Security at SimpleReturns.

The honest version. Every claim on this page reflects what we actually do today — nothing we plan to do later. The companion pages for the full picture are Privacy and Terms.

UK GDPR and ICO

We are registered with the Information Commissioner's Office and we process personal data only to the extent we need to prepare and transmit your statutory accounts and Corporation Tax return. Full detail in the Privacy Policy.

Encrypted in transit

Every request between your browser, our service, HMRC and Companies House uses HTTPS with TLS 1.2 or higher.

Passwordless sign-in

We authenticate you with a single-use magic link sent to your email — there is no password for an attacker to phish or steal. The session that keeps you signed in expires automatically.
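The two properties that paragraph relies on, a link that can be redeemed once and a session that lapses on its own, are easy to get wrong if the token is stored in clear or checked without an expiry. The following is an added illustration, not SimpleReturns' code: a minimal in-memory store that keeps only a SHA-256 hash of the emailed token, rejects reuse and late redemption, and attaches a lifetime to the session it mints. The 15-minute link lifetime, 8-hour session lifetime, and the `now` parameter (passed in so the behaviour can be tested at fixed timestamps) are assumptions of the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed lifetimes for the example; the page states neither value.
LINK_TTL_SECONDS = 15 * 60
SESSION_TTL_SECONDS = 8 * 3600


@dataclass
class PendingLink:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """Issues single-use, expiring sign-in links and short-lived sessions."""

    def __init__(self) -> None:
        # Keyed by the hash of the token, so a database read never yields a
        # token that could be pasted into a URL.
        self._links: Dict[str, PendingLink] = {}
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, now: float) -> str:
        """Create a link token for `email`; the clear token goes only into the email."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._links[self._hash(token)] = PendingLink(email, now + LINK_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Exchange a link token for a session id, or None if it is unknown, used or expired."""
        link = self._links.get(self._hash(token))
        if link is None or link.used or now > link.expires_at:
            return None
        link.used = True  # single-use: a replay of the same link fails from here on
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (link.email, now + SESSION_TTL_SECONDS)
        return session_id

    def session_email(self, session_id: str, now: float) -> Optional[str]:
        """Return the signed-in email for a session, evicting it once its lifetime has passed."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            del self._sessions[session_id]
            return None
        return email


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock.
    store = MagicLinkStore()
    token = store.issue("user@example.com", now=1000.0)
    session = store.redeem(token, now=1100.0)
    print("first redemption ->", session is not None)       # True
    print("second redemption ->", store.redeem(token, now=1200.0))  # None
```

Looking the token up by its hash means the comparison never touches the clear token, and a copy of the table gives an attacker nothing redeemable; the expiry check on both the link and the session is what turns "expires automatically" from a statement into an enforced property.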

Your Companies House Authentication Code

The 6-character code you provide at company binding is stored in our UK Postgres database under restricted application-level access. It is used only to transmit returns on the company's behalf, never shared, and never displayed back to you.

Backups

Daily Postgres backups are encrypted with AES-256-GCM and stored off-site at a UK data centre. We periodically restore from backup to verify the chain works end-to-end.

Hosting

UK-based hosting (Hostinger London). Database and application servers do not leave the UK.

Engineer access

Production systems are accessible only to a small number of named engineers via SSH key. Every access is logged.

How long we keep your data

Filed returns and supporting transactions stay on file for six years from the end of the accounting period to which they relate — HMRC requires limited companies (and us, as the filing intermediary) to retain those records for that long. Authentication and security logs roll off after 12 months.

Who else touches your data

The named processors are: HMRC (recipient of the CT return), Companies House (recipient of the accounts), Stripe (£99 payment processor), Resend (transactional email for magic links and submission receipts), Hostinger (UK hosting), and our third-party large-language model providers (transaction-categorisation prompts only, with bank account numbers and sort codes redacted before send). The Privacy Policy carries the full list and the lawful bases.
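The redaction step mentioned for the categorisation prompts is the control that keeps bank identifiers out of a third party's hands, so it is worth seeing what it has to cope with. The following is an added example, not SimpleReturns' code: it strips UK-format sort codes (6 digits, optionally grouped as 12-34-56) and 8-digit account numbers from transaction descriptions while leaving amounts, dates and longer reference numbers untouched, and it returns counts so a caller can log how much was removed and refuse to send anything that still matches. The patterns, placeholders and sample descriptions are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Order matters: 8-digit account numbers are removed first so that a bare
# 6-digit sort-code pattern cannot match inside one of them.
ACCOUNT_RE = re.compile(r"(?<![\d.])\d{8}(?!\d|\.\d)")
SORT_CODE_GROUPED_RE = re.compile(r"(?<![\d-])\d{2}[- ]\d{2}[- ]\d{2}(?![\d-])")
SORT_CODE_BARE_RE = re.compile(r"(?<![\d.])\d{6}(?!\d|\.\d)")

# The negative lookarounds stop the patterns matching the middle of a longer
# digit run (a payment reference) or the integer part of an amount (1234.56).


@dataclass
class Redaction:
    text: str
    accounts: int
    sort_codes: int


def redact_bank_details(text: str) -> Redaction:
    """Replace sort codes and account numbers in one description with placeholders."""
    text, n_accounts = ACCOUNT_RE.subn("[ACCOUNT]", text)
    text, n_grouped = SORT_CODE_GROUPED_RE.subn("[SORT-CODE]", text)
    text, n_bare = SORT_CODE_BARE_RE.subn("[SORT-CODE]", text)
    return Redaction(text, n_accounts, n_grouped + n_bare)


def contains_bank_details(text: str) -> bool:
    """Final guard to run on the assembled prompt before it leaves the service."""
    return bool(ACCOUNT_RE.search(text) or SORT_CODE_GROUPED_RE.search(text)
                or SORT_CODE_BARE_RE.search(text))


def prepare_prompt_lines(descriptions: List[str]) -> List[str]:
    """Redact a batch of descriptions and refuse to return any line that still matches."""
    out = []
    for description in descriptions:
        redacted = redact_bank_details(description).text
        if contains_bank_details(redacted):
            raise ValueError("bank details survived redaction: refusing to send")
        out.append(redacted)
    return out


# Constructed sample transaction descriptions.
SAMPLE_DESCRIPTIONS = [
    "Transfer to 12-34-56 12345678 ref INV-0042 £1,250.00 on 14/02/2025",
    "Faster payment 123456 87654321 J Smith salary 2,450.00",
    "Card payment 30/01/2025 AWS EMEA 123.45 ref 20250130001",
]

if __name__ == "__main__":
    for line in prepare_prompt_lines(SAMPLE_DESCRIPTIONS):
        print(line)
```

The bare 6-digit pattern is deliberately greedy: a six-digit payment reference will also be replaced, which costs a little categorisation accuracy but errs on the side of not sending a sort code. Space-separated dates such as "14 02 25" would likewise be treated as a sort code; normalising dates before redaction is the place to handle that if it matters.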

If something goes wrong

In the event of a personal data breach we will notify the Information Commissioner's Office within 72 hours of becoming aware, as the UK GDPR requires. If you are personally affected we will email you directly with what happened, what data was involved, what we are doing about it, and what we recommend you do.

Your data, your rights

You can ask for a copy of the personal data we hold, correct it, or ask us to delete it (subject to the HMRC retention obligation above). Email [email protected] — we respond within one month, as the UK GDPR requires. Full detail in the Privacy Policy.

Reporting a vulnerability

Found something we should know about? Email [email protected]. We acknowledge within one working day.

Questions on any of the above? Get in touch.