receive and store your email address (which may be a private relay address) and name (on first sign-in only). Apple does not provide a profile picture.

Subscription Management (RevenueCat):

To manage your subscription, we share the following with RevenueCat, our subscription management provider:

  1. User ID

  2. Email address

  3. Full name

  4. Subscription status and entitlements

RevenueCat processes this data in the USA (see Section 11 for safeguards).

2.2 Data Stored Locally on Your Device

The following data is processed by the App but stored only on your device. We do not have access to this data, and it is not transmitted to our servers.

Business Information:

  1. Company/business name

  2. Tradesman name

  3. Business address (street, city, postcode)

  4. Business phone and email

  5. Phone number (personal)

  6. Company logo (if uploaded)

  7. Vehicle registration number (if provided)

Tax Identification Numbers:

  1. Unique Taxpayer Reference (UTR)

  2. VAT registration number (if VAT registered)

  3. National Insurance Number (NINO) — stored using encryption (iOS Keychain or Android Secure Storage)

Bank Details:

  1. Bank name

  2. Account holder name

  3. Account number

  4. Sort code

Invoices and Quotes:

  1. Invoice/quote numbers and dates

  2. Work descriptions and job references

  3. Daily work entries

  4. Labour amounts, extras, materials

  5. CIS tax deductions

  6. VAT amounts

  7. Payment status and history

  8. Invoice notes

Customer and Supplier Data:

  1. Names

  2. Business names

  3. Addresses and postcodes

  4. Phone numbers

  5. Email addresses

  6. Notes

Note: You are responsible for ensuring you have the appropriate legal basis to store your customers’ and suppliers’ personal data within the App.

Expense Data:

  1. Expense dates and amounts

  2. Categories (Travel, Materials, Tools, Office, etc.)

  3. VAT amounts

  4. Vendor/supplier names

  5. Payment methods

  6. Receipt photographs (if attached)

  7. Notes and descriptions

2.3 Data Transmitted to HMRC (Pro Tier Only)

When you use Making Tax Digital features, certain data is transmitted directly to HMRC. This data is sent from your device to HMRC and is not stored on our servers. See Section 6 for full details.

2.4 Device and Technical Data

To operate the App securely and meet HMRC legal requirements for fraud prevention, the following device data may be collected when making HMRC submissions:

  1. Device type, manufacturer, and model

  2. Operating system and version

  3. App version

  4. Screen resolution

  5. Device timezone

  6. Device IP address

  7. Unique device identifier (UUID)

This data is transmitted directly to HMRC as legally required and is not stored on our servers.

2.5 Data We Do NOT Collect

We want to be clear about what we do not collect:

  1. We do not use analytics services (no Google Analytics, Mixpanel, Firebase Analytics, or similar)

  2. We do not use crash reporting services

  3. We do not track your behaviour within the App

  4. We do not collect location data (GPS)

  5. We do not sell your personal data to third parties

  6. We do not use your data for advertising purposes

3. How We Use Your Personal Data

3.1 Legal Bases for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

Purpose | Legal Basis
Providing our Services (invoicing, expense tracking) | Performance of contract
Processing account registration and authentication | Performance of contract
HMRC Making Tax Digital submissions | Legal obligation / Performance of contract
HMRC fraud prevention data transmission | Legal obligation (UK law)
Subscription management | Performance of contract
Sending service-related communications | Performance of contract / Legitimate interests
Sending marketing communications | Consent (opt-in)
Responding to support requests | Performance of contract / Legitimate interests
Complying with legal obligations | Legal obligation

3.2 Specific Processing Activities

Account Management:

  1. Creating and managing your user account

  2. Authenticating your identity when you sign in

  3. Managing your subscription and entitlements

Core App Functionality:

  1. Creating, editing, and storing invoices and quotes

  2. Generating PDF documents for sharing and printing

  3. Calculating VAT and CIS tax deductions

  4. Tracking expenses and categorising them

  5. Managing your customer and supplier database

HMRC Making Tax Digital (Pro Tier):

  1. Connecting to your HMRC account via Government Gateway

  2. Retrieving your registered self-employment business details

  3. Submitting quarterly income and expense updates

  4. Transmitting legally required fraud prevention data

Communications:

  1. Sending you important service updates and security notices

  2. Sending marketing emails (only if you opt in)

4. Data Storage and Security

4.1 Where Your Data is Stored

Local Device Storage: Most of your business data is stored locally on your device:

  1. Invoices and quotes

  2. Customer and supplier information

  3. Products and services

  4. Company settings and bank details

  5. Expense records

  6. Receipt photographs

This data is stored using your device’s built-in storage, protected by your device’s operating system encryption.

