ReturnSorted.

Legal

Privacy Policy

Last updated: 9 March 2026

ReturnSorted Ltd (“ReturnSorted”, “we”, “us”, “our”) is the data controller for personal information collected through this website and service. This policy explains what data we collect, why we collect it, and your rights under UK GDPR and the Data Protection Act 2018.

We are registered with the Information Commissioner’s Office (ICO). If you have any questions about this policy, contact us at privacy@returnsorted.co.uk.

1. What data we collect

We collect the following categories of personal data:

  • Account data - your email address, used to create and access your account via magic link sign-in.
  • Tax return data - income figures, employment details, dividends, pension contributions, and other information you enter when completing your Self Assessment return. This is financial data and is treated with the highest level of care.
  • HMRC OAuth tokens - temporary access tokens issued by HMRC when you authorise ReturnSorted to connect to your HMRC account. These are stored in encrypted, session-only cookies and are never written to our database.
  • Payment data - your email address and payment method details, processed by Stripe. We do not store card numbers. We retain a record of your payment (amount, date, status) to manage your subscription.
  • Usage data - basic technical information such as your browser type, IP address, and pages visited. This is used to keep the service secure and running correctly.

2. How we use your data

We use your personal data to:

  • Provide, operate, and improve the ReturnSorted service.
  • Submit your Self Assessment return to HMRC on your instruction, using your own HMRC OAuth credentials. You submit as yourself - we act as the software you file through.
  • Process your payment and manage your subscription.
  • Send you transactional emails - confirmation of payment, submission receipts, and account access links. We do not send marketing emails without your explicit consent.
  • Comply with legal obligations, including tax and financial regulation.

Our lawful basis for processing is contract (to provide the service you have paid for), legitimate interests (security, fraud prevention, service improvement), and legal obligation where applicable.

3. Who we share your data with

We do not sell your data. We share it only with the third-party processors necessary to provide the service:

  • Supabase - our database and authentication provider, hosted in the EU. Your account data and tax return data are stored here.
  • Stripe - payment processing. Stripe is PCI DSS compliant. Their privacy policy is available at stripe.com/privacy.
  • Amazon Web Services (AWS) - our backend infrastructure, hosted in eu-west-2 (London).
  • HMRC - your tax return data is transmitted to HMRC when you instruct us to submit your return. This is the core purpose of the service.
  • Vercel - our web hosting provider. Serves the ReturnSorted website.

All processors are contractually bound to handle your data in accordance with UK GDPR.

4. International transfers

Some of our processors (including Stripe and Vercel) may process data outside the UK or EU. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions recognised by the UK ICO.

5. How long we keep your data

  • Tax return data - retained for 7 years from the date of filing, in line with HMRC record-keeping requirements. You can request earlier deletion of draft data that has not been submitted to HMRC.
  • Account data - retained for as long as your account is active, plus 12 months after account closure.
  • Payment records - retained for 7 years for accounting and legal compliance purposes.

6. Your rights

Under UK GDPR, you have the right to:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - ask us to correct inaccurate data.
  • Erasure - ask us to delete your data, subject to legal retention obligations (e.g. submitted tax records).
  • Portability - receive your data in a structured, machine-readable format.
  • Objection - object to processing based on legitimate interests.
  • Restriction - ask us to restrict processing of your data in certain circumstances.

To exercise any of these rights, email privacy@returnsorted.co.uk. We will respond within one calendar month. If you are unsatisfied with our response, you have the right to lodge a complaint with the ICO at ico.org.uk.

7. Cookies

We use the following cookies:

  • satr_session_id - stores your anonymous session identifier so your in-progress return is saved between visits. Essential for the service to function.
  • hmrc_oauth_state / hmrc_oauth_return_to - short-lived cookies used during HMRC authorisation to prevent CSRF attacks. Expire after 10 minutes.
  • Supabase auth cookies - store your authentication session if you are signed in. Httponly, secure.

We do not use advertising, tracking, or analytics cookies. We do not use Google Analytics or any third-party analytics platform that tracks you across other websites.

8. Security

We take security seriously. All data is encrypted in transit (TLS) and at rest. Sensitive fields in our database are encrypted at the application layer. HMRC tokens are stored only in httpOnly cookies and never written to our database. Payment data is handled entirely by Stripe and never passes through our servers.

9. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email. The latest version is always available at returnsorted.co.uk/privacy.