Draft, pending solicitor review
Privacy Policy
Last updated: 20 May 2026
This policy explains how RegisterTrack collects, uses and protects personal data when you visit registertrack.com or use the RegisterTrack service. We process personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
1. Who we are
RegisterTrack is operated by [Company name], a company registered in England and Wales (company number [Company number]). Our registered office is [Registered office address].
For any privacy-related question, write to privacy@registertrack.com or to the address above. We do not currently have a statutory obligation to appoint a Data Protection Officer; the privacy mailbox reaches the team responsible for data-protection matters.
2. Who this policy applies to
This policy applies to:
- Visitors to registertrack.com
- Individuals who join our waitlist or request early access
- Customers (UK accountancy firms and equivalent authorised service providers) and their authorised users
- Suppliers, partners and other parties we interact with in the course of our business
Where we process personal data on behalf of a customer (for example, data about their corporate clients' officers or persons with significant control), the customer is the data controller and we act as a processor. That processing is governed by a Data Processing Agreement (DPA) between us and the customer firm. See Section 9.
3. Data we collect
3.1 When you visit registertrack.com or join our waitlist
- Email address (which you provide)
- Aggregate site analytics: page views, referrer, country, device type
- IP address and connection metadata, captured by our hosting provider for security, abuse prevention and service operation
3.2 When you use the Service as a customer or authorised user
- Account information: full name, work email, firm name, role and optional phone number
- Authentication data: hashed passwords and session tokens, managed by our authentication provider
- Billing information: name, billing address, VAT number where applicable, and the last four digits of the payment card (full card details are processed by Stripe; we do not see or store them)
- Service usage: events, actions, audit logs and support correspondence
3.3 When you upload personal data about your clients' officers or PSCs
- Full names, role (director, secretary or person with significant control), date-of-birth month and year, nationality (as published by Companies House)
- Verification status and history, personal-code references (stored in masked form), and evidence files you upload
- We process this data as a processor on your behalf, in line with our DPA
4. Lawful basis for processing
Under Article 6 of the UK GDPR we rely on the following lawful bases:
| Activity | Lawful basis |
|---|---|
| Operating the website and waitlist | Legitimate interests (running our business and offering services to UK accountancy firms) |
| Providing the Service to a customer | Contract (the Terms of Service) |
| Taking payment from a customer | Contract; legal obligation (tax and accounting law) |
| Marketing communications about the Service | Consent (you can withdraw at any time) |
| Security, fraud and abuse prevention | Legitimate interests |
| Compliance with our own legal obligations | Legal obligation |
Where we rely on legitimate interests, we have carried out a balancing assessment between those interests and your rights and freedoms. We are happy to share that assessment on request.
5. How we use personal data
We use personal data to:
- Provide, maintain, secure and improve the Service
- Send transactional messages (account confirmations, billing, security alerts, deadline reminders configured by the customer)
- Send marketing communications where you have agreed
- Respond to enquiries and provide customer support
- Detect, prevent and address abuse, fraud and security incidents
- Comply with legal, regulatory and tax obligations
We do not use personal data for automated decision-making that produces legal or similarly significant effects, and we do not profile individuals.
6. Sub-processors and other recipients
We work with a small set of trusted infrastructure and operational suppliers. Each is bound by a written processing agreement (where they act as a processor) or by their own data-protection obligations (where they act as an independent controller). We do not share personal data with advertising networks or data brokers, and we do not sell personal data.
| Supplier | Purpose | Location |
|---|---|---|
| Vercel Inc. | Web hosting, content delivery, serverless runtime | EU and UK regions |
| Neon Inc. | Database hosting | EU regions |
| Clerk Inc. | Account authentication | EU and US (SCCs in place) |
| Stripe Payments UK Ltd | Payment processing | UK |
| Resend, Inc. | Transactional email delivery | EU |
| Cloudflare, Inc. | Evidence file storage (R2) | EU regions |
| Sentry Software, Inc. | Application error monitoring | EU region |
| PostHog, Inc. | Product analytics (signed-in users only) | EU instance |
| Plausible Insights OÜ | Cookieless website analytics | EU |
| Twilio Ireland Ltd | SMS deadline alerts (Practice and Firm tiers) | EU and UK |
| Our professional advisers | Legal, accounting and tax advice | UK |
An up-to-date list of sub-processors is available on request and is published inside the Service for active customers. We give at least 30 days' notice of any material change to this list, during which a customer may object on reasonable grounds.
