GetSorted
Sign in

Privacy Policy

Last updated: 26 February 2026

1. Who we are

GetSorted is a Making Tax Digital (MTD) compliance tool operated by OshyLabs. If you have any questions about this policy or how we handle your data, please contact us at securitygs@oshylabs.eu.

2. What data we collect

We collect and process the following personal data:

  • Full name
  • Email address and account credentials
  • Unique Taxpayer Reference (UTR)
  • National Insurance Number (NINO)
  • Income and expense data from uploaded spreadsheets
  • Self-employment, property, and supplementary income figures
  • HMRC OAuth tokens (stored securely, server-side only)

3. Why we collect it

We process your data for the following purposes:

  • To submit quarterly MTD ITSA updates to HMRC on your behalf
  • To track your filing obligations and deadlines
  • To maintain an audit trail of submissions as required by HMRC

4. Lawful basis

We process your personal data on the basis of contractual necessity (Article 6(1)(b) UK GDPR). Processing is necessary to perform the service you have signed up for — submitting tax data to HMRC on your behalf.

5. Data retention

Account data is retained for the duration of your subscription plus 7 years, in line with HMRC record-keeping requirements.

You may request deletion of your data at any time. We will comply subject to any legal retention obligations that require us to keep certain records.

6. Data sharing

  • Your data is shared with HMRC as required to fulfil MTD submissions on your behalf.
  • We do not sell or share your data with third parties for marketing purposes.
  • Our infrastructure providers are Supabase (EU region) and Vercel, who may process data as part of hosting and database services.

7. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  • Right to access — request a copy of the data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data (subject to retention obligations)
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing of your data in certain circumstances

To exercise any of these rights, please email securitygs@oshylabs.eu.

8. Data security

  • All data is encrypted in transit (TLS) and at rest
  • Row-level security (RLS) is enforced at the database level
  • HMRC OAuth tokens are stored server-side only and are never exposed to the browser
  • Sensitive identifiers (UTR, NINO) are encrypted with AES-256 at the application layer

9. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email before the changes take effect.

10. Contact and complaints

If you have any questions or concerns about how we handle your data, please email us at securitygs@oshylabs.eu.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.