Privacy Policy — Render

# Privacy Policy — Render

**Version v1.2-render — effective from 1 June 2026**

## 1. Who we are

Render at render.my is operated by Render Technologies Limited ("Render", "we", "us"), the data controller for the personal data described below. Contact: privacy@render.my.

## 2. What we collect

- **Account data** — your email address, display name, and authentication identifier (via Clerk).
- **Company data** — the Companies House number(s) you add to your account and the membership role you declare.
- **Filing data** — the CT600 form fields you complete, plus the assembled iXBRL accounts and iXBRL computation; the GovTalk envelope we send to HMRC; HMRC's response.
- **Payment evidence** — Stripe provider reference, amount, currency, authorisation status, capture status, cancellation status, failure status, and webhook event ids.
- **Provenance metadata** — the version of the Authority manifest in effect at the moment your filing was submitted.
- **Operational telemetry** — minimal request logs for service reliability.

## 3. What we do not collect

- We do not store card numbers, CVCs, or sensitive payment-method details. Stripe handles card entry and payment-method processing.
- We do not hold per-user HMRC Gateway credentials in our database; transmission to HMRC uses Render Technologies Limited's own vendor credentials.

## 4. Why we hold it — lawful bases

Under UK GDPR Article 6 we rely on:

- **Article 6(1)(b) — performance of a contract** — to hold your account, your draft, your submitted filings, and payment evidence needed to provide the paid filing service.
- **Article 6(1)(a) — consent** — only for marketing emails, if we later ask you to opt into them separately.

We do not rely on Article 6(1)(c) (legal obligation) — Render is a software supplier, not the legal record-holder for your tax returns. HMRC keeps its own copy of every submission, and your company is independently required to keep its own books.

## 5. How long we hold it

We hold your account and draft data only for as long as you maintain an account with us. Submitted filing records and non-sensitive payment evidence are treated differently because they are evidence of what was submitted and charged. When you delete your account, your login, account row, memberships, and mutable drafts are deleted. Submitted filing evidence may still be retained to prove what was sent to HMRC and to handle audit, dispute, legal, payment, or record-keeping questions. Retained filing evidence can include generated CT600 XML, iXBRL accounts, iXBRL computation, GovTalk envelope, IRmark, timestamps, HMRC response evidence, payment evidence, and authority-manifest provenance.

## 6. Who we share it with

- **HMRC** — your CT600 + iXBRL accounts + iXBRL computation are transmitted to HMRC.
- **Companies House** — read-only public API lookups for company information and last-filed accounts.
- **Stripe** — payment authorisation, capture, cancellation, and payment-status webhooks.
- **Clerk** — authentication.
- **Neon** — Postgres database hosting.
- **Resend** — transactional email.
- **Sentry** — production error monitoring with sensitive filing contents removed before events are sent.

We do not sell your data.

## 7. Your rights

Under UK GDPR you have the right to access, correct, erase, restrict, port, or object to processing of your data. Contact privacy@render.my.

You can complain to the Information Commissioner's Office (ico.org.uk) about how we handle your data.

## 8. Cookies and tracking

Render uses essential authentication cookies and may use strictly necessary payment-session cookies or redirects operated by Stripe. We do not use advertising cookies in this filing app.

## 9. Changes to this policy

We will publish a new version of this policy here when we make material changes. The version number above moves on each change.

## 10. Contact

Render Technologies Limited<br>
Company number: 17088258<br>
Registered office: 39 Islingword Road, Brighton, BN2 9SF<br>
privacy@render.my

Complaints about privacy can be sent to privacy@render.my. You also have the right to complain to the UK Information Commissioner's Office.