Privacy Policy – Agent authorisation automation

PRIVACY POLICY – Agent authorisation automation

Controller / who we are: Ion Zamfir, trading as Bizbooster (“we”, “us”).​
Last updated: 27 January 2026.​
Contact: Email: info@bizbooster.io, Website: https://bizbooster.io

What this notice covers

This privacy notice explains how we handle personal data when providing Bizbooster automation/software services that help create and track HMRC agent authorisation invitations (for example, MTD ITSA digital authorisations).

Roles (controller vs processor)

• If you are a tax agent/accounting practice using Bizbooster, you typically decide why/how your clients’ data is used; you are the controller and we act as your processor for the data you input into the system.
• If you engage Ion Zamfir trading as Bizbooster directly to provide services to you as an individual/business, we may act as the controller for that engagement.

Personal data we may process

Depending on configuration, we may process:

• Identity/contact data: name, email, phone, address.
• HMRC authorisation-related data: invitation IDs, statuses, timestamps, links.
• Tax identifiers/known facts used to create invitations (only if provided by you/your systems): e.g., National Insurance number (NINO) and postcode.
• Operational/technical data: logs needed to run and troubleshoot automations, and security credentials/tokens used to connect to HMRC and other platforms.

How we use the data (purposes)

We use personal data to:

• Create, send, and track HMRC agent authorisation invitations and their status.
• Update your systems (e.g., CRM) to reflect authorisation progress/completion.
• Troubleshoot errors, provide support, and maintain security.

Lawful bases (when we are controller)

Where we act as controller, we rely on one or more of these bases (depending on context):

• Performance of a contract (to deliver the service you request).
• Legal obligation (where applicable).
• Legitimate interests (running and improving the service, preventing fraud, maintaining audit trails), balanced against your rights.

Sharing and subprocessors

We may share/process data with:

• HMRC (to create/check invitations via HMRC APIs).
• Your connected systems (e.g., CRM, email) that you have authorised/configured.
• Our automation/hosting providers used to run the workflows (subprocessors).

International transfers

Your connected services (e.g., email/CRM providers) may process data outside the UK/EEA. Where applicable, we use appropriate safeguards (such as adequacy decisions and/or contractual protections) for international transfers.

Data retention

We keep personal data only as long as necessary for the purposes above, including:

• Invitation tracking records until processed (accepted/rejected/expired) plus a limited period for audit/support: [e.g., 90 days].
• Operational logs for troubleshooting for a limited period: [e.g., 30 days], unless you request earlier deletion or longer retention is needed for legal reasons.

Security

We use appropriate technical and organisational measures to protect personal data, including access controls, least-privilege handling of credentials, and encryption where supported by the platforms used. You should not email or store access tokens in plain text.

Your rights

Where we are controller, you have rights including access, rectification, erasure, restriction, objection, and (in some cases) data portability. To exercise your rights, contact us using the details above.

Complaints

If you are unhappy with how we handle your data, please contact us first. You also have the right to complain to the UK Information Commissioner’s Office (ICO).