Legal

Privacy Policy

This policy explains how CISSimple collects and uses personal data when you use our website and software. It is written for users in the United Kingdom and reflects UK GDPR and the Data Protection Act 2018.

Last updated: 23 June 2026

1. Who we are (data controller)

CISSimple is operated by CISsimple, 5 Brayford Square,London,E1 0SG. We are the data controller for personal data processed through the CISSimple website and application.

If you have questions about this policy or how we handle your data, contact us at info@cissimple.co.uk.

2. What data we collect

We may collect and process the following data:

  • Account data: your name, email address and a secure password hash used to sign in. We do not store your password in plain text.
  • Business records you enter: subcontractor names, Unique Taxpayer References (UTRs), verification details, payment records, CIS statements and related information you add to the platform. This may include personal data about you, your staff or your subcontractors.
  • Contact form submissions: your name, email address, message content and any other details you choose to send when you contact us through the website.
  • Billing data: subscription and payment status handled by Stripe. We do not store full card numbers on our servers.
  • Technical and usage data: IP address, browser type, device information, log files and cookies (see section 8). This helps us run, secure and improve the service.

3. Why we use your data (lawful bases)

Under UK GDPR we must have a lawful basis for processing personal data. We rely on the following, depending on the activity:

  • Contract: to create and manage your account, provide the CISSimple service, process subscriptions and respond to support requests.
  • Legitimate interests: to operate, secure and improve the platform, prevent fraud and misuse, and keep internal records — balanced against your rights.
  • Legal obligation: where we must comply with applicable law, for example tax or accounting record requirements that apply to us.
  • Consent: where required for non-essential cookies or optional marketing communications. You may withdraw consent at any time.

4. Who we share data with (processors)

We use trusted third-party providers who process data on our behalf under contract. They may only use your data as we instruct them and must protect it appropriately. Our main processors are:

  • Supabase — database hosting, authentication and secure storage of account and business records.
  • Stripe — subscription billing and payment processing.
  • Resend — sending transactional emails such as account messages and CIS statement delivery.
  • Vercel — website and application hosting, content delivery and infrastructure logs.

Some processors may store or process data outside the UK. Where that happens, we use appropriate safeguards such as UK adequacy decisions or standard contractual clauses approved for UK GDPR.

5. How long we keep data

We keep personal data only for as long as necessary for the purposes described in this policy, including:

  • Account and business records: for the life of your subscription and for a reasonable period afterwards so you can export data or reactivate your account, unless you ask us to delete them sooner and we are not required to retain them by law.
  • Contact form messages: for as long as needed to respond and maintain a record of enquiries, typically up to two years unless a longer period is required.
  • Billing records: as required for accounting, tax and legal purposes, typically up to six years.
  • Server logs: for a limited period for security and troubleshooting, then deleted or anonymised.

6. Your rights

Under UK GDPR you have rights over your personal data, including:

  • the right to be informed about how we use your data (this policy);
  • the right of access to a copy of your personal data;
  • the right to rectification of inaccurate or incomplete data;
  • the right to erasure (“right to be forgotten”) in certain circumstances;
  • the right to restrict processing in certain circumstances;
  • the right to data portability where applicable;
  • the right to object to processing based on legitimate interests; and
  • rights related to automated decision-making (we do not use solely automated decisions with legal or similarly significant effects).

To exercise any of these rights, email info@cissimple.co.uk. We may need to verify your identity before responding. We aim to reply within one month.

If you close your account and request erasure, we will delete or anonymise personal data where we are not legally required or permitted to keep it. Some information may remain in encrypted backups for a short period before being overwritten.

7. Complaints to the ICO

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your personal data properly. We encourage you to contact us first so we can try to resolve your concern.

ICO website: ico.org.uk/make-a-complaint

8. Cookies

We use cookies and similar technologies on our website and application. These are small files stored on your device that help the service work properly.

Essential cookies

Required for sign-in, security and core functionality. The service cannot operate properly without them.

Analytics and preference cookies

Where used, these help us understand how the site is used and remember your preferences. Non-essential cookies are only placed with your consent where required by law.

You can control cookies through your browser settings. Blocking essential cookies may affect how the platform works.

9. Changes to this policy

We may update this policy from time to time. We will post the revised version on this page and update the “Last updated” date. Significant changes may also be notified by email or in-app notice where appropriate.

See also our Terms of Service.