7. International transfers
Where personal data is transferred outside the UK, we rely on UK GDPR-compliant safeguards, including:
- The UK adequacy regulations covering the EEA
- The International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK addendum
- Other safeguards permitted by UK GDPR Article 46
Where a sub-processor offers EU or UK hosting, we default to that. Copies of the relevant transfer mechanisms are available on request.
8. How long we keep data
We keep personal data only for as long as needed for the purpose for which it was collected, plus any period required for legal, accounting or audit obligations.
| Data | Retention period |
|---|---|
| Waitlist email | Until you withdraw consent, or 24 months without engagement, whichever is sooner |
| Customer account and Service data | For the duration of the subscription, plus 6 years (Limitation Act 1980) |
| Billing and tax records | 7 years (HMRC requirement) |
| Audit logs and security records | Up to 24 months |
| Personal data we process on behalf of a customer | As directed by the customer; returned or deleted within 30 days of contract termination unless we are required by law to retain it |
| Support and correspondence | Up to 6 years from the date of last contact |
When the retention period expires, we securely delete or anonymise the data.
9. Data we process on behalf of customers
For personal data uploaded or generated by a customer through the Service (including data about their corporate clients' directors, secretaries and persons with significant control), the customer firm is the controller and RegisterTrack is the processor.
That processing is governed by our Data Processing Agreement, which is entered into before any production customer data is loaded. The DPA covers, at minimum:
- The scope, nature, duration and purpose of processing
- Categories of data subjects and personal data
- Sub-processor authorisation and change notification
- Technical and organisational security measures
- Co-operation in handling data-subject requests
- Personal-data breach notification within 72 hours of becoming aware
- International transfer safeguards
- Return or deletion of personal data on termination
- Audit and inspection rights
If you are an individual whose data is being processed by a RegisterTrack customer (for example, you are a director of a company whose accountancy firm uses RegisterTrack), please contact that firm directly to exercise your rights. We will support the firm in handling your request.
A copy of our DPA is available on request from privacy@registertrack.com.
10. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased in certain circumstances
- Restrict how we use your data
- Receive a copy of your data in a portable format
- Object to certain processing, including direct marketing
- Withdraw consent at any time, where consent is the lawful basis
- Not be subject to a decision based solely on automated processing
To exercise any of these rights, email privacy@registertrack.com. We will normally respond within one month of receiving a verifiable request. We may ask for proof of identity before disclosing or amending personal data.
If you are concerned about how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Online: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would, however, appreciate the chance to address your concern first.
12. Security
We protect personal data using:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
- Access control on the principle of least privilege
- Regular dependency, infrastructure and code reviews
- Documented incident-response procedures, including ICO notification within 72 hours and affected-individual notification where required
- Confidentiality obligations for all personnel with access to personal data
No system is perfectly secure. If you become aware of a vulnerability or suspect a personal-data incident, please email security@registertrack.com and we will respond promptly.
13. Children
The Service is not intended for individuals under 18 years old. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time. Material changes will be notified to registered users by email at least 14 days before they take effect, and the “Last updated” date at the top of this page will always reflect the latest revision.
15. Contact
For any privacy-related question, contact privacy@registertrack.com or write to us at the registered office in Section 1.
Companies House data. The Service incorporates public sector information from Companies House. Contains public sector information licensed under the Open Government Licence v3.0. RegisterTrack is not affiliated with or endorsed by Companies House, GOV.UK or any government body.