FightBack — Privacy Policy
Last updated: 9 June 2026
This policy explains what personal data FightBack collects, why, how long we keep it, and what your rights are. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who Is the Data Controller?
The data controller for FightBack is [COMPANY NAME], registered in England and Wales (company number [COMPANY NUMBER]), with registered address at [REGISTERED ADDRESS].
If you have any questions about how we use your data, contact us at [CONTACT EMAIL].
2. What Personal Data We Collect
Account data: your name and email address, collected when you register.
Dispute and chat data: details of your dispute as you describe it through the service, including any uploaded documents (such as letters, invoices, or contracts) and the full conversation history between you and our AI assistant, Sarah.
Payment data: records of transactions, including the amount, date, and type of purchase. Your card details are processed by Stripe and are not stored by FightBack.
Usage data: technical information about how you use the service — pages visited, features used, session duration, device type, and IP address.
3. Why We Collect It and the Lawful Basis
| Data category | Purpose | Lawful basis |
|---|---|---|
| Account data | Creating and managing your account; communicating with you | Contract performance (Article 6(1)(b) UK GDPR) |
| Dispute and chat data | Providing the service — generating correspondence based on your dispute | Contract performance (Article 6(1)(b) UK GDPR) |
| Payment data | Processing transactions and maintaining financial records | Contract performance and legal obligation (Article 6(1)(b) and (c) UK GDPR) |
| Usage data | Improving and maintaining the service | Legitimate interests (Article 6(1)(f) UK GDPR) |
Where we rely on legitimate interests for usage data, those interests are: understanding how the service is used so we can fix problems and improve it. We have assessed this against your interests and rights and do not consider it to override them, given the technical and non-sensitive nature of the data.
4. How Long We Keep Your Data
| Data category | Retention period |
|---|---|
| Account data | For the duration of your account, plus 2 years after closure |
| Dispute and chat data | For the duration of your account, plus 2 years after closure |
| Payment data | 7 years from the date of transaction (to meet legal and tax obligations) |
| Usage data | 13 months on a rolling basis |
Where you ask us to delete your account, we will delete or anonymise your personal data within 30 days, subject to any retention obligations imposed by law (for example, the 7-year retention of payment records).
5. Who We Share Your Data With
We do not sell your personal data. We share it only with the following service providers, each acting as a data processor under our instruction:
Anthropic — provides the AI model that powers the correspondence generation. Dispute descriptions and chat history are transmitted to Anthropic's API to generate letters. Anthropic's data processing terms apply to this transmission.
Neon — provides the PostgreSQL database where your account, dispute, and usage data are stored. Data is held within the European Economic Area.
Stripe — processes payments. Stripe receives your payment card data directly and is subject to PCI DSS compliance standards.
Vercel — hosts the FightBack web application. Your requests pass through Vercel's infrastructure.
Each of these providers is contractually bound to process your data only as necessary to provide their services to us and to maintain appropriate security standards.
We may also disclose personal data if required to do so by law, or where we reasonably believe disclosure is necessary to protect our legal rights or to prevent fraud.
6. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
Access: you can ask us to confirm whether we hold personal data about you and to provide a copy.
Rectification: you can ask us to correct any inaccurate or incomplete data.
Erasure: you can ask us to delete your personal data where there is no longer a lawful reason to keep it. This right is subject to any legal obligation we have to retain certain records.
Restriction: you can ask us to stop using your data in certain ways — for example, while you contest its accuracy.
Portability: you can ask us to provide your account and dispute data in a structured, machine-readable format so you can transfer it to another service.
Objection: you can object to processing based on legitimate interests. If you object, we will stop unless we can demonstrate a compelling legitimate ground that overrides your interests.
To exercise any of these rights, contact us at [CONTACT EMAIL]. We will respond within one month. We may ask you to verify your identity before acting on a request.
7. Cookies
FightBack uses session cookies to keep you logged in while you use the service. These are strictly necessary for the service to function and do not require your consent.
We do not use advertising cookies or third-party tracking cookies.
8. Security
We take reasonable technical and organisational steps to protect your personal data against accidental or unlawful destruction, loss, alteration, or disclosure. These include encrypted data transmission (HTTPS), access controls limiting who within our systems can access your data, and regular security reviews of our infrastructure.
No method of transmission over the internet is completely secure. If you become aware of any security issue affecting your account, contact us at [CONTACT EMAIL] immediately.
9. Changes to This Policy
We may update this privacy policy from time to time. Where changes affect how we use your data in a material way, we will notify you by email or by notice on the platform before the changes take effect. The date at the top of this page shows when the policy was last updated.
10. Your Right to Complain to the ICO
If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.
ICO website: ico.org.uk
ICO helpline: 0303 123 1113
We would encourage you to contact us first at [CONTACT EMAIL] so we have the opportunity to address your concern directly.