SheetSync — Privacy Policy

Last updated: 8 July 2026 · Effective: 8 July 2026

1. Who we are

SheetSync (“SheetSync”, “we”, “us”) is a software service that lets UK landlords send their quarterly property income and expense figures to HMRC under Making Tax Digital for Income Tax, from within Google Sheets.

2. The personal data we collect

WhatWhyKept
Your email addressTo create your account and sign you in by magic link, and to send you service messagesWhile your account is active
Subscription status (via Stripe)To manage your £49/year subscription and access. We never see or store your card details — Stripe handles paymentWhile active + as required for accounting/tax
Your HMRC connection tokensSo SheetSync can submit to HMRC on your behalf. Stored encrypted (AES-256-GCM); we never see your Government Gateway passwordUntil you disconnect HMRC or delete your account
Fraud-prevention data (device identifier, browser, screen size, IP address)HMRC legally requires this “fraud prevention” data on every Making Tax Digital submissionAs needed to make and evidence submissions

3. What we deliberately do NOT store

Your actual tax figures — your income and expense amounts — are never stored on our systems. They pass through in transit only, straight from your Google Sheet to HMRC, and are never written to our database or our logs. This is a core design promise of the product, enforced in our code.

4. Legal bases for processing (UK GDPR)

5. Who we share data with (our processors)

We use trusted providers to run SheetSync. Each processes data only on our instructions:

We do not sell your data or share it for advertising.

6. International transfers

We choose UK/EU hosting regions where available (e.g. Supabase is configured to the London/EU region). Where a provider processes data outside the UK (e.g. Vercel, Stripe, Resend may process in the US), that transfer is protected by appropriate safeguards — UK “adequacy” regulations, the UK Extension to the EU–US Data Privacy Framework, or the International Data Transfer Addendum to the EU Standard Contractual Clauses, as applicable to each provider.

7. How long we keep data

We keep personal data only as long as needed for the purposes above, or as required by law (e.g. tax/accounting records). When you delete your account, we delete or anonymise your personal data within 30 days, except where we must retain limited records to meet a legal obligation.

8. Your rights

Under UK GDPR you can ask to: access your data; correct it; delete it; restrict or object to processing; and receive a portable copy. To exercise any right, email privacy@sheetsyncmtd.co.uk. You can also complain to the Information Commissioner’s Office (ICO)at ico.org.uk, though we’d appreciate the chance to help first.

9. Cookies

SheetSync uses only the essential cookies needed to sign you in and keep your session secure. We do not use advertising or cross-site tracking cookies.

10. Security

We encrypt your HMRC tokens at rest, sign you in without a stored password (magic link), and never store your tax figures. No system is perfectly secure, but we take reasonable technical and organisational measures to protect your data.

Data breaches. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will report it to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to you, we will also notify you without undue delay.

11. Changes to this policy

We may update this policy; we’ll post the new version here and update the “Last updated” date. Significant changes will be notified by email.

12. Contact

privacy@sheetsyncmtd.co.uk · Samuel Stevens, trading as SheetSync, Flat 3 Camberwell House, 89 Havisham Drive, Swindon, SN25 1BS.