Privacy Policy
Last updated: 28 March 2026
1. Introduction
DormantFile ("we", "us", "our") is committed to protecting the personal data of everyone who uses our website and service. This privacy policy explains what information we collect, why we collect it, how we share it, and how we keep it safe. It applies to all users of DormantFile, whether you have a free account, a paid subscription, or are simply browsing the site.
2. Data controller
If you have any questions about how we handle your data, contact us at hello@dormantfile.co.uk.
3. What data we collect
We collect the following categories of personal data:
- Account information — your email address, name, and a securely hashed password.
- Company details — company name, Companies House registration number, Unique Taxpayer Reference (UTR), and accounting period dates.
- Filing records — submission timestamps, correlation IDs, response payloads, and filing type (accounts or CT600).
- Payment information — your Stripe customer ID and email address. We never store your card details; all card data is held by Stripe as an independent controller.
- HMRC Gateway credentials — your Government Gateway user ID and password are used only at the moment of filing. They are transmitted to HMRC over TLS, never written to our database, and discarded from server memory immediately after the submission completes.
- Companies House authentication code — entered at the point of filing, transmitted directly to Companies House over TLS, and not stored in our database.
4. How we use your data and legal basis
We process your personal data under UK GDPR on the lawful bases set out below.
| Processing activity | Data used | Lawful basis |
|---|---|---|
| Create and manage your account | Email, password, name | Contract performance |
| Submit filings to HMRC and Companies House | Company details, Gateway credentials, CH auth code | Contract performance |
| Deadline reminders | Email, company details, deadline dates | Legitimate interests |
| Filing confirmations | Email, filing records | Contract performance |
| Process payments | Email, Stripe customer ID | Contract performance |
| Analytics (if consented) | Anonymised usage data | Legitimate interests (cookie placement requires PECR consent) |
5. Third-party services
We share data with the following third parties, only as necessary to provide the service:
- HMRC — your company details and Gateway credentials are transmitted to HMRC to file your CT600 return. HMRC is an independent controller for data it receives.
- Companies House — your company details and authentication code are transmitted to Companies House to file your annual dormant accounts. Companies House is an independent controller for data it receives.
- Stripe — your email address and payment data are shared with Stripe to process subscription payments. Stripe acts as an independent data controller for payment data. See Stripe's privacy policy.
- Resend — your email address is shared with Resend to deliver transactional emails such as filing reminders and confirmations. Resend acts as a data processor on our behalf.
- Google Analytics — anonymised usage data is shared with Google Analytics if you have consented to analytics cookies. Google acts as a data processor on our behalf.
6. International transfers
Stripe and Resend are US-based companies. Transfers of personal data to these providers are covered by UK adequacy regulations and standard contractual clauses, as applicable. Google Analytics data may also be processed internationally under equivalent safeguards.
We do not transfer personal data outside the UK except through the services listed above.
7. Data storage and security
Your data is stored in a PostgreSQL database. All data is encrypted in transit using TLS. Passwords are hashed using bcrypt before storage — we never store your password in plain text.
HMRC Gateway credentials are never persisted. They are held in server memory only for the duration of the submission request and discarded immediately after HMRC responds. Companies House authentication codes are likewise not stored in our database.
8. Data retention
- Account data — retained while your account is active, plus 12 months after cancellation to allow you to reactivate.
- Filing records — retained for 6 years from the filing date, in line with HMRC record-keeping requirements.
- After the applicable retention period, or upon your written request (subject to legal retention obligations), we delete all personal data associated with your account.
9. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate personal data.
- Erase your personal data (subject to legal retention obligations — for example, filing records must be kept for 6 years).
- Restrict processing of your data in certain circumstances.
- Data portability — receive your data in a machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent for analytics cookies at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent.
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, email us at privacy@dormantfile.co.uk.
10. Children's data
DormantFile is not directed at persons under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from someone under 18, please contact us and we will delete it promptly.
11. Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
12. Cookies
We use a small number of cookies to operate the service and, with your consent, to understand how it is used. For full details, see our cookie policy.
13. Changes to this policy
We may update this privacy policy from time to time. We will notify you of material changes by email or by placing a prominent notice on the website. Your continued use of the service after any changes constitutes acceptance of the updated policy.