RandForge Privacy Policy
Last Updated: May 20, 2025
1. Introduction
RandForge LTD ("we," "us," or "our"), a company registered in the United Kingdom at 124 City Road, London EC1V 2NX, with Company number 16396809, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our software-as-a-service applications and related services (collectively, the "Services") or our websites at https://www.randforge.com and https://www.randforge.co.uk (collectively, the "Site"). By registering for, accessing, or using our Services or Site, you agree to the practices described in this Privacy Policy.
For questions or to exercise your data protection rights, contact us at:
• Email: support@randforge.com
• Mail: RandForge LTD, 124 City Road, London EC1V 2NX, United Kingdom
2. Scope
This Privacy Policy applies to personal data we collect from:
• Users who register for or use our Services, including during the 14-day free trial ("Users").
• Companies or entities that subscribe to our Services ("Customers").
• Visitors to our Site.
It does not apply to data collected by third-party services integrated with our Services, which are governed by their respective privacy policies.
3. Data We Collect
We collect only the minimum necessary information to provide and improve our Services, as required for our SaaS operations. The types of personal data we collect include:
3.1. Data Provided by You
• Registration Information: When you sign up for an account or the 14-day free trial, we collect your name, email address, company name, and billing information (processed securely via Stripe, as described in Section 5).
• Customer Content: Files, images, PDFs, or other content you upload to our Services ("Customer Content"). We do not access or use this content except as necessary to provide the Services or comply with legal obligations.
• Feedback and Communications: Information you provide when you contact us (e.g., via email or support forms), including questions, comments, or feedback.
• Reviews: If you post reviews or ratings on our Services, we collect the content of those reviews and associated metadata (e.g., username).
3.2. Data Collected Automatically
• Usage Data: Information about your interaction with our Services or Site, such as IP address, browser type, device information, pages visited, and actions taken (e.g., login times, feature usage).
• Cookies and Tracking Technologies: We use cookies solely for authentication during login. See Section 9 for details on cookies.
3.3. Data from Third Parties
• Payment Processors: Our payment processor, Stripe, collects and processes payment information (e.g., credit card details). We do not store or have access to your full payment card details.
• Third-Party Services: If you enable third-party integrations (e.g., analytics or support tools), we may receive data from those services as authorised by you, subject to their privacy policies.
3.4. Open Banking Data
• Where enabled by the Customer, we may collect bank account information via Open Banking-enabled Account Information Services (AIS). This data is accessed only with the Customer’s explicit consent and authenticated directly with their bank using Strong Customer Authentication (SCA).
• The categories of data collected via Open Banking may include account identifiers, balances, transaction history, and related metadata, as authorised by the Customer and permitted under applicable Open Banking standards.
• RandForge LTD does not access or store banking credentials. Open Banking services are provided by authorised third-party providers regulated by the UK Financial Conduct Authority, and RandForge acts solely as a technical platform and agent to facilitate access to such data.
3.5. HMRC Making Tax Digital (MTD) Integration Data (Optional Feature)
The HMRC MTD integration is an optional service provided by RandForge. When you enable and use this feature (for example, to retrieve VAT obligations or submit VAT returns via HMRC APIs), we collect and process the following additional data as necessary to deliver the functionality:
• VAT registration number (VRN) and related business identifiers.
• Financial and transactional data derived from your uploaded or entered records in the Services, which is formatted and transmitted to HMRC in accordance with MTD requirements.
• Fraud prevention header data, as legally mandated by HMRC for VAT (MTD) API usage. This includes device, connection, and audit information (such as IP address, connection method, and multi-factor authentication details) submitted in HTTP headers during API calls to support HMRC's fraud monitoring and prosecution efforts. This feature is optional; it is not activated by default, and you may choose not to enable or use it at any time. Data processing for this feature occurs only when you explicitly authorise HMRC API connections (via OAuth) and use the related tools.
We act as the data controller for this processing. The lawful basis is: - Contract: to provide the optional MTD submission and retrieval services you request. - Legal obligation: to comply with HMRC's mandatory fraud prevention requirements for API usage. We do not store your HMRC login credentials long-term; authentication uses secure OAuth tokens managed in accordance with HMRC specifications.
4. How We Use Your Data
We use your personal data for the following purposes:
• To provide the Services: To create and manage your account, process subscriptions, provide access to the Services, deliver support, and facilitate the 14-day free trial.
• To process Payments: To handle billing and subscription renewals via Stripe, including during and after the free trial.
• To improve the Services: To analyse usage patterns, troubleshoot issues, and enhance functionality or performance.
• To Communicate: To send account-related notifications (e.g., billing confirmations, trial reminders), updates, or responses to your inquiries.
• To Ensure Security: To detect and prevent fraud, unauthorised access, or prohibited activities, including monitoring for compliance with our Terms.
• To Manage Reviews: If applicable, to display, moderate, or respond to reviews or ratings you submit.
• To Comply with Legal Obligations: To meet requirements under UK GDPR, the Data Protection Act 2018, or other applicable laws, such as tax or consumer protection regulations.
We do not use your data for automated decision-making or profiling that produces legal or significant effects.
5. Legal Basis for Processing
Under UK GDPR, we process your personal data based on the following legal grounds:
• Contract: To fulfil our contract with you (e.g., providing the Services, processing payments, managing subscriptions).
• Consent: For optional activities, such as sending marketing emails (where you opt-in) or using non-essential cookies (if introduced in the future).
