
Privacy Policy

Last updated: 29 March 2026  ·  Effective immediately

Zero data storage architecture

easySAR is built on a zero-storage, client-side principle. Your SAR letter is generated entirely within your browser on your own device — your personal data never touches any system we own or operate during this process. If you choose to send automatically, your completed letter passes through Resend (our email delivery provider) solely to deliver it to the recipient organisation. This is the only processing that occurs. No personal data is written to any database or persistent storage at any point.

1. Who we are & how to contact us

easySAR is a free public interest tool operated as an independent project. The data controller is the individual operator of easySAR, trading under the name easySAR.

You can contact us at hello@easysar.org or dpo@easysar.org. We aim to respond to all data-related enquiries within 5 working days.

As easySAR does not store, retain or persistently process any personal data — all processing is transient and in-memory only during the generation and transmission of your SAR letter — we have assessed that ICO registration is not currently required under the relevant exemptions. This position is kept under review.

2. What data we collect

Data you enter into the tool

When you use easySAR, you enter personal information such as your name, address, date of birth, and email address. This information never leaves your device during the letter generation process. Your SAR letter is generated entirely within your browser — on your own device — using only local JavaScript. No data is sent to any server, system, or third party during this stage.

The only point at which your data leaves your device is if you choose to send your SAR automatically. At that point, your completed letter is transmitted directly to Resend (our email delivery provider) solely to deliver it to the recipient organisation's Data Protection Officer. This is the entirety of the processing that occurs. Your personal data is never stored, logged, retained, or accessible to us at any point — before, during, or after this transmission.

If you choose to download a copy of your letter rather than send automatically, no data ever leaves your device at all.

Technical data collected automatically

Like most websites, our web server automatically receives standard technical information when you visit, including:

This data is held in server logs for a maximum of 30 days and used solely for security monitoring and abuse prevention.

Analytics

We use privacy-respecting aggregate analytics to understand how the tool is used. We count anonymous metrics such as total SARs sent, submissions per day, and which organisations are most requested. These are simple counters stored in Upstash Redis (our EU-based data store) and contain no personally identifiable information whatsoever. No tracking cookies, fingerprinting or behavioural profiling is used.

Rate limiting

To prevent abuse, we use localStorage in your browser to record the number of SAR submissions made per day. This data is stored only on your device and is not accessible to us.

3. Legal basis for processing

Where we process any personal data (limited to technical/server log data), our legal basis is:

4. How long we keep data

Server log data (IP addresses, access records) is retained for a maximum of 30 days before automatic deletion. We do not retain any data entered into the SAR tool. Email enquiries sent to us are retained for 12 months.

5. Who we share data with

We do not sell, rent or share your personal data with third parties for marketing purposes. We may share technical data with:

All data processors are bound by UK GDPR-compliant Data Processing Agreements.

6. International transfers

Some of our data processors may transfer or process data outside the UK and EEA:

All international transfers are subject to appropriate safeguards in accordance with UK GDPR Chapter V.

7. Your rights under UK GDPR

You have the following rights regarding any personal data we hold about you:

To exercise any of these rights, contact us at dpo@easysar.org. We will respond within one calendar month.

8. Cookies

easySAR uses minimal cookies. Please see our Cookie Policy for full details. We do not use cookies for advertising or third-party tracking.

9. Security

We implement appropriate technical and organisational measures to protect against unauthorised access, alteration, disclosure or destruction. Because personal data is processed in memory only and never written to any database or persistent storage, the risk of a data breach affecting your SAR information is minimised by design.

10. Children

easySAR is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact dpo@easysar.org and we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. We will notify users of material changes by posting a notice on the homepage. The "last updated" date at the top of this page will always reflect the most recent revision.

13. Common questions about our privacy approach

If you send emails via Resend, doesn't that mean my data is stored by them?

This is a fair and important question. When easySAR sends your SAR letter by email, your letter content passes through Resend's servers to be delivered — exactly as any email passes through an email provider's servers. Resend acts as a data processor on our behalf under a formal Data Processing Agreement.

This is the same legal relationship that exists when any solicitor, GP surgery, bank or other organisation sends you an email — they use an email provider, and your data briefly transits through that provider's infrastructure. This is a necessary and legally recognised form of processing under UK GDPR Article 6(1)(b) (processing necessary to perform a service you have requested).

Resend does not retain email content beyond delivery. Their logs retain metadata (sender, recipient, timestamp, delivery status) for a limited period for delivery tracking — standard across all transactional email services. You can review Resend's privacy policy at resend.com/legal/privacy-policy.

Crucially: easySAR itself never stores your personal data, and your data never touches any system we own. Your letter is generated entirely in your browser. We have no database, no server-side logs of your personal information, and no way to retrieve what you submitted. The only system your data touches (other than your own device) is Resend, solely to deliver your email.

How is this different from other tools that claim zero storage?

Many services claim "we don't store your data" but log extensively on their own servers. easySAR is different — our server-side code (a Cloudflare Worker) processes your data purely in memory for the duration of the send request, typically under two seconds, then that memory is discarded. We have no database, no file storage, and no logging of personal content. The only thing we write to persistent storage is anonymous aggregate counters (total SARs sent, bounce counts) which contain no personal data whatsoever.

Is easySAR itself GDPR compliant?

Yes. easySAR operates under UK GDPR as a data controller in respect of the brief processing necessary to deliver your SAR. The legal basis is Article 6(1)(b) — performance of a service at your request. We have a Data Processing Agreement with Resend, operate a zero-storage architecture, and do not process data beyond what is strictly necessary to deliver your letter.

12. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the ICO:

ico.org.uk/make-a-complaint
Telephone: 0303 123 1113

We would always appreciate the chance to address your concerns directly before you contact the ICO — please email dpo@easysar.org first.
