Privacy Policy
In plain English. No legal jargon. Last updated 5 June 2026.
- We collect your email, name, password (encrypted), the letters you generate and any documents you upload.
- We use this data to give you the service. We do not sell it. We do not share it for advertising.
- Your letter content is sent to Anthropic (the AI maker) for processing. Anthropic does not use it to train their models.
- We keep your data while your account is active and for 30 days after you close it, except where law requires longer.
- You have UK GDPR rights to see your data, correct it, export it or delete it. Email hello@fightingback.uk.
1. Who we are and what this policy covers
Creative Sauce Ltd is the data controller for Fightingback. We are responsible for what happens to your personal data when you use Fightingback.
This policy explains what data we collect, why, who else sees it, how long we keep it, and what rights you have. It applies to fightingback.uk and any Fightingback subdomain or app.
2. What we collect
When you sign up:
- Your name (so we can address letters and emails to you).
- Your email address (your login and how we contact you).
- Your password (stored as a one-way hash; we cannot read it back).
- The fact you ticked the Terms checkbox, with a timestamp.
When you use Fightingback:
- The questions you answer to generate a letter (e.g. PCN number, landlord name, dates).
- The letters we generate for you. Stored against your account so you can come back to them.
- Any documents you upload to Decoded.
- Your conversations with the Fightingback chatbot widget. We retain these for 30 days for quality and safeguarding review, then they are deleted. We do not share them with anyone and they are never used for advertising.
- Technical info: browser, device, IP address, page views, when you logged in.
- If you subscribe: your Stripe customer ID and subscription status. We do not see or store your card number.
3. Why we use it (and our legal basis)
We use your data for these reasons:
- To run the service - generate your letters, show your account, take payment. Legal basis: contract.
- To improve the service - look at aggregated patterns (which tools are popular, where users get stuck). We anonymise before doing this. Legal basis: legitimate interest.
- To prevent abuse - bot defence, rate limiting, account security. Legal basis: legitimate interest.
- To communicate with you - service emails (welcome, password reset, billing). Legal basis: contract.
- For marketing nurture emails - if you opted in. You can opt out anytime in Settings. Legal basis: consent.
- To comply with the law - keeping records HMRC requires us to keep, responding to legitimate authority requests. Legal basis: legal obligation.
4. Who else sees it
We use these third-party services to run Fightingback. Each only sees the data it needs:
- Anthropic (USA) - the AI that drafts your letters. Receives the question content and any document text. Does not use it to train models. Anthropic privacy policy.
- OpenAI (USA) - generates the small vector embedding used by our learning system. Receives a short summary of the letter category. OpenAI privacy policy.
- Supabase (EU) - our database. Stores your account and letter history.
- Vercel (EU/USA) - hosts our website and APIs.
- Stripe (UK/USA) - takes payment if you subscribe. They see card details; we do not.
- Brevo (EU) - sends our transactional emails.
- Upstash (EU) - rate limiting (sees IP address only).
- Google Analytics - anonymised page-view stats so we know what is working.
We do not sell your data. We do not share it for advertising. We do not transfer it to any other third party without your consent, except where the law forces us to (for example, in response to a court order).
5. How long we keep it
- Active account - all the data above, for as long as you have an account.
- Closed account - personal data deleted within 30 days. Anonymised usage stats (without your identity) may remain in our analytics.
- Billing records - we keep invoice and payment records for 7 years where HMRC requires it.
- Letters and documents - deleted when your account is deleted.
- Backups - we hold encrypted database backups for up to 30 days for disaster recovery.
6. Your rights under UK GDPR
You have the right to:
- See what data we hold about you (Subject Access Request).
- Correct anything wrong.
- Ask us to delete your data ("right to be forgotten").
- Export your data in a portable format.
- Object to certain processing (e.g. marketing).
- Withdraw consent at any time (for the things you consented to).
- Complain to the UK Information Commissioner's Office at ico.org.uk if you think we have got it wrong.
To exercise any of these, email hello@fightingback.uk. We will respond within 30 days.
7. Cookies
We use a small number of cookies, all of which are either strictly necessary or used for analytics. See our Cookie Policy for the full list and how to turn analytics off.
8. Children
Fightingback is for adults (18+). We do not knowingly collect data from anyone under 18. If you believe a child has an account, email us and we will close it.
9. Changes to this policy
If we change this policy materially, we will email you. The version in force is shown at the bottom of the page.