TaxRadar CIS Defence ("the Service") is a CIS due diligence and fraud prevention platform provided by Tax Radar Ltd (company number 16976149), a company incorporated in England and Wales ("we", "us", "our"). Tax Radar Ltd is a wholly-owned subsidiary of TresAI Limited (company number 15944206), which owns and develops the underlying software platform.
Tax Radar Ltd is the data controller for the personal data processed through this Service. TresAI Limited acts as our data processor, providing the technical infrastructure and software under a separate Data Processing Agreement.
Contact: For any data protection queries, please contact our Data Protection Officer at dpo@taxradar.ai.
The Service involves multiple parties and categories of personal data. It is important to understand the different roles:
| Party | Role | Explanation |
|---|---|---|
| You (our customer) | Data controller for subcontractor data you submit to the Service | You determine which subcontractors to check and submit their data for verification. You are responsible for having a lawful basis to share their data with us. |
| Tax Radar Ltd | Data controller for your account data; data processor for subcontractor data you submit | We control how your account information is used. For subcontractor data, we process it on your instructions to provide the Service. |
| TresAI Limited | Sub-processor | TresAI provides the software platform and technical infrastructure. It processes data on our behalf under a Data Processing Agreement. |
Important: The subcontractor data you submit to the Service (such as UTRs, NINOs, company numbers, and VAT registration numbers) belongs to your subcontractors, not to you. You must ensure you have a lawful basis under UK GDPR to submit this data to the Service, and that you have provided appropriate privacy notices to the relevant data subjects.
We collect and process the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account Data | Your name, email address, company name, company number | Provided by you at registration |
| Subcontractor Data | Director names, NINOs, company officer details, registered addresses | Submitted by you; enriched via HMRC and Companies House APIs |
| Tax References | UTRs, CIS verification numbers | Submitted by you; verified via HMRC |
| Screening Results | Sanctions screening results, risk assessment scores, compliance flags | Generated by the Service |
| VAT Data | VAT registration numbers, verification history | Submitted by you; verified via HMRC |
| Field Verification Data | GPS coordinates, photographs, timestamps from on-site visits | Collected during field verification |
| Usage Data | IP address, browser type, device information | Collected automatically for security and fraud prevention |
| Contact Enquiry Data | Full name, email address, phone number, company name, free-text message (including number of subcontractors engaged) | Provided by you via the contact form on this website prior to registration |
We process your data under the following lawful bases (UK GDPR Article 6):
| Lawful Basis | Application |
|---|---|
| Contract (Art. 6(1)(b)) | Processing necessary to provide the CIS due diligence service you have contracted for. |
| Legal Obligation (Art. 6(1)(c)) | CIS verification and HMRC submissions are required under UK tax law (Finance Act 2004, SI 2005/2045). |
| Legitimate Interest (Art. 6(1)(f)) | Fraud prevention, sanctions screening, and risk assessment to protect our users and the public from financial crime. |
| Legitimate Interest (Art. 6(1)(f)) | Responding to pre-sales and general enquiries submitted via the contact form. You have the right to object to this processing at any time by contacting dpo@taxradar.ai. |
We use automated systems including AI-powered analysis (via AWS Bedrock) to:
These automated assessments do not make final decisions — they produce recommendations that are reviewed by qualified professionals before any action is taken. You have the right to request human review of any automated assessment, and to challenge the output. Contact us at dpo@taxradar.ai to exercise this right.
CIS and tax-related records are retained for 7 years from the date of creation, in accordance with HMRC requirements (SI 2005/2045 Regulation 4A). After this period, records are automatically deleted via time-to-live (TTL) mechanisms.
Audit log records are also retained for 7 years to support regulatory investigations and data subject access requests.
Website contact form enquiry records are retained for up to 2 years from the date of submission, after which they are deleted.
You may request earlier deletion — see "Your Rights" below.
We share personal data only with the following third parties, as necessary to deliver the Service:
| Processor / Third Party | Purpose | Location |
|---|---|---|
| TresAI Limited | Sub-processor: provides software platform, cloud infrastructure, AI services | UK |
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute (via TresAI) | EU |
| HMRC | CIS verification, tax data exchange | UK |
| Companies House | Company and director data lookups | UK |
We do not sell personal data that identifies you. Anonymised and aggregated data, from which no individual can be identified, may be used for commercial purposes. Such anonymised data is not personal data and falls outside the scope of data protection legislation.
We do not transfer personal data outside the UK/EEA.
We implement appropriate technical and organisational measures (GDPR Article 32), including:
Under the UK GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you. |
| Rectification (Art. 16) | Request correction of inaccurate personal data. |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten"). |
| Portability (Art. 20) | Export your data in JSON or CSV format. |
| Restriction (Art. 18) | Request we limit processing of your data. |
| Object (Art. 21) | Object to processing based on legitimate interest. |
To exercise any of these rights, contact us at dpo@taxradar.ai. We will respond within 30 days as required by law.
Data export and data erasure can also be initiated directly from the application via the GDPR self-service endpoints.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We use cookies and similar technologies on this platform. When you first visit, a cookie consent banner allows you to accept or reject non-essential cookies.
| Cookie Type | Purpose | Required? |
|---|---|---|
| Essential | Cookie consent preferences. These are necessary for the site to function and are set regardless of your consent choice. | Yes |
| Non-essential | Functional improvements and usage analytics to help us improve the service. Only activated if you click “Accept” on the cookie banner. | No — consent required |
You can change your cookie preferences at any time using the “Cookie Settings” link in the footer. For full details, see the Cookie Policy section within our Terms of Service.
All core data processing occurs within the EU/EEA. Our primary infrastructure is hosted on AWS in the EU. We do not routinely transfer personal data outside the UK/EEA.
If any sub-processor requires data transfer outside the UK/EEA in the future, we will ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs), and will update this notice accordingly.
This service is designed for use by business professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at dpo@taxradar.ai and we will take steps to delete such information.
We may update this privacy notice from time to time. Material changes will be communicated via email or in-app notification. The version number and date at the top of this page will always reflect the latest revision.
© Tax Radar Ltd 2026. Software owned by TresAI Limited.