SDLT Check
Legal

Data Protection Policy

How SDLT Check collects, uses, secures, and retains personal and financial data within our Stamp Duty Land Tax platform.

Version 1.3 · Effective 1 February 2026

1. Introduction

This Data Protection Policy outlines how SDLT Check ("we", "our", or "us") collects, uses, secures, and retains personal and financial data within our Stamp Duty Land Tax (SDLT) calculation and case management platform.

We are committed to ensuring that your privacy is protected and that we comply with the UK Data Protection Act 2018 and the General Data Protection Regulation (UK GDPR). This policy applies to all users of the SDLT Check platform, including solicitors, agents, and their clients.

2. Scope of Data Processing

The SDLT Check platform processes data to facilitate accurate SDLT calculations, case management, and submissions to HMRC. We act as:

  • Data Controller: regarding the account information of our direct users (solicitors/agents).
  • Data Processor: regarding the client data entered by solicitors/agents for the purpose of tax calculation and submission.

3. Data We Collect

Based on our system architecture, we process the following categories of data:

3.1. User Account Data (Solicitors/Agents)

  • Identity: First name, last name, job title.
  • Contact: Professional email address, phone number.
  • Security: Password hashes, Two-Factor Authentication (2FA) secrets (encrypted), login audit logs, IP addresses.
  • Billing: Team billing details, VAT numbers, invoicing history.

3.2. Client Case Data (Property Purchasers)

  • Identity: Names, dates of birth, National Insurance Numbers (NINO).
  • Contact: Email addresses, phone numbers.
  • Transaction Details: Property address, purchase price, lease terms, completion dates.
  • Financial Data: Mortgage details, SDLT calculation inputs/outputs, payment statuses.
  • Sensitive Data: Information regarding divorce/separation orders, trust beneficiary details, or crown employment status (strictly where required for tax relief eligibility).

4. How We Use Data

We process data for the following specific legal and contractual purposes:

  1. Tax Calculation: Using property and transaction details to calculate accurate SDLT liability, including relief eligibility (e.g., First Time Buyer, Multiple Dwellings).
  2. HMRC Submission: Formatting and transmitting SDLT1 returns directly to HMRC via the Transaction Engine (Government Gateway).
  3. Case Management: Tracking the status of property transactions from instruction to completion.
  4. Billing: Processing payments for our services via Stripe.
  5. Service Improvement: Utilising Google Gemini AI to generate non-binding advisory reports based on case data (anonymised where possible).
  6. Security: Monitoring user activity via audit logs to prevent unauthorised access.

5. Data Security Measures

We employ robust technical and organisational measures to protect data:

  • Encryption: All data in transit is encrypted via TLS/SSL. Sensitive fields (such as 2FA secrets) are encrypted at rest in our database.
  • Access Control: We utilise strict Role-Based Access Control (RBAC) limiting data visibility to authorised Team Members, Team Admins, and Super Admins.
  • Two-Factor Authentication (2FA): We support and encourage 2FA for all user accounts to prevent unauthorised access.
  • Audit Logging: Our system maintains a comprehensive Activity log tracking all creates, updates, and deletes of sensitive records, including the actor, timestamp, and IP address.
  • Secure Infrastructure: Files and documents are stored securely using AWS S3 with restricted access policies.

6. Third-Party Sub-Processors

To provide our service, we share limited data with the following trusted third-party providers:

ProviderPurposeData Shared
HMRCTax Return SubmissionFull SDLT1 return data (Client NINO, DOB, Transaction details).
StripePaymentsPayment metadata, email, customer IDs.
Streak CRMCustomer SupportCase reference, client contact details, stage status.
AWS (S3)File StorageUploaded documents (e.g., structural reports).
Postmark/SMTPEmail NotificationsTransactional emails and reminders.
Google GeminiAI ReportingCase questionnaire data (for report generation).
CalendlySchedulingBooking details for consultation calls.

7. Data Retention

  • Active Cases: Data is retained while the case is active to facilitate transaction management.
  • Completed Cases: Case data is archived upon completion. We retain records for a period necessary to comply with legal obligations (e.g., for tax audit purposes) and to allow users to retrieve past calculations.
  • Incomplete/Draft Data: Unsubmitted form data may be purged after a set period of inactivity.

8. Your Rights

Under the UK GDPR, you have the following rights:

  1. Right of Access: You may request a copy of the personal data we hold about you.
  2. Right to Rectification: You may correct inaccurate or incomplete data via the platform dashboard.
  3. Right to Erasure: You may request the deletion of data where it is no longer necessary for the purpose it was collected (subject to HMRC record-keeping requirements).
  4. Right to Portability: You may request your data in a structured, commonly used format.

9. Contact & Data Protection Officer

For any questions regarding this policy or to exercise your rights, please contact:

  • Data Protection Officer: instruction@sdltcheck.co.uk
  • Company: SDLT Check (Midlands) Limited

Want to see how it works?

Book a short demo to see how SDLT Check helps firms reduce SDLT risk.

Book Demo