Privacy Policy
How we collect, use, and protect your personal data.
Last updated:
1. Who we are
Lettr(“Lettr”, “we”, “our”, “us”) is operated as a sole trader based in the United Kingdom, providing the self-service drafting tool at lettr.uk. Lettr is not a law firm and is not regulated by the Solicitors Regulation Authority, the Bar Standards Board, the Financial Conduct Authority or any other legal regulator.
For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”), we are the “data controller” of the personal data we collect through the Service. This Privacy Policy explains what data we collect, why, how we use it, and your rights.
2. What personal data we collect
2.1 Information you provide to us
- Email address — for account access (via magic link) and letter delivery.
- Case details — facts about your dispute that you enter into our intake form (e.g. dates, amounts, names of parties, description of events).
- Recipient details — the name and contact details of the party you intend to send the letter to.
- Payment information — handled by Stripe. We never see or store full card numbers; we receive only a transaction identifier and the last four digits.
- Communications — emails you send us in support requests, complaints, or feedback.
2.2 Information we collect automatically
- Usage data — pages visited, features used, links clicked, time on page.
- Device data — browser type, operating system, screen size, language preference.
- IP address and approximate location — for security, fraud prevention, and to determine the country (we do not track precise geolocation).
- Cookies and similar technologies — see our Cookie Policy.
2.3 Information from third parties
- Stripe — payment confirmations and refund records.
- Anthropic — letter content generated by their AI in response to the case details we send.
- Email engagement — opens and clicks of our transactional emails (via Resend).
We do not buy, rent, or otherwise acquire personal data from data brokers, social platforms, or advertising networks.
3. Why we use your data and our legal bases
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Generate and deliver the legal letter you ordered | Performance of a contract (Art. 6(1)(b)) |
| Process payment for the Service | Performance of a contract |
| Send service emails (delivery, account, security) | Performance of a contract |
| Marketing emails (only with your consent) | Consent (Art. 6(1)(a)) |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interests |
| Compliance with tax, accounting and legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have completed a balancing assessment and concluded that our interest does not override your rights and freedoms. You may object at any time (see Section 7).
You can withdraw your consent for marketing emails at any time using the unsubscribe link in any marketing email or by contacting privacy@lettr.uk.
4. How long we keep your data
- Generated letters and case data — 7 years from generation (consistent with the limitation period for contract claims under English law).
- Account data — until you delete your account, or 3 years of inactivity, whichever is sooner.
- Payment records — 7 years (HMRC requirement).
- Marketing consent records — until withdrawn, plus 2 years thereafter for evidential purposes.
- Server access logs — 30 days.
- Backups — 14 days rolling, then deleted.
You can request earlier deletion under your right to erasure (see Section 7), subject to our legal obligations.
5. Who we share data with
We share personal data only with the following processors, each subject to a written data processing agreement compliant with UK GDPR Article 28:
- Stripe Payments Europe Ltd (payment processing) — Republic of Ireland.
- Anthropic PBC (AI letter generation) — United States. Transfers are made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses.
- Resend Inc. (transactional email delivery) — United States. Same safeguards as above.
- Hetzner Online GmbH (hosting infrastructure) — Germany.
- Cloudflare Inc. (DNS, DDoS protection) — United States, with UK SCCs.
We do not sell, rent, or otherwise transfer personal data to advertising networks or data brokers. Where we use marketing cookies (e.g. Meta Pixel) to measure ad performance, we do so only with your explicit consent — see our Cookie Policy.
We may also disclose personal data where required by law (court order, regulator, fraud investigation, or to protect the safety of any person).
6. International data transfers
Some of our processors operate outside the UK (notably Anthropic, Resend, and Cloudflare in the United States). For such transfers, we use one of the following safeguards as required by UK GDPR Article 46:
- The UK International Data Transfer Agreement (IDTA);
- The UK Addendum to the EU Commission’s Standard Contractual Clauses; or
- UK adequacy regulations, where the receiving country is recognised as offering an adequate level of protection.
7. Your rights
Under UK GDPR you have the right to:
- Access — receive a copy of the personal data we hold about you (Article 15).
- Rectification — correct inaccurate or incomplete data (Article 16).
- Erasure— also known as the “right to be forgotten” (Article 17).
- Restriction — pause processing in certain circumstances (Article 18).
- Data portability — receive your data in a machine- readable format (Article 20).
- Object — to processing based on legitimate interests or for direct marketing (Article 21).
- Withdraw consent — at any time, where processing is based on consent.
- Not be subject to solely-automated decisions with legal or similarly significant effect (Article 22).
To exercise any right, email privacy@lettr.uk. We will respond within one month. There is no fee, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse).
8. Cookies
Our use of cookies and similar technologies is described in our separate Cookie Policy.
9. Security
We protect personal data using technical and organisational measures, including:
- Encryption in transit (TLS 1.3 via Caddy and Let’s Encrypt);
- Encryption at rest for the database storage volume;
- Strict access controls (passwordless authentication, session-based admin gate);
- Regular security updates and dependency patching;
- Audit logs for administrative access;
- Off-site encrypted backups, retained for 14 days.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours and the affected individuals without undue delay where required.
10. Children
Lettr is intended for users aged 18 and over. We do not knowingly collect personal data from children under 18. If you believe a child has submitted data to us, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be notified to registered users by email at least 30 days before they take effect.
12. Complaints
If you are unhappy with how we handle your personal data, please contact us first at privacy@lettr.ukso we can try to resolve your concern. You also have the right to complain to the UK Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
13. Contact
Data controller: Lettr (sole trader, United Kingdom)
Email: privacy@lettr.uk
ICO registration: in progress (will be completed prior to scaling beyond initial pilot users)