Privacy Notice

heyrefund.me ("we", "us", "our") is the data controller for personal data collected through this website and service. We operate at heyrefund.me and can be contacted at [email protected].

This notice explains what personal data we collect, why we collect it, and your rights under UK GDPR and the Data Protection Act 2018.

We collect the following personal data when you use our service:

• Contact information: your email address (collected before payment) and name (collected after payment)
• Case information: details of your complaint — the company involved, amounts, dates, and a description of what happened
• Voice recordings: if you use the voice input feature, we record and transcribe your audio
• Uploaded documents: any files you upload as supporting evidence (receipts, emails, screenshots, policy documents)
• Payment data: payment is processed by our payment provider (Stripe). We do not store your card details
• Usage data: basic technical information such as your browser type, device type, and IP address, collected automatically

We use your personal data to:

• Prepare your complaint letter and case pack
• Communicate with you about your case (status updates, delivery)
• Process your payment
• Improve the accuracy of our AI system (using anonymised and aggregated data only)
• Comply with legal obligations

We do not use your data for marketing without your explicit consent. We do not sell your data to third parties.

We process your personal data on the following legal bases:

• Contract performance (Article 6(1)(b) UK GDPR): processing your case information and contact details is necessary to deliver the service you paid for
• Legitimate interests (Article 6(1)(f) UK GDPR): basic usage analytics to improve the service, fraud prevention, and system security
• Legal obligation (Article 6(1)(c) UK GDPR): retaining transaction records as required by law

We use the following third-party services to deliver our product:

• OpenAI / Anthropic: your case description and conversation are sent to AI model APIs to generate your complaint letter. These providers process data under their own privacy policies and data processing agreements. Data sent to AI APIs is used only to generate your output and is not used to train their models (under our API agreements).
• Stripe: payment processing. Stripe is a PCI-DSS compliant payment provider and processes your payment data under their own privacy policy.

We do not share your personal data with any other third parties except where required by law.

We retain your personal data for the following periods:

• Case information and documents: up to 12 months after your case is closed
• Payment records: 7 years (required by UK law)
• Voice recordings: deleted within 90 days once transcription is complete
• Usage/technical data: 90 days

You may request earlier deletion — see Your Rights below.

Under UK GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data (subject to our legal obligations)
• Restriction — ask us to limit how we use your data
• Data portability — receive your data in a structured, machine-readable format
• Object — object to processing based on legitimate interests

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

If you are not satisfied with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

We use essential cookies only — those required for the site to function (session management, security). We do not use advertising or tracking cookies. No cookie consent banner is required for essential cookies.

We may update this privacy notice from time to time. Material changes will be posted on this page with an updated date. Your continued use of the service after changes are posted constitutes acceptance of the updated notice.

For any privacy-related queries or to exercise your rights, contact us at [email protected].