Secure Encrypted Storage (Device): Highly sensitive data is stored using additional encryption:

  1. iOS: Apple Keychain (hardware-backed Secure Enclave encryption)

  2. Android: Encrypted Keychain storage with AsyncStorage fallback

Data stored in secure storage includes:

  1. HMRC OAuth access and refresh tokens

  2. Your National Insurance Number

  3. Device identifier for HMRC fraud prevention

Cloud Storage (Supabase): We store limited data in our secure cloud database:

  1. Email address

  2. Full name

  3. Phone number (if provided)

  4. Authentication tokens (encrypted)

  5. Marketing preferences

Our cloud infrastructure is provided by Supabase, which uses Amazon Web Services (AWS) with encryption at rest and in transit.

4.2 Security Measures

We implement appropriate technical and organisational measures to protect your data:

Technical Measures:

  1. All data transmitted between the App and our servers uses TLS/HTTPS encryption

  2. All data transmitted to HMRC uses TLS/HTTPS encryption

  3. Sensitive data (NINO, HMRC tokens) is stored using hardware-backed encryption where available

  4. Row Level Security (RLS) in our database ensures users can only access their own data

  5. OAuth 2.0 with PKCE for HMRC authentication

  6. No plain-text storage of passwords (bcrypt hashing via Supabase)

Organisational Measures:

  1. Limited access to production systems

  2. Secure development practices

  3. Regular security reviews

4.3 No Automatic Cloud Backup

Important: Your invoices, quotes, expenses, and business data are stored primarily on your device. We do not automatically back up this data to the cloud. You are responsible for:

  1. Exporting important documents as PDFs

  2. Maintaining your own backups if needed

  3. Understanding that uninstalling the App or losing your device may result in data loss

5. Data Sharing

5.1 Third-Party Service Providers

We share personal data with the following third-party service providers who act as data processors on our behalf:

Service Provider | Purpose | Data Shared | Location | Privacy Policy
Supabase | Authentication and user account management | Email, name, phone, auth tokens | EU/US (AWS) | supabase.com/privacy
RevenueCat | Subscription and payment management | User ID, email, name, subscription status | USA (AWS) | revenuecat.com/privacy
HM Revenue & Customs (HMRC) | Making Tax Digital tax submissions (Pro tier only) | See Section 6 below | UK | gov.uk/government/organisations/hm-revenue-customs/about/personal-information-charter

Social Sign-In Providers (if you choose to use them):

Provider | Data Received | Their Privacy Policy
Google | Email, name, profile picture | policies.google.com/privacy
Apple | Email (may be private relay), name | apple.com/legal/privacy

5.2 Payment Processing

We do not directly process payments. All subscription payments are handled by:

  1. Apple App Store (iOS) – governed by Apple’s Privacy Policy

  2. Google Play Store (Android) – governed by Google’s Privacy Policy

We do not have access to your payment card details.

5.3 When You Share Data

When you use the App’s sharing features (email, print, share to other apps), you control what data is shared. This may include:

  1. PDF invoices and quotes containing your business details, customer information, and financial data

  2. Shared via email, messaging apps, cloud storage, or AirDrop

5.4 Legal Requirements

We may disclose your personal data if required by law, regulation, or legal process, or if we believe disclosure is necessary to:

  1. Comply with applicable laws or regulations

  2. Respond to a court order, subpoena, or government request

  3. Protect our rights, property, or safety, or that of our users or the public

5.5 Business Transfers

If Aperture Works Ltd is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

6. HMRC Making Tax Digital

This section applies to Pro-tier subscribers who use MTD features.

6.1 Your HMRC Authorisation

To use MTD features, you must:

  1. Connect your HMRC account through the Government Gateway

  2. Provide your National Insurance Number (NINO)

  3. Select a business registered with HMRC for self-employment

This authorisation is granted through HMRC’s official OAuth 2.0 process. You can revoke this authorisation at any time through your HMRC online account or within the App.

