Privacy Policy

GetMySAR operates the website https://getmysar.com. In this Privacy Policy, "GetMySAR", "we", "us" and "our" refer to GetMySAR.

If you have any privacy questions or want to exercise your data protection rights, please contact us via our contact form.

This policy applies to personal data we process about:

• people who visit our website;
• people who submit a Subject Access Request through our service;
• people on whose behalf a Subject Access Request is submitted;
• contacts at organisations named in a request; and
• people who contact us with questions or privacy requests.

Our service is intended for UK users and is designed to help users make Subject Access Requests under UK GDPR and the Data Protection Act 2018.

The personal data we collect depends on how you use the site and what you submit to us.

We use personal data to:

• provide and operate the GetMySAR website and service;
• prepare, submit and manage Subject Access Requests on your instructions;
• send the request and supporting materials to the organisation you identify;
• contact or notify the target organisation that a Subject Access Request has been made and that they are expected to respond within the applicable timeframe under UK GDPR;
• process payments and maintain transaction records;
• communicate with you about your request or our service;
• monitor, secure and improve our website and systems;
• prevent misuse, fraud and abuse; and
• comply with legal and regulatory obligations.

GetMySAR acts in different roles depending on the activity.

• As data controller: we act as controller for personal data processed to run our website and business, including site administration, security, analytics, payment administration, customer support and legal compliance.
• As a service provider acting on your instructions: when you use GetMySAR to prepare and send a Subject Access Request, we generally handle the submitted information for that purpose on your instructions.
• The target organisation: the organisation to which the SAR is sent is responsible for its own handling of your request and will usually act as an independent data controller for its own processing.

Under UK GDPR, we rely on one or more of the following lawful bases, depending on the processing activity:

• Contract — where processing is necessary to provide the service you ask us to provide, including preparing and submitting a SAR.
• Consent — where you choose to provide optional documents or where you instruct us to share supporting materials such as consent forms or ID documents.
• Legitimate interests — where necessary for website security, fraud prevention, service administration and improving our services, provided those interests are not overridden by your rights.
• Legal obligation — where we must process personal data to comply with applicable law, regulation or lawful requests.
• Consent — for analytics or advertising-related cookies where consent is required.

By submitting the form through GetMySAR, you instruct us to send the Subject Access Request and supporting materials to the organisation you identify.

Depending on what you provide, this may include any information submitted through the form, including identity details, contact details, date of birth, address information, reference numbers, request details, signed consent forms and ID documents.

We may contact the target organisation by email, SMS and/or letter, depending on the details available and how the request is being handled.

We may share personal data with:

• the organisation or data controller identified in your request;
• service providers who help us operate the service, including:
  • Vercel for hosting and website infrastructure;
  • Supabase for database services;
  • AWS S3 for file storage;
  • Amazon SES for email delivery;
  • Stripe for payment processing;
  • Google Analytics for analytics; and
  • Google Tag Manager for tag management.
• professional advisers, auditors, insurers or legal advisers where reasonably necessary;
• law enforcement, regulators, courts or public authorities where required by law or to protect our legal rights; and
• a buyer, investor or successor organisation in connection with a merger, acquisition, financing or sale of assets, subject to appropriate confidentiality protections.

Our main storage locations for SAR-related data are in the UK, including:

• AWS S3 in eu-west-2 (London); and
• Supabase in eu-west-2 (London).

However, some of our service providers may process personal data outside the UK, including in connection with analytics, hosting, infrastructure, support or payment services.

Where personal data is transferred outside the UK, we will seek to ensure appropriate safeguards are in place where required, such as adequacy regulations or approved contractual protections.

We use appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse or alteration.

These measures may include:

• restricted access to systems and stored data;
• use of established hosting and infrastructure providers;
• secure transmission methods where applicable; and
• encryption for stored files, including server-side encryption in AWS S3 using AES-256.

No method of transmission or storage is completely secure, but we take reasonable steps to protect the data we hold.

We keep personal data for as long as it is reasonably necessary for the purposes described in this Privacy Policy, including to:

• provide the GetMySAR service;
• keep records of submitted requests and consent materials;
• maintain administrative records, including whether an organisation responded;
• handle disputes, complaints or legal issues; and
• meet regulatory, accounting or legal obligations.

In some cases this may mean we keep certain records for a long time. When data is no longer needed, we may delete it or anonymise it.

If you ask us to delete your data, we will review the request and, where appropriate, delete or anonymise data unless we need to keep it for legal, operational or legitimate business reasons.

Our website may use cookies and similar technologies to operate the site, understand usage and manage tags and measurement tools.

These may include:

• essential cookies needed for site functionality;
• Google Analytics cookies; and
• Google Tag Manager related technologies.

You can usually control cookies through your browser settings. Where required by law, non-essential cookies should only be used with your consent.

If you have a question about cookies or similar technologies, please use our contact form.

Some Subject Access Requests may relate to children or be made on a child's behalf. Where you submit a request for another person, including a child, you are responsible for ensuring you are authorised to do so.

Depending on the circumstances, you may have the right to:

• request access to your personal data;
• request correction of inaccurate or incomplete data;
• request deletion of your personal data;
• request restriction of processing;
• object to certain processing;
• request data portability where applicable; and
• withdraw consent where we rely on consent, without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please use our contact form.

If you have concerns about how we handle your personal data, please contact us first using our contact form.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

ICO website: https://ico.org.uk/make-a-complaint/

We may update this Privacy Policy from time to time. Any changes will be posted on this page and the "Last updated" date will be revised.