Privacy Policy

Last updated: January 2026

ByteLogic Ltd ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Key Points:
  • We only collect data necessary to provide our service
  • Your financial data is never sold to third parties
  • Data is stored securely in UK/EU data centers
  • You can export or delete your data at any time

1. Data Controller

ByteLogic Ltd is the Data Controller for all personal data processed through ByteLogic CT600.

As the Data Controller, we are responsible for protecting your data and ensuring it is processed lawfully, fairly, and transparently.

Data Controller ByteLogic Ltd
Company Number 15601545
Registered Address England & Wales
Privacy Contact edward@bytelogic.ltd
Security Contact edward@bytelogic.ltd

2. Personal Data We Process and Why

We collect and process the following personal data to provide our CT600 filing service:

Data Type Why We Process It Lawful Basis
Name, Email Address Create your account, verify your identity, communicate service updates and support Contract performance
Company Details
Name, address, company number, UTR, accounting period		 Prepare CT600 returns and supporting iXBRL documents Contract performance
Tax Return Figures
P&L, balance sheet, tax adjustments, tax payable		 Generate draft packages, HMRC submissions, and status records Contract performance
Payment Information
Card details (handled by Stripe)		 Process your subscription payments Contract performance
Usage Data
Features used, pages visited		 Improve our service, fix bugs, understand user needs Legitimate interest

3. Lawful Basis for Processing

Under UK GDPR, we must have a valid lawful basis to process your personal data. We rely on the following:

📜 Contract Performance (Article 6(1)(b))

Processing necessary to provide the CT600 filing service you've signed up for, including draft package generation, billing, and HMRC submission status.

⚖️ Legal Obligation (Article 6(1)(c))

Processing required by law, such as retaining filing records and responding to legal requests.

🎯 Legitimate Interest (Article 6(1)(f))

Processing in our legitimate business interest — such as analyzing usage to improve the service, fraud prevention, and security monitoring. You can object to this processing at any time.

✅ Consent (Article 6(1)(a))

Where we rely on consent (e.g., marketing emails), you can withdraw it at any time by contacting us or using the unsubscribe link.

4. How We Use Your Data

  • Provide services: CT600 package preparation, iXBRL generation, and status tracking
  • HMRC submissions: Submit CT600 Corporation Tax returns when you instruct us to do so
  • Communication: Service updates, support responses
  • Billing: Process subscription payments via Stripe
  • Improve service: Analyze usage patterns (anonymized)

5. Special Category Data

Under UK GDPR Article 9, "special category data" includes health information and requires additional protections.

The CT600 filing product is not designed to collect special category data such as health information, racial origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, or sexual orientation.

6. Data Sharing

We share data only with:

  • HMRC: For tax submissions you authorize
  • Stripe: Payment processing (PCI compliant)
  • Cloud providers: Secure hosting (UK/EU only)

We never sell your data or share it for marketing purposes.

7. Data Security

We are responsible for protecting your data. We implement appropriate technical and organisational measures including:

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • HMRC and payment integration secrets stored using industry-standard encryption
  • Regular security audits and penetration testing
  • Staff access limited, logged, and subject to confidentiality agreements
  • Daily backups with 90-day retention
  • Two-factor authentication available for all accounts

For full security details, see our Security Policy.

8. Data Retention

  • Active accounts: Data retained while account is active
  • Cancelled accounts: Data deleted after 30 days (with export notice)
  • Financial records: Retained 7 years as required by UK law
  • Backups: Fully purged within 90 days of deletion request

9. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights:

  • Right of Access (Article 15): Request a copy of all personal data we hold about you
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data
  • Right to Erasure (Article 17): Request deletion of your data (subject to legal retention requirements)
  • Right to Data Portability (Article 20): Export your data in machine-readable format (CSV, JSON)
  • Right to Object (Article 21): Object to processing based on legitimate interest
  • Right to Restrict Processing (Article 18): Limit how we use your data
  • Right to Complain: Lodge a complaint with the ICO if you're not satisfied

To exercise any of these rights, email edward@bytelogic.ltd. We will respond within 30 days.

10. Cookies

We use minimal cookies:

  • Session cookies: Keep you logged in (essential, no consent required)
  • Preference cookies: Remember your settings (essential)

We do not use third-party tracking or advertising cookies.

11. International Transfers

Your data is stored in UK/EU data centers. If any processing occurs outside the UK, we ensure adequate protection through Standard Contractual Clauses or UK adequacy decisions.

12. Changes to This Policy

We may update this policy and will notify you of significant changes via email. The "Last updated" date at the top of this page indicates when it was last revised.

Data Protection Contact

For privacy-related questions or requests:

Email: edward@bytelogic.ltd

ICO: ico.org.uk (supervisory authority)