Privacy Policy

Last updated: 21 April 2026

1. Who we are

Basics is a trading name of SGAA Limited, a company registered in England and Wales (company number 16871943). Our registered office is 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ. When we say “we”, “us”, or “our” in this policy, we mean SGAA Limited.

This policy covers both our website (get-basics.com) and the Basics product — the dashboard you sign into to manage your UK limited company’s formation, filings, and compliance.

SGAA Limited is the data controller for personal data processed under this policy. If you have questions, contact us at [email protected].

2. What we collect and why

We organise data by category. For each one, the table below sets out what it is, where it comes from, why we use it, and our lawful basis under UK GDPR.

Category	What	Source	Why	Lawful basis
Account data	Name, email address, hashed password, account preferences, and any two-factor authentication secrets you enrol.	You, when you sign up.	To create and secure your account, authenticate you, and send service-related messages.	Performance of our contract with you (Art. 6(1)(b)).
Company data	Company number, registered office, officer and PSC details, share structure, SIC codes, and related records.	You directly, plus public-register data fetched from Companies House to keep your dashboard in sync.	To operate the dashboard, pre-populate filings, and track your compliance obligations.	Performance of our contract with you.
Filings data	The information you submit through Basics to Companies House or HMRC — for example the IN01 incorporation form, CS01, annual accounts, or CT600.	You. We assemble and transmit on your behalf; by using Basics to file, you authorise us to act as your filing agent.	To submit your filings to the correct authority and keep a record of what was filed, as required by UK company law.	Performance of contract (Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c)).
Identity verification data	The verification outcome and a reference to it, plus access to the original ID document images, biometric selfie, and liveness data held on our identity-verification provider’s platform. We hold this data in our capacity as an Authorised Corporate Service Provider (ACSP).	You, submitted to our identity-verification provider during the verification flow.	To meet our obligations as an Authorised Corporate Service Provider under the UK’s Economic Crime and Corporate Transparency Act, which requires us to verify the identity of directors and PSCs before filing on their behalf.	Your explicit consent to processing of special-category biometric data (Art. 9(2)(a)) plus compliance with a legal obligation (Art. 6(1)(c)).
Payment data	A payment-processor customer identifier, the amount and date of each payment, the last four digits of your card, and the payment status. We don’t receive or store your full card number, expiry, or CVC.	Our payment processor’s hosted checkout. Card details are captured by the payment processor directly.	To process payments, issue refunds, and keep financial records.	Performance of our contract with you and compliance with our own tax-record obligations.
Technical data	IP address, device and browser information, pages visited, and timestamped request logs — including authentication events and significant actions in the dashboard.	Collected automatically when you use the website or product.	To keep the service secure, diagnose problems, and maintain an authentic record of actions taken.	Our legitimate interest in operating a secure and reliable service (Art. 6(1)(f)).
Communications	Emails you send us, in-product messages, and support correspondence.	You.	To respond to your questions and keep a record for continuity.	Performance of contract and our legitimate interest in providing support.

3. Who we share it with

We only share data with service providers we need to run the service. Each one is contractually bound to process data on our instructions and to meet UK GDPR standards. We share data with the following categories of recipient:

Hosting and database providers — to run our application and store your data.
Network and security providers — for content delivery, DNS, and bot protection.
Payment processors — to take payments and issue refunds. They hold your card details; we don’t.
Identity-verification providers — to run the ID check required by UK law. They hold your original ID documents and biometric data; we store only the verification outcome.
Email delivery providers — for transactional email (sign-up confirmations, reminders, support replies).
Registered-office and mail-handling providers — only if you use our Virtual Addresses service, to receive and digitise your postal mail.
UK government bodies — Companies House and HMRC, when we file on your behalf, as required to complete each filing.

We don’t sell your personal data to anyone, for any purpose.

4. International transfers

Some of our service providers may be based outside the UK or EEA, or route traffic through infrastructure outside it — including network and security providers, payment processors, and identity-verification providers. In those cases, your personal data may be transferred outside the UK or EEA to countries including the United States.

Where personal data is transferred outside the UK or EEA, the transfer is covered by the UK’s International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs), together with any additional safeguards the provider operates.

5. How long we keep it

We keep personal data only as long as we need it. Our current retention floors, by category, are:

Account data — retained while your account is active; deleted 30 days after you close your account.
Company data (your company links) — retained while active; 1 year after deletion for restore/audit.
Formations and service orders — 2 years after deletion.
Filings submitted to Companies House or HMRC — 7 years from submission (the statutory retention period for company and tax records).
Identity verification records — 7 years (UK anti-money-laundering / KYC retention).
Payment and refund records — 7 years (UK tax-record retention).
Audit log of security-relevant events — 7 years.
Payment webhook events — 2 years.
API keys — 30 days after you revoke them.

Where the law requires us to keep records for longer (HMRC, Companies House, anti-money-laundering), statutory retention overrides the floors above.

6. How we protect it

We apply appropriate technical and organisational security measures. For the detail, see our Security page.

7. Your rights

Under UK GDPR, you have the right to:

Access — ask for a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — ask us to delete your data, subject to our statutory retention obligations.
Restriction — ask us to pause processing while we investigate an issue.
Portability — receive your data in a structured, machine-readable format so you can move it elsewhere.
Objection — object to processing we carry out on the basis of legitimate interests.
Withdraw consent — where we rely on consent (e.g. identity verification), withdraw it at any time. Withdrawal doesn’t affect the lawfulness of processing before the withdrawal.

To exercise any of these rights, email [email protected] or use the tools in your dashboard. We’ll respond within one month.

8. Cookies and analytics

The Basics website does not use advertising or cross-site tracking cookies.

We use a privacy-first, cookieless analytics service provided by our network-security provider to understand how the site is used — for example pages viewed, country, and referrer. It doesn’t set cookies, doesn’t use persistent identifiers, and doesn’t track you across other sites. Only aggregated, pseudonymous data is retained.

Our network-security provider also automatically sets a small number of strictly necessary cookies for bot protection and challenge verification. These cookies are required for site security, aren’t used for analytics or advertising, and you can’t opt out of them without breaking site security.

9. Complaints

If you think we’ve mishandled your personal data, please contact us first at [email protected]. We take complaints seriously and will investigate. From June 2026, under the UK Data (Use and Access) Act 2025, controllers are required to provide a clear internal complaints process — this is ours.

If we don’t resolve your concern, you have the right to complain to the Information Commissioner’s Office (ICO), the UK’s data protection regulator, at ico.org.uk.