Privacy Policy

Render Technologies Ltd (company no. pending, England & Wales), trading as "Render" ("we", "us"), is the data controller for personal data collected through render.my.

When you create an account or use the service, we collect:

• Name and email address (account creation and contact forms)
• Email address provided when filing via the web form without an account — used to send your filing confirmation and HMRC correlation ID, retained for 90 days then deleted
• Company name (optional, provided by you)
• CT600 filing data you submit (UTR, accounting periods, financials)
• API usage logs (timestamps, endpoint, response codes — no payload bodies)
• IP address and browser user-agent (security logging)

We do not collect payment card details directly — payments are handled by our payment processor (Stripe).

We use your data to:

• Deliver the CT600 filing service (transmitting returns to HMRC)
• Authenticate you and protect your account
• Send transactional emails (filing confirmations, API key alerts)
• Detect and prevent fraud and abuse
• Comply with our legal obligations

We do not sell your data to third parties.

• Contract performance — processing necessary to provide the filing service
• Legal obligation — retaining records as required by tax legislation
• Legitimate interests — fraud prevention, security monitoring

We share data only with:

• HMRC — the CT600 data you instruct us to submit
• Companies House — when you file annual accounts, we transmit your iXBRL company accounts to Companies House (Crown Way, Cardiff CF14 3UZ) as part of your statutory annual accounts filing obligation under the Companies Act 2006. Companies House acts as an independent data controller for the public register. Your registered address and financial summaries become part of the public Companies House record.
• Google LLC (Gemini / Vertex AI) — when you use the document parsing feature (/v1/parse), uploaded financial documents are processed by Google's Gemini AI to extract structured data. Google acts as our data processor under a Data Processing Agreement and UK IDTA. Vertex AI does not use customer data to train its models. Data is processed in the EU/EEA.
• Stripe — for payment processing. Stripe acts as our data processor for processing payments on our behalf (under a Data Processing Agreement). Stripe is also an independent data controller for its own compliance obligations (fraud prevention, financial regulation). See Stripe's Privacy Policy.
• Sentry — error monitoring and performance tracking (acting as our data processor under a Data Processing Agreement; data stored in the EU)
• Infrastructure providers — hosting and database (under data processing agreements)

Filing records (UTR, accounting periods, financials submitted to HMRC) are retained for 7 years from the date of submission, in line with HMRC record-keeping requirements under UK tax legislation.

Account credentials and contact details are retained for as long as your account is active, and deleted within 30 days of account closure. You may request deletion at any time — see Section 7 for your rights.

Under UK GDPR you have the right to:

• Access a copy of your personal data
• Correct inaccurate data
• Request deletion (subject to legal retention obligations)
• Object to processing based on legitimate interests
• Data portability

To exercise any right, email privacy@render.my. We will respond within 30 days.

Passwords are hashed using bcrypt with a cost factor of 12. All data is encrypted in transit (TLS 1.2+). Filing records stored in our database (UTR, company name, and the full GovTalk XML submission) are encrypted at rest using AES-128 (Fernet). We conduct regular security reviews.

We use only essential session cookies (httpOnly, Secure, SameSite=Strict) for authentication. We do not use tracking or analytics cookies.

Data protection queries: privacy@render.my

You also have the right to lodge a complaint with the ICO: ico.org.uk