1. Who we are
The data controller is {{LEGAL_ENTITY}}, company number {{COMPANY_NUMBER}}, registered office {{REGISTERED_ADDRESS}}, registered with the UK Information Commissioner's Office under reference {{ICO_REGISTRATION}} (“FileoFix”, “we”, “us”).
For any data-protection question you can reach us at {{CONTACT_EMAIL_PRIVACY}}. Our Data Protection contact is {{CONTACT_EMAIL_DPO}}.
2. Scope
We are a data controller for data about our own users, account holders and website visitors. We act as a data processor for personal data that a customer uploads or causes to be processed through their workspace (for example, personal data about officers, PSCs or employees referenced in a filing). Where we act as processor, we process that data only on the customer's documented instructions and in accordance with the Data Processing Agreement agreed with that customer.
3. Personal data we collect
We collect and hold the following categories of personal data.
- Account data. Name, email, profile picture, authentication metadata (via our authentication provider), roles within a workspace, and sign-in activity.
- Company and filing data. Company name, number, registered address, officers, persons with significant control, share capital, accounting reference date, filing history — sourced from Companies House and from what you upload.
- Financial data. Where you connect a bank account or accounting software, transactions and balances, categorised and used to prepare filings.
- Filing artefacts. iXBRL accounts, CT600 XML, PDFs and related working papers, plus acceptance receipts returned by HMRC and Companies House.
- Payment data. Plan, status, billing dates and invoice metadata. Card details are collected and held by our payment processor — we do not see or store full card numbers.
- Communications. Emails you send us, in-product messages, support tickets.
- Audit and security data. Device, IP address, user-agent, timestamps of significant actions (login, approve, submit, export). Used to keep the Service secure and to produce the statutory audit trail.
- Analytics and diagnostics. Page views, feature use, error reports and performance traces, some of which may be associated with your account.
4. Why we use your data
- To provide the Service: create and manage your account, prepare and submit filings.
- To meet statutory record-keeping duties (HMRC, Companies House).
- To process payments and manage your subscription.
- To communicate with you about the Service, security notices, and billing.
- To keep the Service secure — detect fraud, investigate incidents, maintain an audit trail.
- To improve the product (analytics, feature use, aggregated error reporting).
- To comply with law, respond to lawful requests, and enforce our terms.
5. Lawful bases
We rely on the following UK GDPR Article 6 bases:
- Contract (Art. 6(1)(b)) — to deliver the Service to you and process payments.
- Legal obligation (Art. 6(1)(c)) — tax and company-law record-keeping (typically seven years for HMRC purposes), anti-money-laundering checks where applicable.
- Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, product analytics, and direct communication with existing customers about our own related services. We have assessed these interests against your rights.
- Consent (Art. 6(1)(a)) — for non-essential cookies and optional marketing communications, where required. You can withdraw consent at any time.
6. Sub-processors
We work with the following service providers. Each has agreed to appropriate security standards and is contractually limited to processing data for the purposes of the Service.
| Provider | Purpose | Primary region |
|---|---|---|
| Clerk | Authentication & user identity | USA |
| Convex | Application backend, database, file storage | USA (migrating to UK) |
| Vercel | Website and application hosting | Global edge; functions in London (lhr1) |
| Stripe | Payments (PCI-DSS compliant) | USA / EU |
| Resend | Transactional email | USA / EU |
| Sentry | Error monitoring and performance traces | USA |
| PostHog | Product analytics | EU |
| Cloudflare | DNS, CDN, network security | Global |
| Companies House | UK statutory register lookups and filings | United Kingdom |
| HMRC | Corporation tax submissions (CT600 / MTD) | United Kingdom |
| Plaid / TrueLayer (optional) | Open Banking connections where you opt in | UK / EU |
An up-to-date list is available on request and, for enterprise customers, as an annex to the Data Processing Agreement.
7. International transfers
Some providers process data outside the United Kingdom. Where we transfer personal data outside the UK, we rely on an adequacy decision where one exists (for example, the UK Adequacy Regulations for the EEA), or on the UK International Data Transfer Agreement (IDTA) / the UK Addendum to the EU Standard Contractual Clauses, together with supplementary measures where appropriate.
8. Retention
We keep personal data only as long as we need it for the purposes set out above, or as required by law.
- Filing artefacts and related data — retained for at least seven (7) years from the end of the relevant accounting period to meet HMRC record-keeping requirements.
- Account data — retained for the life of your account plus a reasonable period after closure for dispute-resolution and legal-defence purposes.
- Deletion requests — where you ask us to delete data we are not required to retain, records are first marked as deleted and placed in a thirty (30)-day grace window, then permanently purged.
- Analytics and diagnostics — aggregated or pseudonymised quickly; raw event logs are typically retained for up to ninety (90) days.
- Backups — rolling point-in-time backups are held by our infrastructure provider and overwritten on a rolling basis.
9. Your rights
Under the UK GDPR and the Data Protection Act 2018 you have the right to: access your personal data; correct inaccuracies; request erasure (subject to our retention obligations); restrict processing; object to processing based on legitimate interests; request portability of data you provided to us; and withdraw consent at any time.
To exercise any right, contact {{CONTACT_EMAIL_PRIVACY}}. We will respond within one month; in complex cases we may extend by up to two further months and will tell you.
11. Security
We apply measures proportionate to the risk, including TLS 1.3 in transit, AES-256 at rest, least-privilege access controls, audit logging of significant actions, separation of production data from development environments, regular vulnerability reviews, and vendor selection based on recognised security accreditations (for example, SOC 2 Type II for our core providers).
12. Children
The Service is intended for business customers aged 18 or over. It is not directed at children and we do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.
13. Changes to this policy
We may update this policy to reflect changes in our services or the law. The “Effective” date at the top shows when the current version took effect. Material changes will be notified by email and/or in-product notice in advance of the effective date.
14. Complaints
If you are not satisfied with how we have handled your data, you can complain to the UK Information Commissioner's Office:
- Online: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
We would appreciate the chance to address your concern first.
15. Contact
Privacy team: {{CONTACT_EMAIL_PRIVACY}}.
Data Protection contact: {{CONTACT_EMAIL_DPO}}.
Post: {{REGISTERED_ADDRESS}}.
For our terms of service see Terms & Conditions.
