Privacy Policy
Last updated: 26 February 2026
1. Who we are
GetSorted is a Making Tax Digital (MTD) compliance tool operated by Oshy Labs Ltd ("we", "us", "our"). We are the data controller for your personal data. If you have any questions about this policy or how we handle your data, please contact us at oshylabs@gmail.com.
2. What data we collect
We collect and process the following personal data:
- Full name
- Email address and account credentials
- Unique Taxpayer Reference (UTR)
- National Insurance Number (NINO)
- Income and expense data from uploaded spreadsheets
- Self-employment, property, and supplementary income figures
- HMRC OAuth tokens (stored securely, server-side only)
- Device information for HMRC fraud prevention headers (browser type, screen size, timezone, device ID cookie)
- Usage analytics and IP addresses
3. Why we collect it
We process your data for the following purposes:
- To submit quarterly MTD ITSA updates to HMRC on your behalf
- To track your filing obligations and deadlines
- To maintain an audit trail of submissions as required by HMRC
4. Lawful basis
We process your personal data on the following lawful bases:
- Contract performance (Article 6(1)(b) UK GDPR) — processing is necessary to provide the MTD bridging service you signed up for
- Legal obligation (Article 6(1)(c) UK GDPR) — HMRC legally requires fraud prevention headers on every API call, which necessitates collecting device and network information
- Legitimate interest (Article 6(1)(f) UK GDPR) — improving the service, maintaining security, and preventing fraud
We only collect what is strictly necessary for the purposes above.
5. Data retention
Account data is retained for the duration of your subscription plus 7 years, in line with HMRC record-keeping requirements.
You may request deletion of your data at any time. We will comply subject to any legal retention obligations that require us to keep certain records.
6. Data sharing
- Your data is shared with HMRC as required to fulfil MTD submissions on your behalf.
- We do not sell or share your data with third parties for marketing purposes.
- Payment processing is handled by Stripe, who processes your payment card details directly. We never see or store your full card number. Stripe's privacy policy is available at stripe.com/gb/privacy.
- Our infrastructure providers are Supabase (EU region) and Vercel, who may process data as part of hosting and database services.
- Transactional emails are sent via Resend, who processes your email address solely for delivery purposes.
7. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right to access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (subject to retention obligations)
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing of your data in certain circumstances
To exercise any of these rights, please email oshylabs@gmail.com.
8. Data security
- All data is encrypted in transit (TLS) and at rest
- Row-level security (RLS) is enforced at the database level
- HMRC OAuth tokens are stored server-side only and are never exposed to the browser
- Sensitive identifiers (UTR, NINO) are encrypted with AES-256 at the application layer
9. Cookies
We use the following cookies:
- Session cookies (Supabase auth) — required for you to stay logged in
- Device ID cookie (getsorted_device_id) — a unique identifier stored on your browser, required by HMRC for fraud prevention. This cookie persists for 10 years or until you clear your browser data.
We do not use advertising or analytics cookies.
10. ICO registration
Our ICO registration is pending (registration number TBC). We are committed to complying with the UK GDPR and the Data Protection Act 2018.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email before the changes take effect.
12. Contact and complaints
If you have any questions or concerns about how we handle your data, please email us at oshylabs@gmail.com.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.