Privacy policy.

Draft notice. This document is a working draft. Where this page and the final policy disagree, the final policy will govern. For the current binding version write to [email protected].

1. Controller

RobinReturn is the data controller for personal data processed through the platform. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What we collect

• Account data: name, email, business name, telephone, billing address, password hash.
• Case data: invoice details, debtor contact details, payment terms, the underlying contract or work record.
• Payment data: handled by Stripe; we never see your full card number, only a token and the last four digits.
• Usage data: log lines, IP address, browser, time stamps — used to keep the platform secure and improve it.

We do not collect special-category personal data (health, biometrics, etc.) and do not knowingly collect data from children.

3. Why we collect it (lawful bases)

• Contract: to provide the services you sign up for — drafting reminders, Letter Before Action, claim forms.
• Legal obligation: to keep audit trails, accounting records, anti-money-laundering checks where applicable.
• Legitimate interest: to improve the platform, prevent fraud and abuse, and contact you about your cases.

4. Processors and sub-processors

We rely on these third parties to operate the platform:

• Cloudflare — DNS, CDN, DDoS protection, hosting for the marketing site.
• Hetzner — server infrastructure for the SaaS app, located in the EU.
• Clerk — authentication and user accounts.
• Stripe — payment processing.
• Resend — outbound email delivery.
• Sentry — error monitoring.

We have data-processing agreements with each. None of them sells your data.

5. How long we keep it

Active case data is retained while your account is active and for six years after closure, in line with HMRC and legal limitation periods. Marketing analytics are retained for 26 months. You can request earlier deletion subject to our legal obligations.

6. International transfers

We keep production data in the UK / EU where possible. Where a sub-processor operates outside the UK / EEA (e.g. Stripe), the transfer is covered by the UK International Data Transfer Agreement or equivalent UK–EU adequacy provisions.

7. Your rights

You have the right to:

• Access the personal data we hold about you.
• Correct it if it is inaccurate.
• Erase it (subject to our legal obligations to retain).
• Restrict or object to certain processing.
• Receive your data in a portable format.
• Withdraw consent where consent is the lawful basis.

To exercise any of these, write to [email protected]. We will respond within one calendar month.

8. Security

Data is encrypted in transit (TLS) and at rest. Production databases are accessible only via private networks. Access to personal data is restricted to staff who need it to operate the platform. We follow industry-standard security practices and review them regularly.

9. Cookies

The marketing site uses only the cookies needed to keep the site working and to remember your preferences. The SaaS app uses authentication cookies (set by Clerk) and a small number of first-party cookies for state and security.

10. Complaints

If you are not happy with how we handle your data, please tell us first at [email protected] so we can put it right. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.