Privacy Policy
Last updated: July 2026
This policy explains how Micro-File by DaFinIT(“we”, the “Service”) collects, uses, and retains your data. DaFinIT is the data controller. For any privacy query, contact [email protected].
1. Data We Collect
To execute statutory corporate filings, the Service processes the following clusters of data:
- Account credentials: email address, name, and multi-factor authentication details, managed via our identity provider (Clerk).
- Corporate identifiers: your 8-digit Companies House Company Registration Number (CRN) and 10-digit HMRC Unique Taxpayer Reference (UTR).
- Transmission credentials: your Government Gateway User ID and password, and your Companies House Authentication Code. These are supplied at the point of transmission, held transiently in memory only for the duration of that single submission, and are never written to our database.
- Financial information:balance sheet figures, profit & loss line items, director names, and disclosure inputs required to satisfy FRS 105 micro-entity requirements.
- Payment information: processed by our payment provider (Stripe). We do not receive or store your full card details.
2. How We Use Your Data
Your data is used solely to generate the structural iXBRL full accounts and CT600 computation XML packages and to transmit them to the government gateways. Payloads are transmitted using high-grade Transport Layer Security (TLS) encryption to the live gateway servers operated by HMRC and Companies House. On a successful filing, we email you a receipt (including a PDF) so you can retain evidence of the submission.
3. Third-Party Infrastructure Sub-Processors
Your data passes through a lean, secure cloud environment:
- Clerk — authentication, email verification, and secure user sessions.
- Vercel — hosts the application frontend.
- Render — runs the secure backend payload-building engine.
- Supabase / PostgreSQL — stores your wallet balance and a minimal, redacted filing audit record.
- Upstash (Redis) — briefly caches generated documents (see Retention below) to enable receipt download and re-transmission.
- Stripe — processes card payments for filing credits.
- Resend — delivers transactional email, including your filing receipt.
- Cloudflare — content-delivery routing and web-application-firewall (WAF) protection that secures connections and blocks malicious network activity.
4. The Minimal-Footprint Paradigm
We operate on a data-minimisation framework to reduce your security exposure. Unlike traditional subscription bookkeeping software, the Service does not maintain a permanent, open-ended ledger of your historic accounting records. In particular, the raw financial payload embedded in each submission is redacted before it is written to our audit log — we do not retain your raw financial line items.
5. Retention and Purging
- Raw financial payload: redacted from the audit record at the moment of submission. The full financial line items are not stored in our database.
- Generated documents: the full iXBRL accounts and receipt PDF are cached in Upstash (Redis) for approximately 30 minutes to enable receipt download and re-transmission, after which they automatically expire.
- Audit record: we retain minimal metadata — company number and name, accounting period, submission status, correlation/submission references, and the redacted receipt envelope — to evidence that a filing occurred and to prevent duplicate submissions. This may be deleted on request, subject to any legal obligation to retain it.
- Account & wallet data: your account details (held via Clerk) and your filing-credit balance are retained for as long as your account remains active, and are removed or anonymised when you close your account.
- Your record-keeping obligation: because your financial data is deliberately not retained in full, company directors are responsible for downloading and securely archivingthe final PDF/iXBRL receipts to satisfy their statutory 6-year corporate record-keeping obligations.
6. Cookies
We use strictly necessary session cookies (managed via Clerk and Cloudflare) solely to authenticate logins and maintain your session. No marketing or tracking cookies are used.
7. Your Rights
Under UK data protection law you have the right to access, correct, or request deletion of your personal data, and to object to or restrict certain processing. To exercise any of these rights, contact [email protected].
8. Contact
For any question about this policy or how your data is handled, email [email protected].