6.2 Data Submitted to HMRC

When you submit a quarterly update, we transmit the following to HMRC on your behalf:

Personal Identifiers:

  1. Your National Insurance Number

Business Information:

  1. Business ID (assigned by HMRC)

  2. Tax year and accounting period

Financial Data:

  1. Income/turnover figures

  2. Expense totals categorised as:

     - Cost of goods sold

     - Travel costs

     - Wages and staff costs

     - Premises costs

     - Repairs and maintenance

     - Professional fees

     - Financial charges

     - Advertising and marketing

     - Interest paid

     - Other expenses

By initiating a submission, you confirm that the information is accurate to the best of your knowledge and authorise us to transmit it to HMRC.

6.3 Fraud Prevention Headers (Legal Requirement)

UK law requires us to submit fraud prevention data to HMRC with every API request. This is not optional and is mandated by HMRC to help detect and prevent tax fraud.

The fraud prevention headers include:

Header | Data Collected | Purpose
Gov-Client-Device-ID | Persistent device identifier (UUID) | Identify the device used
Gov-Client-User-Agent | Device OS, version, manufacturer, model | Technical identification
Gov-Client-Timezone | Device timezone (e.g., UTC+01:00) | Audit and fraud detection
Gov-Client-Local-IPs | Device IP address(es) | Network identification
Gov-Client-Screens | Screen dimensions and resolution | Device identification
Gov-Client-Window-Size | App window dimensions | Device identification
Gov-Client-Connection-Method | “MOBILE_APP_DIRECT” | How the connection is made
Gov-Vendor-Product-Name | “CIS Invoice” | Identify our software
Gov-Vendor-Version | App version number | Software identification

By using MTD features, you consent to this data collection and transmission to HMRC as required by law.

For more information about HMRC’s fraud prevention requirements, visit: https://developer.service.hmrc.gov.uk/guides/fraud-prevention/

6.4 NINO Security

Your National Insurance Number is:

  1. Stored using encryption on your device (Keychain/Secure Storage)

  2. Displayed in masked format within the App (e.g., “AB 12 34 ** **”)

  3. Only transmitted to HMRC when making authorised API calls

  4. Never stored on our servers

6.5 Disconnecting from HMRC

You can disconnect your HMRC account at any time through the App. This will:

  1. Remove stored HMRC tokens from your device

  2. Prevent further submissions until you reconnect

  3. Not affect data already submitted to HMRC

7. Device Permissions

The App requests the following device permissions:

Permission | Purpose | Required?
Camera | Take photos of completed work or receipts to attach to invoices and expenses | Optional
Photo Library | Select existing photos to attach to invoices and expenses | Optional
Contacts | Import customer details from your address book | Optional
Internet | Authentication, HMRC submissions, subscription verification | Required

You can deny any optional permission, but some features may not function without them. You can change permissions at any time in your device settings.

8. Data Retention

8.1 How Long We Keep Your Data

Data Type | Retention Period | Reason
Account data (email, name) | Until you delete your account | Service provision
Authentication tokens | Until logout or expiry | Security
HMRC OAuth tokens | Until you disconnect or they expire | HMRC access
Local business data (invoices, quotes, etc.) | Until you delete them or uninstall the App | Your business records
Marketing preferences | Until you change them or delete your account | Consent management

8.2 Your Tax Record Obligations

Important: Under UK law, self-employed individuals must keep business records for at least 5 years after the 31 January submission deadline of the relevant tax year. This is your responsibility, not ours.

We recommend:

  1. Regularly exporting important invoices as PDFs

  2. Maintaining your own backup copies

  3. Not relying solely on the App for long-term record storage

8.3 Data Submitted to HMRC

Data submitted to HMRC is retained by HMRC according to their own retention policies. We have no control over data held by HMRC. For information about HMRC’s data retention, visit: https://www.gov.uk/government/organisations/hm-revenue-customs/about/personal-information-charter

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

9.1 Right of Access

You have the right to request a copy of the personal data we hold about you. Most of your data is visible directly within the App.

9.2 Right to Rectification

You have the right to request correction of inaccurate personal data. You can update most of your data directly within the App.

9.3 Right to Erasure (“Right to be Forgotten”)

You have the right to request deletion of your personal data. You can:

  1. Delete individual invoices, quotes, customers, suppliers, items, and expenses within the App

  2. Delete your entire account through the Profile/Settings screen

Account deletion will:

  1. Remove your account from our authentication system

  2. Clear all locally stored data on your device

  3. Not affect data already submitted to HMRC

  4. Not automatically cancel App Store/Play Store subscriptions (you must cancel these separately)

9.4 Right to Data Portability

You have the right to receive your personal data in a portable format. You can:

  1. Export invoices and quotes as PDF documents

  2. Use the App’s sharing features to transfer documents

9.5 Right to Restrict Processing

You have the right to request that we restrict processing of your personal data in certain circumstances.

