SheetSync — Privacy Policy
Last updated: 8 July 2026 · Effective: 8 July 2026
1. Who we are
SheetSync (“SheetSync”, “we”, “us”) is a software service that lets UK landlords send their quarterly property income and expense figures to HMRC under Making Tax Digital for Income Tax, from within Google Sheets.
- Data controller: Samuel Stevens, trading as SheetSync, Flat 3 Camberwell House, 89 Havisham Drive, Swindon, SN25 1BS.
- Contact: privacy@sheetsyncmtd.co.uk.
- ICO registration: registration pending (we are registered with the UK Information Commissioner’s Office as we process personal data).
2. The personal data we collect
| What | Why | Kept |
|---|---|---|
| Your email address | To create your account and sign you in by magic link, and to send you service messages | While your account is active |
| Subscription status (via Stripe) | To manage your £49/year subscription and access. We never see or store your card details — Stripe handles payment | While active + as required for accounting/tax |
| Your HMRC connection tokens | So SheetSync can submit to HMRC on your behalf. Stored encrypted (AES-256-GCM); we never see your Government Gateway password | Until you disconnect HMRC or delete your account |
| Fraud-prevention data (device identifier, browser, screen size, IP address) | HMRC legally requires this “fraud prevention” data on every Making Tax Digital submission | As needed to make and evidence submissions |
3. What we deliberately do NOT store
Your actual tax figures — your income and expense amounts — are never stored on our systems. They pass through in transit only, straight from your Google Sheet to HMRC, and are never written to our database or our logs. This is a core design promise of the product, enforced in our code.
4. Legal bases for processing (UK GDPR)
- Performance of a contract — to provide the service you signed up for (account, HMRC submissions).
- Legal obligation / legitimate interests — to send HMRC the fraud-prevention data it requires, and to keep our service secure.
- Consent — for any optional marketing emails (you can withdraw at any time).
5. Who we share data with (our processors)
We use trusted providers to run SheetSync. Each processes data only on our instructions:
- Supabase — database and sign-in (hosted in the UK/EU region).
- Vercel — application hosting.
- Stripe — subscription payments.
- Resend — sending service emails.
- HMRC — the recipient of your submissions (governed by HMRC’s own terms).
- Google — the SheetSync add-on runs inside your Google Sheets; Google processes your spreadsheet within your own Google account.
We do not sell your data or share it for advertising.
6. International transfers
We choose UK/EU hosting regions where available (e.g. Supabase is configured to the London/EU region). Where a provider processes data outside the UK (e.g. Vercel, Stripe, Resend may process in the US), that transfer is protected by appropriate safeguards — UK “adequacy” regulations, the UK Extension to the EU–US Data Privacy Framework, or the International Data Transfer Addendum to the EU Standard Contractual Clauses, as applicable to each provider.
7. How long we keep data
We keep personal data only as long as needed for the purposes above, or as required by law (e.g. tax/accounting records). When you delete your account, we delete or anonymise your personal data within 30 days, except where we must retain limited records to meet a legal obligation.
8. Your rights
Under UK GDPR you can ask to: access your data; correct it; delete it; restrict or object to processing; and receive a portable copy. To exercise any right, email privacy@sheetsyncmtd.co.uk. You can also complain to the Information Commissioner’s Office (ICO)at ico.org.uk, though we’d appreciate the chance to help first.
9. Cookies
SheetSync uses only the essential cookies needed to sign you in and keep your session secure. We do not use advertising or cross-site tracking cookies.
10. Security
We encrypt your HMRC tokens at rest, sign you in without a stored password (magic link), and never store your tax figures. No system is perfectly secure, but we take reasonable technical and organisational measures to protect your data.
Data breaches. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will report it to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to you, we will also notify you without undue delay.
11. Changes to this policy
We may update this policy; we’ll post the new version here and update the “Last updated” date. Significant changes will be notified by email.
12. Contact
privacy@sheetsyncmtd.co.uk · Samuel Stevens, trading as SheetSync, Flat 3 Camberwell House, 89 Havisham Drive, Swindon, SN25 1BS.