# Privacy Policy — FreeFiler beta

**Version v1.5 — effective from 27 June 2026**

## 1. Who we are

FreeFiler at freefiler.co.uk is a beta service operated by Render Technologies Limited ("Render", "we", "us"), the data controller for the personal data described below. FreeFiler is part of Render Technologies Limited, not a separate company. Contact: privacy@freefiler.co.uk.

If we later move FreeFiler account access or filing-record access to another Render Technologies Limited domain or brand, including Render or `render.my`, Render Technologies Limited remains responsible for the personal data described in this policy.

## 2. What we collect

- **Account data** — your email address, display name, and authentication identifier (via Clerk).
- **Company data** — the Companies House number(s) you add to your account and the membership role you declare (director, secretary, accountant, bookkeeper).
- **Filing data** — the CT600 form fields you complete, plus the assembled iXBRL accounts and iXBRL computation; the GovTalk envelope we send to HMRC; HMRC's response (IRmark when accepted, error detail when rejected).
- **Provenance metadata** — the version of the Authority manifest in effect at the moment your filing was submitted (so the filing can be reconstructed years later byte-for-byte).
- **Operational telemetry and product analytics** — request logs, PostHog event data, a first-party interaction journal, and early-beta Codex/OpenAI monitoring evidence for service reliability, beta support, and understanding where users get stuck in the filing journey.

## 3. What we do not collect

- We do not take payment information; FreeFiler is currently free of charge.
- We do not hold per-user HMRC Gateway credentials in our database; transmission to HMRC uses Render Technologies Limited's own vendor credentials.
- We do not send exact tax-form values, UTRs, CT600 XML, iXBRL files, GovTalk envelopes, or HMRC payload bodies to PostHog session replay. Exact filing values remain in Render's own systems and submitted Filing Record.
- We do not currently share personal details or filing data with partners. If FreeFiler later shows partner or affiliate offers, we will not share your personal details with a partner unless you choose that offer or give clear permission for that named partner.

## 4. Why we hold it — lawful bases

Under UK GDPR Article 6 we rely on:

- **Article 6(1)(b) — performance of a contract** — to hold your account, your draft, and your submitted filings during the period you maintain an account with us. This is the basis on which you can return to the service and view what you previously filed.
- **Article 6(1)(a) — consent** — only for marketing emails, if we later ask you to opt into them separately. Ticking the T&Cs box does NOT mean you consent to marketing.

We do not rely on Article 6(1)(c) (legal obligation) — Render is a software supplier, not the legal record-holder for your tax returns. HMRC keeps its own copy of every submission, and your company is independently required to keep its own books under the Companies Act 2006 and the Finance Act 1998.

## 5. How long we hold it

We hold your account and draft data only for as long as you maintain an account with us. Submitted filing records are treated differently because they are evidence of what was sent to HMRC. If the FreeFiler brand or domain changes, Render Technologies Limited may continue to hold and provide access to your filing records through another Render Technologies Limited service or domain, including Render or `render.my`. When you delete your account, we:

1. Send you a confirmation email with a 7-day grace-period window and a one-click cancellation link.
2. Include in the email a signed URL to download an export ZIP containing your account profile and every filing (account.json + per-company folders with ct600.xml + accounts.ixbrl + computation.ixbrl + govtalk.xml + response.json).
3. On confirmation: delete your login, hard-delete your account row and company-membership rows, and delete mutable drafts.
4. Retain submitted filing evidence where needed to prove what was sent to HMRC and to handle audit, dispute, legal, or record-keeping questions. This retained evidence can include generated CT600 XML, iXBRL accounts, iXBRL computation, GovTalk envelope, IRmark, timestamps, HMRC response evidence, and authority-manifest provenance.
5. Send a final email confirming deletion is complete.

## 6. Who we share it with

- **HMRC** — your CT600 + iXBRL accounts + iXBRL computation are transmitted to HMRC as the legally-required recipient of a Corporation Tax return.
- **Companies House** — read-only: we query Companies House's Public Data API to auto-fill your company's name, registered office, and last-filed accounts. We do not write to Companies House.
- **Clerk** (authentication-as-a-service) — your sign-in credentials are managed by Clerk; we hold only Clerk's opaque user-id.
- **Neon** (Postgres database hosting) — your form drafts and submissions are stored in a Neon-hosted Postgres database with provider-managed at-rest encryption.
- **Resend** (transactional email) — account-lifecycle emails and accepted-filing receipt emails are sent via Resend.
- **Sentry** (error monitoring) — production errors may be sent to Sentry with request context needed to diagnose faults. We configure error reporting to remove tax form contents, Companies House iXBRL bodies, HMRC response bodies, full filing documents, cookies, and authorisation headers before events are sent.
- **PostHog** (product analytics and optional masked session replay) — signed-in journey events and, only when you switch on support replay, a masked replay of your browser session so Render support can understand what happened. We do not send raw CT600 XML, iXBRL files, GovTalk envelopes, HMRC payload bodies, cookies, authorisation headers, passwords, claim tokens, or payment details to PostHog event properties.
- **OpenAI/Codex** (early-beta filing monitor) — for early beta users, Render may ask an OpenAI-hosted Codex agent to review a short-lived signed evidence bundle for your filing journey. The bundle is generated from Render's own systems and can include account/session identifiers, form progress, validation and submission status, Interaction Journal rows, PostHog event/replay references, and safe error summaries so we can check whether the service is working as expected. Codex monitoring is for support, debugging, and safety checks, not advertising.

Render also keeps a short-retention internal interaction journal during beta. It records structured facts such as which form field changed, whether it was empty, the broad value-length bucket, validation state, checkbox state, select/gate answer, save status, and submit/review blockers. It does not store raw sensitive field values unless the field is a checkbox, select/gate option, or support preference that is safe to record exactly.

Exact filing values remain in Render's own systems and submitted Filing Record. During early beta, those first-party records may be included in the short-lived Codex evidence review where needed to check the filing journey, after you accept the current terms and privacy wording. Codex evidence links expire and are not public links.

We do not sell your data.

## 7. Your rights

Under UK GDPR you have the right to:

- access your data — via your `/account` page or by emailing privacy@freefiler.co.uk
- correct inaccurate data — update fields in the form directly, or contact us
- erase your data — use the "Delete my account" action on `/account`
- restrict processing, port your data, object to processing — contact us

You can complain to the Information Commissioner's Office (ico.org.uk) about how we handle your data.

## 8. Cookies and tracking

FreeFiler uses essential authentication cookies and PostHog analytics for signed-in users who have accepted the current terms. PostHog helps us see where beta users get stuck and whether the filing journey is working. Detailed support replay is off unless you switch it on in the form support panel, and replay inputs are masked. During early beta, Render may also generate short-lived Codex/OpenAI monitoring evidence to check the filing journey in near real time. We do not use advertising cookies.

## 9. Changes to this policy

We will publish a new version of this policy here when we make material changes. The version number above moves on each change.

## 10. Contact

Render Technologies Limited<br>
Company number: 17088258<br>
Registered office: 39 Islingword Road, Brighton, BN2 9SF<br>
privacy@freefiler.co.uk

Complaints about privacy can be sent to privacy@freefiler.co.uk. You also have the right to complain to the UK Information Commissioner's Office.

FreeFiler beta is operated by Render Technologies Limited.