9.6 Right to Object

You have the right to object to processing based on legitimate interests. You can:

  1. Opt out of marketing communications at any time via the Profile settings

  2. Contact us to object to other processing

9.7 Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

9.8 Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: info@aperture-works.com

We will respond to your request within one month. In some cases, we may need to verify your identity before processing your request.

9.9 Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Helpline: 0303 123 1113

10. Guest Mode

You may use the App without creating an account (“Guest Mode”) with the following limitations:

  1. Maximum of 3 invoices

  2. No cloud backup or synchronisation

  3. No access to HMRC MTD features

  4. All data is stored only on your device

In Guest Mode:

  1. We assign a temporary local identifier

  2. No personal data is transmitted to our servers

  3. If you uninstall the App, all guest data is permanently lost

You can migrate your guest data to a registered account when you sign up.

11. International Data Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom.

11.1 Data Processed in the UK

The following service processes data within the United Kingdom:

Recipient | Purpose | Location
Supabase | Authentication and user account management | UK

As this data remains within the UK, no international transfer safeguards are required.

11.2 Data Transferred Internationally

The following services process data outside the United Kingdom:

Recipient | Purpose | Country | Safeguard
RevenueCat | Subscription and payment management | USA | Standard Contractual Clauses, DPA
Google (sign-in) | Authentication (if you choose Google sign-in) | USA | Standard Contractual Clauses
Apple (sign-in) | Authentication (if you choose Apple sign-in) | USA | Standard Contractual Clauses

These transfers are protected by appropriate safeguards, including Standard Contractual Clauses approved by the UK Government, which ensure your data receives an equivalent level of protection as it would under UK law.

11.3 Data Transmitted to HMRC

Data submitted through Making Tax Digital features is transmitted directly from your device to HM Revenue & Customs servers in the United Kingdom. This data is not routed through our servers.

12. Children’s Privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@aperture-works.com, and we will delete such data.

13. Cookies and Similar Technologies

13.1 Website

Our website may use essential cookies necessary for the website to function. We do not use cookies for analytics or advertising.

13.2 Mobile App

The App does not use cookies. We use:

  1. Authentication tokens: Stored securely to keep you signed in

  2. Local storage: To store your business data on your device

  3. Secure storage: For sensitive data like HMRC tokens

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will notify you by:

  1. Displaying a notice within the App

  2. Sending an email to your registered email address

  3. Updating the “Last updated” date at the top of this Policy

We encourage you to review this Privacy Policy periodically.

Your continued use of the App after changes are posted constitutes your acceptance of the updated Privacy Policy.

15. Third-Party Links

The App and Website may contain links to third-party websites or services (e.g., HMRC Government Gateway). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Aperture Works Ltd
Enterprise House, The Courtyard, Old Court House Road
Bromborough, Wirral, England, CH62 4UE

Email: info@aperture-works.com

We aim to respond to all enquiries within 5 business days.

17. Summary of Key Points

Topic | Summary
What we store | Email address, full name, marketing preferences, profile picture (Google sign-in only)
What stays on your device | Business information, tax IDs (NINO, UTR), bank details, invoices, quotes, expenses, customer and supplier data
What we DON’T collect | Analytics data, location data, usage tracking, advertising data, crash reports
Cloud storage | Supabase (UK) for account data only
International transfers | RevenueCat (USA), Google/Apple sign-in (USA) — protected by Standard Contractual Clauses
Who we share with | Supabase (auth), RevenueCat (subscriptions), Google/Apple (sign-in), HMRC (tax submissions – Pro tier)
HMRC MTD | Pro tier only; requires NINO; fraud prevention headers are legally required; data sent directly to HMRC
Your rights | Access, rectification, erasure, portability, restrict, object, complain to ICO
Data retention | Account data until you delete; local data until you delete or uninstall; you are responsible for tax record keeping
Security | TLS encryption, Keychain/Secure Storage for sensitive data, no plain-text passwords

This Privacy Policy was last updated on 17 April 2026.

Aperture Works Ltd – Registered in England and Wales