Skip to main content

Privacy Policy

Last updated: 9 March 2026

1. Who we are

LetSort is operated by ToggleKit Ltd, a company registered in England and Wales. We are the data controller for the personal data processed through the LetSort platform.

Contact: privacy@letsort.co.uk

2. What data we collect

We collect and process the following categories of personal data:

  • Account data — name, email address, password (hashed)
  • Property data — property addresses, purchase details, EPC ratings, ownership structures
  • Tenant data — tenant names, contact details, tenancy terms, deposit information
  • Financial data — income and expense records, SA105 category classifications, quarterly submission totals
  • HMRC data — Government Gateway authorisation tokens, National Insurance numbers, MTD Income Tax IDs, submission records
  • Payment data — Stripe customer IDs and subscription status (card details are handled entirely by Stripe and never touch our servers)
  • Technical data — IP addresses, browser information, device identifiers, screen dimensions, and timezone (collected as required by HMRC fraud prevention regulations)

3. Why we process your data

We process personal data for the following purposes:

  • Service delivery — to provide MTD ITSA quarterly reporting and Renters' Rights Act compliance features
  • HMRC submissions — to submit quarterly updates and final declarations to HMRC on your behalf, using your authorised Government Gateway connection
  • HMRC fraud prevention — to collect and transmit device and connection information as required by HMRC's fraud prevention regulations for all MTD API calls
  • Compliance tracking — to calculate certificate expiry dates, tenancy obligations, and penalty exposure
  • Account management — to manage your subscription, process payments, and communicate about your account
  • Legal obligation — to comply with applicable laws, including UK GDPR and HMRC requirements

4. Legal basis for processing

  • Contract — processing necessary to provide the LetSort service you have subscribed to
  • Legal obligation — HMRC fraud prevention header requirements; tax record keeping obligations
  • Legitimate interest — service improvement, security monitoring, and fraud prevention
  • Consent — marketing communications (where applicable)

5. HMRC data handling

When you connect your Government Gateway account, we store OAuth access and refresh tokens to make API calls on your behalf. These tokens are stored encrypted and are used solely to submit your quarterly updates and retrieve your obligation status from HMRC.

We are required by HMRC to collect and transmit fraud prevention headers with every API request. This includes your IP address, device information, browser details, screen dimensions, and timezone. This data is sent directly to HMRC and is not used by LetSort for any other purpose.

You can disconnect your HMRC connection at any time from your account settings, which will delete your stored tokens.

6. Data sharing and server locations

We share personal data with the following third parties:

  • HMRC — quarterly income/expense submissions, obligations queries, and fraud prevention data (when you authorise the connection)
  • Stripe — payment processing (name, email, subscription details)
  • Neon — database hosting (all application data, stored in AWS eu-west-2, London, UK)
  • Vercel — web application hosting (edge network, primary region: London, UK)
  • Cloudflare — API hosting and file storage (global edge network)
  • Resend — transactional email delivery

Your data is primarily stored and processed within the United Kingdom and the European Economic Area. Where data is processed outside the EEA (e.g. by Cloudflare's global edge network), appropriate safeguards are in place as required by UK GDPR.

We do not sell your personal data to any third party.

7. Data retention

We retain your data for as long as your account is active. Financial records (income, expenses, HMRC submissions) are retained for a minimum of 6 years after the end of the relevant tax year, in line with HMRC record-keeping requirements.

When you delete your account, we will remove all personal data within 30 days, except where retention is required by law.

8. Your rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data (subject to legal retention requirements)
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — request that we limit processing of your data
  • Objection — object to processing based on legitimate interest

To exercise any of these rights, contact us at privacy@letsort.co.uk. We will respond within 30 days.

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted storage of sensitive credentials, parameterised database queries, server-side input validation, and secure authentication mechanisms.

If you believe you have found a security vulnerability in LetSort, please report it to security@letsort.co.uk. We will acknowledge your report within 48 hours and aim to provide a resolution timeline within 5 working days.

10. Cookies

LetSort uses essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies.

11. Changes to this policy

We may update this privacy policy from time to time. We will notify you of any material changes by email or through a notice on the platform.

12. Contact and complaints

If you have questions about this privacy policy or wish to make a complaint, contact us at privacy@letsort.co.uk.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk (opens in new tab).