Privacy Policy
Last updated: 2026-04-25
1. Who we are
SARTastic ("we", "us", "our") is operated by Destiny Wills and Legal Services Ltd of 21 Chapel Lane, Hale Barns, Cheshire, WA15 0AB.
We are the data controller for the personal data described in this notice. You can reach our data protection contact at info@SARTastic.co.uk. We are registered with the UK Information Commissioner's Office under registration number ZB897878.
2. What we collect, why, and our lawful basis
| Data | Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Email, name, password | Account creation; sign-in; communication | Contract (Art. 6(1)(b)) |
| Postal address, date of birth, phone | Inserted into your SAR letters so the recipient can identify you | Contract (Art. 6(1)(b)) |
| SAR records (which lender, which letter, status, dates) | Tracking responses, deadlines, escalations | Contract (Art. 6(1)(b)) |
| IP address, request timestamps | Security, abuse prevention, rate limiting | Legitimate interest (Art. 6(1)(f)) |
| Aggregated usage statistics (page views, feature usage) | Improving the service | Legitimate interest (Art. 6(1)(f)) |
We do not collect "special category" data (health, race, religion, etc.). If you choose to include special category data in a SAR letter you write yourself, you consent to it being processed solely for the purpose of fulfilling that SAR.
3. Who we share your data with
We share your personal data only with:
- Companies you direct your SARs to. When you generate a SAR letter, the letter contains your name, address, and contact details so the recipient organisation can find your records and respond to you. When you click "Send via SARTastic" we dispatch the letter from info@sartastic.co.uk on your behalf, acting solely as an administrative conduit at your direction. The letter makes our role explicit in a footer and sets Reply-To to your own email so the lender's response goes directly to you (not to us). We BCC you on every outbound letter so you have a verbatim copy. Once the letter is sent, the recipient becomes a separate data controller for whatever they do next with that information.
- Audit archive of letters we send in your name. We keep an immutable copy of the exact HTML body, subject, recipient and SMTP message-id of every letter we dispatch on your behalf. This evidences what we sent, when, and to whom — essential if a recipient later disputes receipt, or if you need to demonstrate to the ICO that a valid request was issued.
- Pro-tier inbound processing (optional). If you have signed our Letter of Authority and your account has been enabled for Pro-tier routing, lender responses are delivered to a per-request forwarding address (e.g. sar-xxxxxx@replies.sartastic.co.uk). The inbound mail flow uses Mailgun (operated by Sinch, EU region) as our email-receiving processor — Mailgun accepts the lender's email at our subdomain, briefly stores the message for delivery, and then POSTs the content to SARTastic over an HTTPS webhook with HMAC signature verification. We ingest those replies, use an AI-assisted analyser to extract structured details (commission figures, broker names, agreement references, vehicle registration marks), log them to the corresponding SAR in your dashboard, and relay the original reply to your email address without delay. The analyser processes the response via Anthropic's Claude API under their enterprise data-processing agreement (no training on your data, short retention). Lender attachments (PDFs etc.) are stored in Azure Blob in the UK/EU region. Pro-tier ingest can be revoked at any time by written notice, and we can delete any Mailgun-held message logs on request.
- Our infrastructure providers. Microsoft Azure (UK / EU data centres) hosts our application and database. Cloudflare and our DNS provider serve our domain. These are processors acting on our instructions only.
- Email delivery providers. When we email you (account confirmation, password reset, deadline reminders), we use a third-party SMTP provider (Microsoft 365). They process the email envelope and body strictly to deliver the message.
- Payments processor (Pro tier only). If you subscribe to SARTastic Pro we use Stripe Payments Europe Ltd (Dublin, Ireland; with onward transfers to Stripe Inc. in the United States) to take and process your payment. Stripe receives the personal data necessary to process the payment — your name, email address, billing address, the card details you enter on Stripe's hosted checkout (which never touch our servers), and your subscription history. We receive back from Stripe a customer reference, your subscription status (active / past-due / cancelled), and invoice metadata, which we store on your account so we know whether to grant Pro features. Card numbers and CVV are held by Stripe under PCI-DSS Level 1; we never see them. The transfer to Stripe Inc. in the US is covered by Stripe's UK International Data Transfer Addendum and EU Standard Contractual Clauses, and Stripe self-certifies under the EU–US and UK–US Data Privacy Frameworks. Stripe's privacy notice at stripe.com/privacy sets out their processing in full.
- Where we are legally required. Court order, regulator request, fraud investigation, etc.
We do not sell your personal data. We do not share it with advertisers, marketers, claims management companies, or solicitors.
All sub-processors named above (Microsoft Azure, Cloudflare, Microsoft 365, Mailgun, Anthropic, Stripe) operate under written data-processing agreements with us that meet the UK GDPR Article 28 requirements, including confidentiality, security, breach-notification and onward-transfer restrictions.
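The Pro-tier bullet above says that Mailgun hands lender replies to SARTastic over an HTTPS webhook with HMAC signature verification. The following is an added illustration of what that check involves; it is not code from SARTastic or from Mailgun. It follows Mailgun's documented scheme, in which the sender computes HMAC-SHA256 over the event timestamp concatenated with a random token using the account's webhook signing key, and the receiver must recompute that value, compare it in constant time, and reject stale timestamps so that a captured request cannot simply be replayed. The signing key, timestamps, tokens and helper names below are all constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed example key. A real deployment reads the Mailgun webhook
# signing key from a secret store, never from source code.
WEBHOOK_SIGNING_KEY = b"example-signing-key-not-real"

# Events whose timestamp is further than this from the receiver's clock
# (in seconds) are rejected, bounding the window in which a captured
# webhook body could be replayed.
MAX_SKEW_SECONDS = 300


def expected_signature(key: bytes, timestamp: str, token: str) -> str:
    """HMAC-SHA256 over timestamp + token, hex encoded (Mailgun's scheme)."""
    msg = (timestamp + token).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_mailgun_signature(sig: dict, key: bytes = WEBHOOK_SIGNING_KEY,
                             now: Optional[float] = None) -> bool:
    """Return True only if the signature block is authentic and fresh.

    `sig` is the "signature" object from the webhook JSON body:
    {"timestamp": "...", "token": "...", "signature": "..."}.
    Anything malformed is treated as a failed verification.
    """
    try:
        timestamp = str(sig["timestamp"])
        token = str(sig["token"])
        provided = str(sig["signature"])
    except (KeyError, TypeError):
        return False

    # Freshness first: a valid MAC over an old timestamp is still a replay.
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False

    # Constant-time comparison so a byte-by-byte mismatch does not leak
    # timing information to whoever is submitting forged signatures.
    return hmac.compare_digest(expected_signature(key, timestamp, token), provided)


def build_signed_event(key: bytes, timestamp: int, token: str) -> dict:
    """Constructed helper standing in for the sender: emits a signature block."""
    return {
        "timestamp": str(timestamp),
        "token": token,
        "signature": expected_signature(key, str(timestamp), token),
    }


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # constructed clock value for a repeatable run
    good = build_signed_event(WEBHOOK_SIGNING_KEY, fixed_now, "tok123")
    stale = build_signed_event(WEBHOOK_SIGNING_KEY, fixed_now - 3600, "tok123")
    forged = dict(good, signature="00" * 32)
    wrong_key = build_signed_event(b"some-other-key", fixed_now, "tok123")
    print("genuine:", verify_mailgun_signature(good, now=fixed_now))
    print("stale:  ", verify_mailgun_signature(stale, now=fixed_now))
    print("forged: ", verify_mailgun_signature(forged, now=fixed_now))
    print("wrong key:", verify_mailgun_signature(wrong_key, now=fixed_now))
```

The timestamp check alone still allows a replay inside the skew window, so a receiver that cares about exactly-once processing also records the tokens it has accepted within that window and refuses duplicates; that cache is deliberately left out here to keep the MAC check itself readable.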
4. How long we keep your data
- Account data: while your account is active, plus 30 days after deletion.
- SAR letters and timeline: kept while your account is active. You can delete individual SARs at any time.
- Server logs: 30 days for operational/security purposes, then deleted.
- Backups: rolling 14-day encrypted backups; data is purged from backups in line with the same retention windows.
5. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data (you can do this in your profile)
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Data portability — receive your data in a structured format
- Withdraw consent at any time where processing relies on consent
- Lodge a complaint with the Information Commissioner's Office
To exercise any of these rights, email info@SARTastic.co.uk or use the in-app account deletion option. We respond to all rights requests within one calendar month.
6. International transfers
Your data is stored in UK / EU Microsoft Azure data centres. We do not routinely transfer your data outside the UK / EEA. Where any future processor is based outside the UK / EEA, we will rely on appropriate safeguards (UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision).
7. Cookies
We use a small number of strictly necessary cookies — these keep you logged in (the session cookie), protect against cross-site request forgery, and remember any cookie consent choice. You cannot disable strictly-necessary cookies if you want to use the service.
We do not use:
- Advertising or marketing cookies
- Third-party tracking pixels (Facebook, etc.)
- Cross-site behavioural advertising tools
For analytics we use a privacy-respecting tool that does not set any cookies and does not collect personal data (see our Cookies notice for details).
8. Security
We protect your data with:
- Transport encryption (HTTPS / TLS 1.2+) on every page
- Passwords hashed with industry-standard algorithms (we never store plain-text passwords)
- Cross-site request forgery protection on every form
- Strict Content Security Policy and security headers
- Rate limiting on sensitive endpoints
- Encrypted database storage and encrypted backups
- Role-based access controls on the administrative interface; no direct production-database access for day-to-day operations
- Written data-processing agreements in place with every third-party processor (see section 3)
- Incident-response procedure covering detection, containment, ICO notification, and data-subject notification where required
8a. Data breaches
If we become aware of a personal data breach that affects your information, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it, where UK GDPR requires us to. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, without undue delay, with a plain-English description of what happened, what data was affected, and what we're doing about it. Our internal incident-response process is documented separately and reviewed periodically.
8b. Identity documents — Optional Uploads
To assist with lender verification, SARTastic offers an optional ID-document storage feature.
- Purpose: We store these documents solely so you can attach them to future requests at your discretion.
- No Verification: SARTastic does not verify the authenticity of uploaded documents.
- Retention: You may delete these documents at any time. If not deleted manually, they are automatically purged from our systems 180 days after your last active request or upon account deletion.
- Data Minimisation: You are not required to upload ID to use SARTastic. You may choose to provide ID directly to the lender only when they request it.
Identity checking inside SARTastic. When you register we verify your email address by sending a confirmation link. For Pro-tier services, we require the typed Letter of Authority signing name to match your profile name exactly. SARTastic does not cross-reference your identity against any external identity provider, credit bureau, electoral roll, or government database. We rely on the warranty you give us when you register (see Section 5A of our Terms of Use) that you are the data subject or a validly authorised agent.
Lender verification sits with the lender. The organisations you send Subject Access Requests to ("data controllers" — typically lenders) are responsible, where necessary and proportionate, for satisfying themselves that the request is made by or on behalf of the correct person before releasing personal data (UK GDPR Article 12(6)). That verification is done by the data controller directly with you — they may ask for photo ID, proof of address, account numbers, or other confirmation. SARTastic is not a party to that verification step.
If you believe SARTastic is being misused to submit fraudulent requests in your name — either as a consumer or as a data controller — please contact us via our abuse reporting page.
9. Automated decision-making
We do not use automated decision-making (including profiling) that produces legal effects concerning you. The SAR letters are generated from a template — there is no automated decision about your eligibility.
10. Children
SARTastic is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18.
11. Changes to this notice
We may update this notice from time to time. The "last updated" date at the top of this page tells you when. Material changes will be highlighted in-app and (where you have a verified email) by email.
12. Contact
Privacy questions: info@SARTastic.co.uk
ICO complaint route: ico.org.uk/make-a-complaint