How we handle your data
The number one question we get: "Can I trust you with my credentials?" Here's exactly how DormantFile handles your HMRC Gateway login and Companies House authentication code.
HMRC credentials never stored
Your HMRC Government Gateway user ID and password are entered once at the point of CT600 submission. They are transmitted to HMRC over an encrypted TLS connection and immediately discarded from server memory once HMRC responds. They are never written to our database.
Auth code stored only if you choose
Your six-character Companies House authentication code is entered at the point of accounts filing and is not stored in our database unless you choose to save it for autopilot. If you do save it, it is encrypted at rest (AES-256-GCM) and never logged. You can see whether it is stored and remove it any time from the company's settings — removing it deletes it immediately and permanently and turns autopilot off. Turning autopilot off without removing the code keeps it saved so you can re-enable in one click.
Encryption in transit
All data between your browser and our servers is encrypted using TLS. Your credentials travel over the same encrypted channel to HMRC and Companies House. At no point is sensitive data transmitted in plain text.
Secure password storage
Your DormantFile account password is hashed using bcrypt before it is saved. We never store it in plain text. Even if our database were compromised, your password could not be recovered.
Minimal cookies
One essential session cookie to keep you logged in, plus an optional analytics cookie — only loaded if you consent. No advertising or third-party tracking. See our cookie policy for details.
How we handle HMRC Gateway credentials
When you file a CT600, we ask for your HMRC Government Gateway user ID and password. These credentials are used once, at the moment of submission. They are transmitted directly to HMRC over an encrypted TLS connection. As soon as HMRC responds, the credentials are discarded from server memory. They are never written to our database, never logged, and never accessible to our team.
How we handle your Companies House authentication code
When you file dormant company accounts, we ask for your six-character Companies House authentication code. This code is entered at the point of filing and transmitted to Companies House as part of the submission. Like your HMRC credentials, it is not stored in our database unless you enable annual autopilot (see below) — and it is never logged or accessible to our team.
Annual autopilot (optional storage)
If you choose to save your Companies House authentication code, we store it so future autopilot filings can be submitted when you confirm by email each year. This is entirely opt-in — if you never save it, it is never stored. The code is encrypted at rest using AES-256-GCM and is never logged.
You can see whether the code is stored and remove it at any time from the company's settings page. Removing it deletes it immediately and permanently and turns autopilot off. Turning autopilot off without removing the code keeps it saved so you can re-enable in one click — giving you explicit control in both directions.
What data we store
We store only what is needed to run the service:
- Your email address and hashed password (for your DormantFile account).
- Your company details: name, registration number, UTR, and accounting period dates.
- Filing records for both CT600 and dormant accounts submissions: what was filed, when, and the response from HMRC or Companies House.
- Stripe customer ID for billing (card details are held by Stripe, not us).
Third-party services
- HMRC — receives your company details and Gateway credentials during CT600 filing.
- Companies House — receives your company details and authentication code during accounts filing.
- Stripe — processes payments. They hold card details, not us.
- Resend — delivers transactional emails (reminders, confirmations).
For the full legal detail, read our privacy policy.