• Legitimate Interests: For purposes like improving the Services, ensuring security, or analysing usage, where our interests are not overridden by your rights.
• Legal Obligation: To comply with applicable laws, such as reporting to HMRC or responding to regulatory requests.
• HMRC: Transmission of necessary data (including fraud prevention headers) to HMRC when you use the optional MTD integration features, strictly as required to fulfil API submissions and comply with HMRC regulations.
6. Data Sharing
We do not sell or rent your personal data. We may share your data in the following circumstances:
• Service Providers: With trusted third-party providers who assist us in operating the Services (e.g., Stripe for payments, hosting providers). These providers are bound by data processing agreements to protect your data in accordance with UK GDPR.
• Third-Party Integrations: If you enable third-party services, we may share Customer Content or other data as authorised by you, subject to their privacy policies.
• Legal Requirements: If required by law, court order, or regulatory authority (e.g., UK Information Commissioner’s Office), we may disclose your data to comply with legal obligations or protect our rights.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, with notice to you and safeguards in place as required by UK GDPR.
7. Data Storage and Security
• Location: Your data is stored and processed in the United Kingdom. If you access the Services from outside the UK, you consent to the transfer of your data to the UK.
• Retention: We retain personal data only for as long as necessary to fulfil the purposes outlined in Section 4 or to comply with legal obligations. For example:
o Account data is retained for the duration of your subscription and up to 6 years thereafter for tax and accounting purposes, as required by UK law.
o Customer Content is deleted upon account termination, unless retention is required by law (e.g., for audit purposes).
o Usage data is retained for up to 12 months for analytics and service improvement.
• Security Measures: We implement industry-standard security measures, including encryption (e.g., TLS for data in transit, AES-256 for data at rest), access controls, and regular backups, to protect your data. We perform regular security audits to maintain compliance with best practices. However, no system is completely secure, and we cannot guarantee absolute security.
8. Your Data Protection Rights
Under UK GDPR, you have the following rights regarding your personal data:
• Access: Request a copy of the personal data we hold about you.
• Rectification: Correct inaccurate or incomplete data.
• Erasure: Request deletion of your data, subject to legal retention obligations (e.g., tax records).
• Restriction: Request that we restrict the processing of your data in certain circumstances.
• Portability: Receive your data in a structured, commonly used, machine-readable format or have it transferred to another controller.
• Objection: Object to processing based on legitimate interests, including for marketing purposes.
• Withdraw Consent: Withdraw consent for processing (e.g., marketing emails or non-essential cookies, if introduced) at any time, without affecting prior processing.
To exercise these rights, contact us at support@randforge.com . We will respond within one month, though complex requests may take up to three months with notice. If you are dissatisfied with our response, you can lodge a complaint with the UK Information Commissioner’s Office (ICO) at www.ico.org.uk or by phone at 0303 123 1113.
8.1 How to Request Data Deletion
You can request the deletion of your personal data at any time by contacting us at support@randforge.com with the subject line “Data Deletion Request”. Please include your account email and any relevant details to help us process your request promptly. We will respond within one month (or up to three months for complex requests) and delete your data unless we are legally required to retain it (e.g., for tax or accounting purposes).
9. Cookies and Tracking Technologies
We currently use cookies solely for authentication purposes during login to ensure secure access to the Services. These essential cookies are necessary for the operation of the Services and do not require your consent under the Privacy and Electronic Communications Regulations (PECR).
If we introduce additional cookies in the future (e.g., for analytics to improve the Services or marketing to deliver personalised content), we will:
• Inform you about the types and purposes of these cookies.
• Obtain your explicit consent for non-essential cookies through a clear opt-in mechanism on the Site or Services.
• Allow you to manage or refuse non-essential cookies via our consent tool or your browser settings.
You can disable cookies through your browser settings, but this may affect your ability to log in or use the Services. For more details, contact us at support@randforge.com
10. International Data Transfers
If you access the Services from outside the UK, your data is transferred to and processed in the UK. We ensure that any international data transfers comply with UK GDPR, using safeguards such as UK-approved Standard Contractual Clauses (SCCs) or adequacy decisions where applicable. By using the Services, you consent to this transfer, subject to these safeguards.
11. Third-Party Services
Our Services may integrate with third-party services (e.g., Stripe for payments). These services have their own privacy policies, and we are not responsible for their data practices. We recommend reviewing their policies before enabling integrations. For example, Stripe’s privacy policy is available at https://stripe.com/gb/privacy.
12. Children’s Privacy
Our Services are not intended for individuals under 18 years old. We do not knowingly collect personal data from children. If we learn that we have collected such data, we will delete it promptly. Contact us at support@randforge.com if you believe we have collected data from a child.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the UK Information Commissioner’s Office (ICO) without undue delay, as required by UK GDPR. Notifications will be sent to the email address associated with your account.
14. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, Services, or legal requirements. We will notify you of significant changes via email or in-app notice at least 14 days before they take effect. Continued use of the Services after changes constitutes acceptance of the updated polic
15. Contact Us
For questions, concerns, or to exercise your data protection rights, contact our Data Protection Officer at:
• Email: support@randforge.com
• Mail: RandForge LTD, 124 City Road, London EC1V 2NX, United Kingdom
You may also contact the UK Information Commissioner’s Office (ICO) at www.ico.org.uk or 0303 123 1113 if you have concerns about our data practices.