Privacy Policy
Last updated: 2026-04-19
1. Who we are
SARTastic ("we", "us", "our") is operated by Destiny Wills and Legal Services Ltd of 21 Chapel Lane, Hale Barns, Cheshire, WA15 0AB.
We are the data controller for the personal data described in this notice. You can reach our data protection contact at info@SARTastic.co.uk. We are registered with the UK Information Commissioner's Office under registration number ZB897878.
2. What we collect, why, and our lawful basis
| Data | Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Email, name, password | Account creation; sign-in; communication | Contract (Art. 6(1)(b)) |
| Postal address, date of birth, phone | Inserted into your SAR letters so the recipient can identify you | Contract (Art. 6(1)(b)) |
| SAR records (which lender, which letter, status, dates) | Tracking responses, deadlines, escalations | Contract (Art. 6(1)(b)) |
| IP address, request timestamps | Security, abuse prevention, rate limiting | Legitimate interest (Art. 6(1)(f)) |
| Aggregated usage statistics (page views, feature usage) | Improving the service | Legitimate interest (Art. 6(1)(f)) |
We do not collect "special category" data (health, race, religion, etc.). If you choose to include special category data in a SAR letter you write yourself, you consent to it being processed solely for the purpose of fulfilling that SAR.
3. Who we share your data with
We share your personal data only with:
- Companies you direct your SARs to. When you generate a SAR letter, the letter contains your name, address, and contact details so the recipient organisation can find your records and respond to you. Once you send the letter, the recipient becomes a separate data controller for whatever they do next with that information.
- Our infrastructure providers. Microsoft Azure (UK / EU data centres) hosts our application and database. Cloudflare and our DNS provider serve our domain. These are processors acting on our instructions only.
- Email delivery providers. When we email you (account confirmation, password reset, deadline reminders), we use a third-party SMTP provider (Microsoft 365). They process the email envelope and body strictly to deliver the message.
- Where we are legally required. Court order, regulator request, fraud investigation, etc.
We do not sell your personal data. We do not share it with advertisers, marketers, claims management companies, or solicitors.
4. How long we keep your data
- Account data: while your account is active, plus 30 days after deletion.
- SAR letters and timeline: kept while your account is active. You can delete individual SARs at any time.
- Server logs: 30 days for operational/security purposes, then deleted.
- Backups: rolling 14-day encrypted backups; data is purged from backups in line with the same retention windows.
5. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data (you can do this in your profile)
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Receive your data in a structured format (data portability)
- Withdraw consent at any time where processing relies on consent
- Lodge a complaint with the Information Commissioner's Office
To exercise any of these rights, email info@SARTastic.co.uk or use the in-app account deletion option. We respond to all rights requests within one calendar month.
6. International transfers
Your data is stored in UK / EU Microsoft Azure data centres. We do not routinely transfer your data outside the UK / EEA. Where any future processor is based outside the UK / EEA, we will rely on appropriate safeguards (UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision).
7. Cookies
We use a small number of strictly necessary cookies. These keep you logged in (the session cookie), protect against cross-site request forgery, and remember any cookie consent choice. You cannot disable strictly necessary cookies if you want to use the service.
We do not use:
- Advertising or marketing cookies
- Third-party tracking pixels (Facebook, etc.)
- Cross-site behavioural advertising tools
For analytics we use a privacy-respecting tool that does not set any cookies and does not collect personal data (see our Cookies notice for details).
8. Security
We protect your data with:
- Transport encryption (HTTPS / TLS 1.2+) on every page
- Passwords hashed with industry-standard algorithms (we never store plain-text passwords)
- Cross-site request forgery protection on every form
- Strict Content Security Policy and security headers
- Rate limiting on sensitive endpoints
- Encrypted database storage and encrypted backups
9. Automated decision-making
We do not use automated decision-making (including profiling) that produces legal effects concerning you. The SAR letters are generated from a template — there is no automated decision about your eligibility.
10. Children
SARTastic is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18.
11. Changes to this notice
We may update this notice from time to time. The "last updated" date at the top of this page tells you when. Material changes will be highlighted in-app and (where you have a verified email) by email.
12. Contact
Privacy questions: info@SARTastic.co.uk
ICO complaint route: ico.org.uk/make-a-complaint