Skip to main content

How we handle your data

The number one question we get: "Can I trust you with my credentials?" Here's exactly how DormantFile handles your HMRC Gateway login and Companies House authentication code.

HMRC credentials never stored

Your HMRC Government Gateway user ID and password are entered once at the point of CT600 submission. They are transmitted to HMRC over an encrypted TLS connection and immediately discarded from server memory once HMRC responds. They are never written to our database.

Companies House auth code never stored

Your six-character Companies House authentication code is entered at the point of accounts filing. It is transmitted to Companies House as part of the submission and is not stored in our database.

Encryption in transit

All data between your browser and our servers is encrypted using TLS. Your credentials travel over the same encrypted channel to HMRC and Companies House. At no point is sensitive data transmitted in plain text.

Secure password storage

Your DormantFile account password is hashed using bcrypt before it is saved. We never store it in plain text. Even if our database were compromised, your password could not be recovered.

Minimal cookies

One essential session cookie to keep you logged in, plus an optional analytics cookie — only loaded if you consent. No advertising or third-party tracking. See our cookie policy for details.

How we handle HMRC Gateway credentials

When you file a CT600, we ask for your HMRC Government Gateway user ID and password. These credentials are used once, at the moment of submission. They are transmitted directly to HMRC over an encrypted TLS connection. As soon as HMRC responds, the credentials are discarded from server memory. They are never written to our database, never logged, and never accessible to our team.

How we handle your Companies House authentication code

When you file dormant company accounts, we ask for your six-character Companies House authentication code. This code is entered at the point of filing and transmitted to Companies House as part of the submission. Like your HMRC credentials, it is not stored in our database, not logged, and not accessible to our team.

What data we store

We store only what is needed to run the service:

  • Your email address and hashed password (for your DormantFile account).
  • Your company details: name, registration number, UTR, and accounting period dates.
  • Filing records for both CT600 and dormant accounts submissions: what was filed, when, and the response from HMRC or Companies House.
  • Stripe customer ID for billing (card details are held by Stripe, not us).

Third-party services

  • HMRC — receives your company details and Gateway credentials during CT600 filing.
  • Companies House — receives your company details and authentication code during accounts filing.
  • Stripe — processes payments. They hold card details, not us.
  • Resend — delivers transactional emails (reminders, confirmations).

For the full legal detail, read our privacy policy.

Ready to file your dormant company returns?

Set up in minutes. File in seconds. Done for the year.

Get started →
Official government APIs · Credentials never stored