VapeTax

Privacy Policy

Last updated 3 July 2026

This Privacy Policy explains how VapeTax collects, uses and protects personal data when you use our service at https://vapetax.co.uk. VapeTax is a software tool that helps UK vape manufacturers manage inventory, duty tax-stamp records, purchase and production orders, Vaping Products Duty (VPD) record-keeping and HMRC-ready exports. We are committed to handling your data lawfully, fairly and transparently in accordance with the UK GDPR and the Data Protection Act 2018.

1. Who we are

VapeTax is operated by, and is a subsidiary of, Qode Ltd, a company registered in England & Wales under company number 17259547. Our registered office is Liberty House, 30 Whitchurch Lane, Edgware, England, HA8 6LE.

For the purposes of your account, login and billing data, Qode Ltd is the data controller. If you have any questions about this policy or wish to exercise your rights, please contact us at privacy@vapetax.co.uk. This mailbox handles all legal, privacy and data-protection matters.

2. The data we collect

We collect and process the following categories of personal data:

  • Account and login data — your username, email address and a securely hashed password. We never store your password in plain text.
  • Company details — an optional company name and address that you may add to your account and use on your records and labels.
  • Business records you enter — the operational data you create in the service, such as stock (PG, VG, nicotine, CBD, flavourings), duty tax-stamp records, purchase and production orders, suppliers, wastage and variance data and other inventory information.
  • Billing records — your subscription plan, payment history (amount, plan, status and date), a Stripe customer id and a saved payment-method token used to process renewals. We do not see or store your full card number — card data is handled entirely by Stripe (see section 5).
  • Audit logs — records of key actions taken within your account, which help with security, accountability and compliance.
  • Technical data — information inherent to operating a web service, such as your IP address, and data needed to keep you securely signed in.

3. How & why we use your data

We use your personal data only where we have a lawful basis to do so under the UK GDPR. The bases we rely on, and the purposes for which we use your data, are:

  • Performance of a contract — to create and administer your account, provide the VapeTax service to you, store the records you enter, process your subscription and provide customer support.
  • Legitimate interests — to keep the service and your account secure, to prevent and detect fraud and abuse, to maintain audit logs and to improve and develop the service. We balance these interests against your rights and freedoms.
  • Legal obligation — to meet our own accounting, tax and other legal and regulatory obligations, including retaining billing records for the required period.
  • Consent — where we rely on your consent (for example, your cookie-consent choice), you may withdraw it at any time.

4. Controller vs processor

Our data-protection role depends on the type of data involved:

  • For the business records you enter — the stock, tax-stamp records, orders, suppliers and similar operational data you create in the service — Qode Ltd acts as a data processor. We process that data on your instructions and on your behalf, and you remain the controller of it.
  • For your account, login and billing data — Qode Ltd is the data controller and determines how and why that data is processed.

VapeTax is a record-keeping and compliance tool. It does not provide legal, tax, accounting or regulatory advice, and it does not file returns with HMRC on your behalf. You remain solely responsible for the accuracy of your records and for your own compliance with HMRC, VPD and all applicable laws. Please see our Terms & Conditions for more detail.

5. Sharing & subprocessors

We do not sell your personal data. We share data only with the trusted service providers (subprocessors) that we rely on to operate VapeTax, and only to the extent necessary to provide the service. These providers are:

Provider | Purpose | Location
Stripe | Payment processing (handles card data; we store only a customer id and payment-method token) | EU / UK
Resend | Sending transactional email (e.g. verification and account emails) | EU / UK
Neon | Database hosting (PostgreSQL) | UK (London, AWS eu-west-2)
Render | Backend API hosting | EU (Frankfurt)
Vercel | Frontend hosting | EU / UK

We may also disclose personal data where we are required to do so by law, or to protect our rights, safety or property.

6. International transfers

Your customer data is stored in the UK/EU. Our database is hosted in the UK (London, AWS eu-west-2), our backend API runs in the EU (Frankfurt) and our frontend is served from the EU/UK. Where any transfer of personal data outside the UK takes place — for example through a subprocessor — we ensure it is protected by appropriate safeguards, such as UK-approved standard contractual clauses or an equivalent adequacy mechanism, so that your data continues to receive an essentially equivalent level of protection.

7. Data retention

We keep your personal data for as long as your account is active and for a reasonable period afterwards to meet our legal and accounting obligations. After that period, we delete or anonymise the data. Note that cancelling a subscription takes effect at the end of the paid period, after which your account moves to the Free plan; your data is not deleted on downgrade. If you wish to have your account and data deleted, contact us at privacy@vapetax.co.uk.

8. Security

We take the security of your data seriously and apply appropriate technical and organisational measures, including:

  • Passwords are securely hashed using bcrypt and never stored in plain text.
  • All data is encrypted in transit using HTTPS/TLS.
  • Each customer account's data is logically isolated through multi-tenant scoping, so one customer cannot access another customer's data.
  • Access to systems and data is restricted to those who need it.

9. Your rights under UK GDPR

Subject to the conditions in the UK GDPR, you have the following rights in relation to your personal data:

  • Access — to obtain a copy of the personal data we hold about you.
  • Rectification — to have inaccurate or incomplete data corrected.
  • Erasure — to have your personal data deleted in certain circumstances.
  • Restriction — to restrict how we process your data in certain cases.
  • Portability — to receive your data in a portable, machine-readable format.
  • Objection — to object to processing based on our legitimate interests.

To exercise any of these rights, please email privacy@vapetax.co.uk. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you are unhappy with how we have handled your data. You can contact the ICO at https://ico.org.uk. We would, however, appreciate the chance to address your concerns first.

10. Cookies

VapeTax sets exactly one strictly-necessary cookie, vt_refresh, an httpOnly session cookie used only to keep you securely signed in and to refresh your session. We do not use any analytics, advertising or third-party tracking cookies. The app also uses your browser's localStorage to hold a short-lived access token and your cookie-consent choice — localStorage is not a cookie and never leaves your device. For full details, see our Cookie Policy.

11. Children

VapeTax is a business tool aimed at vape manufacturers and is not directed at children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so that we can remove it.

12. Changes to this policy & contact

We may update this Privacy Policy from time to time to reflect changes to our service or legal requirements. When we do, we will revise the "Last updated" date shown at the top of this page. We encourage you to review this policy periodically.

This policy, and any dispute relating to it, is governed by the laws of England & Wales. If you have any questions or wish to exercise your rights, please contact us at:

  • Qode Ltd (operator of VapeTax)
  • Liberty House, 30 Whitchurch Lane, Edgware, England, HA8 6LE
  • Company number 17259547
  • privacy@vapetax.co.uk

© 2026 Qode Ltd. All rights reserved. vapetax.co.uk