Privacy policy.
How RobinReturn collects, uses, stores, and shares personal and business data. Plain-language draft — final version pending legal review.
Draft notice. This document is a working draft. Where this page and the final policy disagree, the final policy will govern. For the current binding version write to hello@robinreturn.co.uk.
1. Controller
RobinReturn is the data controller for personal data processed through the platform. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What we collect
- Account data: name, email, business name, telephone, billing address, password hash.
- Case data: invoice details, debtor contact details, payment terms, the underlying contract or work record.
- Payment data: handled by Stripe; we never see your full card number, only a token and the last four digits.
- Usage data: log lines, IP address, browser, time stamps — used to keep the platform secure and improve it.
We do not collect special-category personal data (health, biometrics, etc.) and do not knowingly collect data from children.
3. Why we collect it (lawful bases)
- Contract: to provide the services you sign up for — drafting reminders, Letter Before Action, claim forms.
- Legal obligation: to keep audit trails, accounting records, anti-money-laundering checks where applicable.
- Legitimate interest: to improve the platform, prevent fraud and abuse, and contact you about your cases.
4. Processors and sub-processors
We rely on these third parties to operate the platform:
- Cloudflare — DNS, CDN, DDoS protection, hosting for the marketing site.
- Hetzner — server infrastructure for the SaaS app, located in the EU.
- Clerk — authentication and user accounts.
- Stripe — payment processing.
- Resend — outbound email delivery.
- Sentry — error monitoring.
We have data-processing agreements with each. None of them sells your data.
5. How long we keep it
Active case data is retained while your account is active and for six years after closure, in line with HMRC and legal limitation periods. Marketing analytics are retained for 26 months. You can request earlier deletion subject to our legal obligations.
6. International transfers
We keep production data in the UK / EU where possible. Where a sub-processor operates outside the UK / EEA (e.g. Stripe), the transfer is covered by the UK International Data Transfer Agreement or equivalent UK–EU adequacy provisions.
7. Your rights
You have the right to:
- Access the personal data we hold about you.
- Correct it if it is inaccurate.
- Erase it (subject to our legal obligations to retain).
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent where consent is the lawful basis.
To exercise any of these, write to hello@robinreturn.co.uk. We will respond within one calendar month.
8. Security
Data is encrypted in transit (TLS) and at rest. Production databases are accessible only via private networks. Access to personal data is restricted to staff who need it to operate the platform. We follow industry-standard security practices and review them regularly.
9. Cookies and similar storage
The marketing site groups cookies and similar browser storage into four categories. You can choose which categories to accept when you first arrive and change your mind any time via the Cookie settings link in the footer.
- Strictly necessary. Required for the site to work safely. Today this is Cloudflare’s bot-management cookie (__cf_bm) and challenge cookie (cf_clearance), plus the local-storage entry (rr-consent) that remembers your cookie choice. Cannot be switched off.
- Functional. Optional storage that remembers preferences improving repeat visits. Currently unused.
- Analytics. Aggregate, anonymised data about which pages are read so we can improve content. We do not profile individual visitors. Currently we use Cloudflare Web Analytics where enabled, which is cookieless and privacy-friendly.
- Marketing. Cookies that would measure the effectiveness of future advertising or social campaigns. Currently unused.
Google Consent Mode v2. The site defaults all non-essential consent signals to denied until you choose. If you have enabled Global Privacy Control (GPC) in your browser, we honour it automatically and never load analytics or marketing storage.
The SaaS app (app.robinreturn.co.uk) uses authentication cookies set by Clerk and a small number of first-party cookies for state and security. Those cookies are functionally necessary to keep you signed in.
10. Debtor and other third-party personal data
Provisional — under solicitor review (ROB-288). A case file usually contains personal data about your debtor — for example a contact name, business details and the invoice history. Where the debtor is an individual or a sole trader, that information is their personal data under UK GDPR even though they do not hold a RobinReturn account.
- We process debtor personal data only to provide the recovery workflow you ask us to — drafting reminders, a Letter Before Action and claim documents — and to keep the audit trail those documents require.
- A debtor is a data subject and may have rights over the personal data we hold about them. Because that data originates from your case, we will work with you to handle any such request.
- Debtor personal data is protected by the same security controls (section 8) and kept for the same six-year period as the rest of the case file (section 5).
The precise controller and processor responsibilities and the lawful basis for debtor data are being finalised with our solicitor and will be set out in the final version of this policy.
11. Complaints
If you are not happy with how we handle your data, please tell us first at hello@robinreturn.co.uk so we can put it right. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.