Privacy Policy

Effective date: 27 April 2026

This Privacy Policy explains how EC Digital Limited ("EC Digital", "we", "us", "our") collects and uses personal data when you visit our website at [INSERT: domain] (the "Website") or register and operate an account for the Cita desktop application ("Cita").

It is important to read this notice together with our Terms of Service.

1. Who we are

EC Digital Limited is a company incorporated in Jersey with company number 164058 and registered office at St Helier, Jersey. EC Digital is the controller of the personal data described in this Privacy Policy.

For any privacy-related question or to exercise your rights, contact us at [INSERT: privacy contact email].

2. The most important point

Cita is a desktop application that runs on your firm's own systems. When you use Cita to prepare and submit Jersey personal income tax returns:

  • The data you enter about taxpayers and their tax affairs is stored on your own systems, not on ours.
  • Tax return submissions are sent directly from your systems to Revenue Jersey's TOOS service — they do not pass through EC Digital.
  • We do not see, receive, or store the personal data of your firm's clients in connection with their tax returns.

This Privacy Policy therefore covers only the personal data we receive about you, your firm, and the people in your firm who register and operate your Cita account — not data about your firm's clients.

3. What personal data we collect

We collect the following categories of personal data:

Account data — when an individual registers an account on behalf of a firm:

  • name of the firm;
  • business contact details (email address, phone number, postal address).

Billing data — to administer your account and pricing:

  • billing contact name and address;
  • record of Submission Credit purchases, prices, and Submissions used;
  • invoice history and payment status.

Communications data — if you contact us:

  • the content of your message and any reply;
  • details of your support request.

We do not collect special category personal data (such as health, religious belief, or biometric data) and you should not send any such data to us.

4. How we use your personal data and the lawful bases

We process your personal data on the following lawful bases under the Data Protection (Jersey) Law 2018:

| Purpose | Categories used | Lawful basis |
|---|---|---|
| To register and administer your account, including authentication and licence verification | Account | Performance of a contract |
| To take payment, issue invoices, and manage Submission Credits | Account, billing | Performance of a contract |
| To provide customer support and respond to your queries | Account, communications | Performance of a contract; legitimate interests (running our business) |
| To send service messages (e.g. about updates, billing, or service changes) | Account | Performance of a contract; legitimate interests |
| To send marketing about Cita and related products (where you have opted in or where it is otherwise lawful) | Account | Consent; legitimate interests |
| To protect the security of our systems, prevent fraud, and detect misuse | Account | Legitimate interests (protecting our business and our customers) |
| To comply with legal obligations, including accounting and tax record-keeping | Account, billing | Legal obligation |
| To establish, exercise, or defend legal claims | All | Legitimate interests; legal obligation |

You can object to processing based on legitimate interests at any time (see Section 8).

5. Who we share your personal data with

We share personal data only with:

  • Service providers that help us run our business (collectively, "sub-processors"), including:
    • Convex, Inc. — the platform we use to host our online services for account management, billing, and Submission Credit accounting. Convex stores account and billing data on our behalf. Convex does not receive any taxpayer data.
    • Vercel Inc. — hosts our Website. Vercel processes standard server log data (such as IP address and request metadata) when you visit the Website. Vercel does not receive any taxpayer data.
  • Professional advisers (lawyers, accountants, auditors) where reasonably necessary;
  • Authorities or third parties where we are required by law to do so or where it is necessary to establish, exercise, or defend legal claims; and
  • A purchaser or successor entity in the event of a sale, merger, reorganisation, or insolvency, subject to appropriate confidentiality obligations.

We do not sell your personal data.

6. International transfers

Some of our service providers (including Convex) are based outside Jersey, and your personal data may be transferred to and processed in countries that are not on the list of jurisdictions whose data protection regime is recognised as adequate under the Data Protection (Jersey) Law 2018.

Where we transfer personal data outside Jersey to such a country, we put in place appropriate safeguards, which may include:

  • standard contractual clauses approved by the Office of the Information Commissioner of Jersey or by the European Commission;
  • transfers to recipients certified under a recognised certification scheme; or
  • other safeguards permitted by the Data Protection (Jersey) Law 2018.

You can contact us at [INSERT: privacy contact email] for a copy of the safeguards in place for any specific transfer.

7. How long we keep your personal data

We keep your personal data only for as long as we need it for the purposes set out in this Privacy Policy, after which we delete or anonymise it.

| Data | Retention period |
|---|---|
| Account data while your account is active | For the duration of the account |
| Account data after the account is closed | Up to 24 months, then deleted unless we are required to keep it for longer |
| Billing and invoicing records | At least 6 years from the end of the relevant accounting period (or longer where required by Jersey tax or accounting law) |
| Support communications | Up to 24 months from the last contact |
| Security and audit logs | Up to 12 months |

8. Your rights

Under the Data Protection (Jersey) Law 2018, you have the right to:

  • access the personal data we hold about you;
  • rectify personal data that is inaccurate or incomplete;
  • erase personal data in certain circumstances (the "right to be forgotten");
  • restrict how we process your personal data in certain circumstances;
  • object to processing based on legitimate interests or for direct marketing;
  • portability — to receive your personal data in a structured, commonly used format and to ask us to transmit it to another controller; and
  • withdraw consent at any time, where we are processing your personal data on the basis of consent.

To exercise any of these rights, contact us at [INSERT: privacy contact email]. We will respond within the timeframes required by law (generally one month).

If you are unhappy with how we handle your personal data, you can complain to the Office of the Information Commissioner of Jersey at oicjersey.org. We would, however, appreciate the chance to address your concerns first — please contact us before submitting a complaint.

9. Cookies and similar technologies

The Website does not use cookies to track or identify you. The Cita desktop application does not use web cookies, but it may store local configuration on your device.

10. Security

We use reasonable technical and organisational measures to protect personal data against loss, misuse, and unauthorised access, including encryption in transit, access controls, and regular review of our systems. No system is completely secure; if you have reason to believe your account has been compromised, contact us immediately at [INSERT: security contact email].

You are responsible for keeping your account credentials confidential and for the security of the systems on which you install and run Cita.

11. Children

Cita is a business product. The Website and Cita are not directed at children, and we do not knowingly collect personal data from anyone under 18.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The latest version is always available on the Website, and we will indicate the effective date at the top. If we make material changes, we will give you reasonable notice (for example, by email or by a notice on the Website or in Cita) before they take effect.

13. Contact

EC Digital Limited
St Helier, Jersey
Privacy: [INSERT: privacy contact email]
General: [INSERT: contact email]