Privacy Policy

1. Data controller

W Technologies Ltd (“Get Sorted”, “we”, “us”, “our”) is the data controller for personal data processed through the Get Sorted service (getsorted.tax). We are registered with the Information Commissioner's Office (ICO) under registration number [ICO NUMBER].

2. What data we collect

We collect the following categories of personal data:

•Account data: Name, email address, and password (hashed) when you register.
•Tax identity data: Unique Taxpayer Reference (UTR), National Insurance Number (NINO), and VAT registration status — used to submit returns to HMRC on your behalf.
•Business data: Trade type, business name, business start date, and self-employment income/expenses.
•Financial transaction data: Bank transactions retrieved via Open Banking (TrueLayer), including amounts, dates, descriptions, and merchant names.
•Receipts and documents: Images and extracted data (amount, merchant, date, category) from receipts you upload.
•HMRC submission data: Quarterly updates and final declarations submitted to HMRC through the Making Tax Digital (MTD) API.
•Usage data: Pages visited, features used, and error logs — collected via PostHog analytics (with your consent).
•Device data: IP address, browser type, and device identifiers — collected to meet HMRC fraud prevention requirements.

3. How we use your data

We process your personal data to:

•Provide the Get Sorted service and maintain your account.
•Submit quarterly MTD updates and final declarations to HMRC on your instruction.
•Categorise transactions and extract receipt data using AI (Anthropic Claude).
•Connect to your bank account via Open Banking to retrieve transaction data.
•Send transactional emails (submission confirmations, deadline reminders, account notices).
•Meet our legal obligations, including HMRC fraud prevention header requirements.
•Improve the service through anonymised analytics (with your consent).

Our legal bases for processing are: contract performance (providing the service you've signed up for), legal obligation (HMRC MTD requirements), legitimate interests (fraud prevention, security), and consent (analytics, marketing communications).

4. Open Banking data

When you connect your bank account, we use TrueLayer (an FCA-authorised Open Banking provider) to retrieve your transaction history. We access your account data in read-only mode — we cannot initiate payments or modify your account. Bank access tokens are encrypted at rest and in transit. You can disconnect your bank at any time from Settings.

We retrieve transaction data to help you categorise income and expenses for your Self Assessment return. We do not sell or share your bank data with third parties other than those described in this policy.

5. AI processing

We use Anthropic Claude to process receipt images and transaction descriptions. This helps automatically extract merchant names, amounts, and HMRC expense categories. Receipt images and transaction text are sent to Anthropic's API for processing and are subject to Anthropic's privacy policy. We do not use your data to train AI models.

6. Data sharing

We share your data with the following third parties only as necessary to deliver the service:

•HMRC: Quarterly MTD submissions on your instruction.
•TrueLayer: Open Banking connection and transaction retrieval.
•Anthropic: AI-powered receipt and transaction categorisation.
•Supabase: Cloud database and authentication infrastructure. Data is hosted in the EU (Frankfurt, Germany — AWS eu-central-1).
•Stripe: Payment processing and subscription management.
•Resend: Transactional email delivery.
•PostHog: Product analytics (with your consent only).
•Accountants: If you use the accountant marketplace, your accountant can view your transactions and submissions. You control which accountant has access.

We do not sell your personal data.

7. Data retention

We retain your data for as long as your account is active. When you delete your account, your data is soft-deleted immediately and permanently purged within 30 days. HMRC submission records may be retained for up to 6 years to comply with tax record-keeping requirements.

Bank access tokens are automatically purged when you disconnect your bank or when they expire. Audit logs are retained for 12 months for security and fraud prevention purposes.

8. Your rights

Under UK GDPR, you have the right to:

•Access: Request a copy of your personal data (available via Settings → Export my data).
•Rectification: Correct inaccurate data (update via Settings → Profile).
•Erasure: Delete your account and data (Settings → Delete my account).
•Portability: Export your data in machine-readable JSON format.
•Restriction: Request we limit processing of your data in certain circumstances.
•Objection: Object to processing based on legitimate interests.

To exercise your rights, contact us at hello@getsorted.tax. We will respond within 30 days.

9. Cookies

We use essential cookies to keep you logged in and maintain your session. With your consent, we also use analytics cookies (PostHog) to understand how the service is used. You can manage your cookie preferences at any time via the cookie banner or by contacting us.

10. Security

We use industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest for sensitive fields (tokens, NINO, UTR), and row-level security in our database. We conduct regular security reviews and maintain an audit log of sensitive operations.

11. ICO registration and complaints

If you have a concern about how we handle your data that we cannot resolve, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

12. Contact

For all privacy-related queries:
Get Sorted Ltd
Email: hello@getsorted.tax

Privacy at a glance