Privacy Policy
Effective from 2026-05-27 · Version 2026-05-27
This page explains what personal information OTOFILL collects about you, why we collect it, how long we keep it, and the rights you have over it under UK GDPR.
1. Who we are
OTOFILL is bookkeeping software run by OTOFILL Ltd, a company registered in England and Wales under company number 17168411. Our registered office is at 77 Alston Drive, Bradwell Abbey, Milton Keynes, England, MK13 9HG.
We are the “data controller” for the personal information you give us when you use OTOFILL — that means we’re the ones legally responsible for it. We’re registered with the UK Information Commissioner’s Office (ICO).
2. What information we collect
We collect only what we need to run your account and do the bookkeeping work you’ve asked us to do:
- Your account details — name, email, password (stored as an unreadable scramble called a hash), and, if you turn on two-factor sign-in, the secret your authenticator app uses.
- Sign-in history — the dates, times, IP addresses and browser information of your logins, so we can show you a list of recent activity and spot anything unusual.
- Your business information — the organisation(s) you set up, who else is a member, and your role in each.
- HMRC Government Gateway sign-in, if you choose to save it. We encrypt the password so even OTOFILL staff can’t read it. See our HMRC Filing Terms for what we use it for.
- Payment information, handled by our payments provider. We do not store your card number — the provider does, on systems built for the job. We only see a record that a payment happened.
3. Why we collect it
Under UK GDPR we need a “lawful basis” for everything we do with your data. Here are ours:
- Performance of a contract — we need your account details to give you access to the service you signed up for, and we need to keep your bookkeeping records on your behalf for as long as you need them (including the period HMRC requires you to retain them — that retention obligation rests on you as the business owner, and we deliver against it as part of the service).
- Legitimate interests — sign-in history and basic security logs help us detect break-in attempts and protect your account. We keep these to the minimum needed.
- Legal obligation — this basis applies to the records OTOFILL Ltd is itself legally required to keep, such as our own company accounts, our own staff PAYE records, and information we must produce in response to a lawful HMRC, ICO or court order. It does not apply to your bookkeeping data — that is held under the contract with you.
We do not rely on “consent” for any of the core processing above. That keeps things simple: there is nothing to withdraw. If you want us to stop, the route is to close your account (see section 7).
4. How long we keep it
- Your account — for as long as your subscription is active. If you ask us to delete it, we wait 30 days (in case you change your mind), then permanently remove your personal details.
- Bookkeeping & payroll records — HMRC generally requires businesses to keep these for at least 6 years after the end of the relevant tax year. When you delete your account, the financial records of the organisations you own are kept for the HMRC retention period that applied while you ran them, but your personal name and email are removed from them. Once that retention period has lapsed, the records are deleted.
- HMRC Government Gateway sign-in — for as long as your subscription is active, then deleted 30 days after it ends.
- Sign-in history — kept for as long as your account is active. Removed when you delete your account.
- Records of access / deletion requests you have made — we keep these in an anonymised form (your name and email replaced with “deleted user”) so we can prove we acted on your requests. These rows do not contain your personal data and we keep them as evidence of compliance.
5. Who else sees your data
OTOFILL relies on a small number of trusted suppliers (sometimes called “sub-processors”) to run the service. They process your data on our behalf, only for what they’re hired to do, and only for the categories of work below:
- Hosting — the servers your account and data live on, pinned to the European Union.
- Backups — encrypted copies of the database, stored in Western Europe, separate from the main servers.
- Payments — subscription billing and card processing.
- Email delivery — sending operational emails such as password resets and notifications, routed through our provider’s European Union region.
- HMRC — when you approve a filing, we send only the figures and identifiers needed for that filing.
If you want the names of the specific suppliers we currently use, email support@otofill.com and we’ll send the current list.
International transfers
Most of your data stays in the European Union or the United Kingdom. The one exception is payments: although we use a UK-based payments provider entity, some of that provider’s backend infrastructure sits in the United States, which means a small portion of your billing data is transferred there.
UK GDPR requires us to put a safeguard in place for any transfer outside the UK or EEA. We rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses — the legal mechanism the UK Government and ICO have approved for transfers of this kind. It binds the recipient to broadly the same level of protection your data would receive under UK GDPR.
We do not sell your data, ever, to anyone, for any reason.
6. When OTOFILL handles data about other people
Some of what you put into OTOFILL is information about other people — your employees’ payroll data, your suppliers’ contact details, your customers’ names and email addresses. For that data we act as a “data processor”: you decide what to put in and what to do with it, and we hold it on your behalf.
That arrangement is governed by a separate Data Processing Agreement (DPA), which is required by UK GDPR Article 28 and sets out our obligations to you when we hold other people’s data on your instruction. Our DPA is published at /legal/dpa/; once you’re signed in, you can download a PDF copy with your business’s details completed and accept the current version on your business’s record.
If the version on the page is still marked as a draft, or if you need a written processor commitment tailored to your specific circumstances (for example because your own customers or employees are asking for one in a particular form), email support@otofill.com and we’ll provide one.
7. Your rights
UK GDPR gives you the following rights over your data. You can act on the first two yourself from inside OTOFILL; the rest, get in touch and we’ll handle them.
- Right of access (Article 15) — download everything we hold about you as a ZIP. Settings → Privacy → Download my data.
- Right to erasure (Article 17) — ask us to delete your personal data. Settings → Privacy → Delete my account.
- Right to rectification (Article 16) — correct anything that’s wrong. Most fields you can edit yourself; for the rest, email us.
- Right to restriction (Article 18) — ask us to pause processing in specific circumstances (for example, while you’re contesting whether some data is accurate). We’ll keep the data but stop actively using it until the question is resolved.
- Right to data portability (Article 20) — the download above is in a machine-readable format (JSON) so you can take it to another service.
- Right to object (Article 21) — ask us to stop using your data for a particular purpose. Email us and we’ll explain whether we have to keep it (for example HMRC-retained records) or whether we can stop.
- Rights about automated decision-making (Article 22) — we don’t make automated decisions about you that have a legal or similarly significant effect. No credit scoring, no automated account closures, nothing of that nature. If that ever changes, this page will be updated and you’ll be told.
8. Cookies
OTOFILL uses a small number of essential cookies — the kind that keep you signed in and stop forms being submitted by anyone other than you. We do not use advertising or analytics cookies.
9. Changes to this policy
We may update this policy as OTOFILL evolves or as the law changes. If we make material changes — new lawful bases, new categories of data, new sub-processors, anything that affects your rights — we’ll notify you by email and update the version number at the top of this page before the change takes effect.
10. Contact
For anything to do with your data, email support@otofill.com. We aim to reply within a few working days and to fulfil formal rights requests within the one-month window UK GDPR allows.
You can also write to us: OTOFILL Ltd, 77 Alston Drive, Bradwell Abbey, Milton Keynes, England, MK13 9HG.
11. Complaints
If you’re unhappy with how we’ve handled your data, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk. We’d rather you came to us first so we have a chance to put it right, but it’s your right to go straight to the ICO if you prefer.