PayBacker

Privacy Policy

Last updated: 20 March 2026

1. Who we are

Paybacker LTD (“we”, “us”, “our”) is a UK-based service that helps consumers dispute bills, cancel subscriptions, and exercise their rights under UK consumer law. Our website is paybacker.co.uk.

We are registered as a data controller with the Information Commissioner's Office (ICO).

2. What data we collect

Account data

Name, email address, and password (hashed). Collected when you create an account.

Email access (OAuth)

When you connect Gmail or Outlook, we receive a read-only OAuth token. We use this token to scan your emails for billing-related content only. We do not store full email bodies — only the metadata and snippets required to identify savings opportunities. We never send emails on your behalf without your explicit approval of each individual email.

Generated content

Complaint letters and cancellation emails created by our AI are stored so you can access them later. You can delete these at any time.

Payment data

We use Stripe to process payments. We do not store card details — Stripe handles all payment data under PCI-DSS compliance.

Usage data

Pages visited, features used, scan runs, and letter generation counts. Used to improve the product and enforce fair-use limits.

3. How we use your data

  • To provide the Paybacker LTD service — scanning, letter generation, subscription tracking
  • To send you transactional emails (account, billing, complaint status)
  • To enforce plan limits and prevent abuse
  • To improve our AI models and service quality (anonymised and aggregated only)
  • To comply with our legal obligations under UK law

We do not sell your data to third parties. We do not use your data for advertising.

4. Legal basis for processing

Under UK GDPR, we process your data on the following legal bases:

  • Contract — processing necessary to provide the service you signed up for
  • Legitimate interest — product analytics and fraud prevention
  • Consent — email marketing (you can withdraw at any time)

5. Data retention

We retain your account data for as long as your account is active. Email OAuth tokens are retained until you disconnect the integration or delete your account. Generated letters are retained indefinitely so you can access your complaint history, but can be deleted by you at any time. We delete inactive accounts (no login for 24 months) after 30 days' notice.

6. Your rights under UK GDPR

  • Access — request a copy of all data we hold on you
  • Rectification — correct inaccurate data
  • Erasure — delete your account and all associated data (available in Profile → Delete Account)
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interest
  • Restriction — request we limit how we use your data

To exercise any of these rights, email us at privacy@paybacker.co.uk. We will respond within 30 days.

7. Third-party processors

Processor            Purpose                       Location
Supabase             Database, authentication      EU (AWS eu-west-2)
Vercel               Hosting and edge functions    EU
Anthropic (Claude)   AI letter generation          US (SCCs apply)
Stripe               Payment processing            US / EU (SCCs apply)
Resend               Transactional email           US (SCCs apply)
PostHog              Product analytics             EU

8. Cookies

We use strictly necessary cookies for authentication sessions. We use PostHog analytics cookies to understand how users interact with the product. You can opt out of analytics cookies by contacting us, though this does not affect core functionality.

9. Contact & complaints

Email us at privacy@paybacker.co.uk for any data protection queries.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.