Privacy Policy

    Last updated: 9 June 2026

    This Privacy Policy explains how Raemedy Limited (“we”, “us”) collects, uses and protects personal data when you use Unfiled (the “Service”). We are the data controller for personal data processed through the Service. Our registered office is 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, England.

    For any privacy request, email support@unfiled.co.uk.

    1. Data we collect

    Account data

    • Email address, name (optional), authentication identifiers.
    • Account preferences and settings.

    Business and tax data

    • Profile information (sole trader, landlord, or company), company number, registered address, financial year end.
    • Bank transactions, invoices, receipts and other financial documents you upload or import.
    • Tax calculations, draft filings, submitted returns (e.g. MTD VAT, Corporation Tax), and confirmation references returned by HMRC or Companies House.
    • HMRC and Companies House credentials (e.g. OAuth tokens) where you connect those services. These are stored encrypted.

    Technical data

    • IP address, browser type, device information, log data.
    • Usage analytics (pages viewed, features used) via Google Analytics, only where you have consented to analytics cookies. See our Cookie Policy for how to manage this.

    Communications

    • Messages you send us via support or feedback channels.
    • Conversations with our in-app assistant when you choose to use it.

    2. How we use your data and lawful basis

    • Provide the Service (contract): operate your account, store and process your records, calculate tax, prepare and submit filings on your instruction.
    • Security and fraud prevention (legitimate interests): protect the Service, detect abuse, keep audit logs.
    • Improve the Service (legitimate interests): debugging, performance monitoring, aggregated product analytics.
    • Service communications (contract): account, billing, security and transactional emails.
    • Marketing communications (consent): only where you have opted in; you can withdraw at any time.
    • Legal compliance (legal obligation): meeting our own tax, accounting and regulatory obligations.

    3. Sharing your data

    We do not sell your personal data. We share data only where necessary to deliver the Service, comply with the law, or act on your instructions (e.g. submitting a return to HMRC).

    Sub-processors

    We rely on the following providers to operate the Service:

    • Supabase — database, authentication, file storage and edge functions (data hosted in the EU).
    • OpenAI — AI features (in-app assistant, categorisation help). Content sent to OpenAI is not used to train their models under the OpenAI API terms. The assistant only accesses your personal financial data when you explicitly opt in.
    • HMRC — tax submissions and queries made on your instruction.
    • Companies House — company lookups and (where applicable) filings made on your instruction.
    • Email delivery provider — transactional and account emails.
    • Hosting and CDN provider — serving the Service to your browser.

    We will update this list when our sub-processors change. Material changes are highlighted via the “last updated” date at the top of this page.

    4. International transfers

    Where data is transferred outside the UK or EEA (for example to providers based in the US), we rely on appropriate safeguards such as the UK International Data Transfer Addendum, Standard Contractual Clauses, or adequacy decisions.

    5. Retention

    • Account data: retained while your account is active and for up to 12 months after closure, except where longer retention is required by law.
    • Tax and filing records: retained for at least 6 years from the end of the relevant tax year, to align with HMRC record-keeping requirements.
    • Backups and logs: typically purged within 90 days of being superseded.

    6. Security

    We use encryption in transit (TLS) and at rest for sensitive fields (including HMRC and Companies House credentials), role-based access controls, row-level security on the database, audit logging, and the principle of least privilege for internal access. No system is perfectly secure; please report any suspected vulnerability to support@unfiled.co.uk.

    7. Your rights

    Under UK GDPR you have the right to:

    • Access the personal data we hold about you.
    • Rectify inaccurate data.
    • Erase data (subject to legal retention obligations).
    • Restrict or object to certain processing.
    • Data portability.
    • Withdraw consent at any time where processing is based on consent.
    • Complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

    To exercise any of these rights, email support@unfiled.co.uk.

    8. Children

    The Service is not intended for anyone under 18 and we do not knowingly collect data from children.

    9. Changes

    We may update this Privacy Policy from time to time. The “last updated” date at the top reflects the latest version. Material changes will be communicated by email or in-app notice.

    10. Contact

    Raemedy Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, England. Email: support@unfiled.co.uk.

    We use cookies

    We use strictly necessary cookies to keep you signed in and optional cookies to help us improve the site. See our Cookie Policy for more.