Legal

Privacy Policy

Last updated: May 2026

Who we are
What data we collect
Legal basis
How we use it
Third-party processors
Retention
Your rights
Cookies
International transfers
Updates
Contact

1. Who we are

FineBeater is operated by MD PORTRAITS & EVENTS LTD (Company No. 15832934), a company registered in England & Wales. We are the data controller for all personal data processed through the FineBeater service.

If you have questions about how we handle your data, email us at support@finebeater.win.

2. What data we collect

We collect only what we need to run the service:

Account information — your email address when you register, and your name if you sign in via Google OAuth.
Fine notice images and extracted text — each image you upload, plus the text and structured data our system extracts from it. These are stored on a per-case basis and linked to your account.
Payment data — handled entirely by Stripe. We never see your card number, sort code, or full bank details. We receive only a payment confirmation and a Stripe customer reference.
Outcome reports — if you voluntarily tell us the result of your appeal (won, lost, conceded, etc.), we record that against your case.
Server logs — IP address, user-agent string, and request timestamps, retained for security purposes and not linked to your personal profile beyond what is necessary for fraud detection.

3. Legal basis

We process your personal data under UK GDPR on the following bases:

Article 6(1)(b) — contract performance: processing your fine notice, generating your appeal letter, and sending transactional emails are all necessary to deliver the service you have requested.
Article 6(1)(f) — legitimate interests: we have a legitimate interest in detecting fraud, preventing abuse of the service, and using anonymised aggregate statistics (operator name + location only — no user identifiers) to improve our hotspot intelligence product.

4. How we use it

Generate your appeal letter and evidence checklist using our AI-assisted analysis engine.
Send transactional emails: magic-link sign-in codes, paid-pack-ready notifications, and appeal deadline reminders.
Aggregate anonymised hotspot statistics. These aggregates contain operator name and approximate location only — no user identifiers, no case identifiers, and no outcome details that could be traced back to an individual. This is in accordance with our hotspot privacy policy (SP16-T8).
Detect and prevent fraud, account sharing, and abuse of the service.

We do not sell your data to third parties, use it for advertising, or share it with insurers, enforcement authorities, or parking operators.

5. Third-party processors

We share data with the following processors under written data-processing agreements:

Stripe — payment processing. Stripe is an independent data controller for payment data under its own privacy policy.
Anthropic — AI language model used to draft your appeal letter. Fine notice text (not images) may be sent to Anthropic's API for processing.
Google — Gemini API for document image extraction, and Google OAuth for sign-in. Google is an independent data controller for OAuth data. Image data may be processed by Google's API services.
Email SMTP provider — your email address and transactional email content are processed by our configured mail server to deliver service emails.

6. Retention

Authenticated user case data: retained for a minimum of 365 days from creation.
Anonymous free-scan results: expire after 10 days and are not linked to any personal identifier.
Anonymised outcome aggregates: retained indefinitely in anonymised form for product improvement and hotspot intelligence.
Server logs: retained for 90 days, then purged.

7. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you.
Rectify inaccurate data.
Delete your account and associated case data (right to erasure).
Port your data to another service in a machine-readable format.
Object to processing based on legitimate interests.
Restrict processing while a dispute is resolved.

To exercise any of these rights, email support@finebeater.win. We will respond within 30 calendar days. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office.

8. Cookies

We use only two essential cookies. We do not use marketing, analytics, or advertising cookies.

session_token — a secure, HttpOnly cookie that keeps you signed in. Expires when your session ends or after 30 days, whichever comes first.
stripe.com cookies — set by Stripe during checkout to prevent fraud. These are Stripe's cookies, not ours; see Stripe's Privacy Policy.

A cookie consent banner is shown on your first visit. Your preference is stored in localStorage — not in a cookie — so it persists across sessions without additional tracking.

9. International transfers

Anthropic and Google operate data centres outside the United Kingdom. Where data is transferred to a country not deemed adequate by the UK ICO, both providers are bound by Standard Contractual Clauses (SCCs) under UK GDPR Article 46, ensuring an equivalent level of protection.

10. Updates to this policy

If we make material changes to how we process your personal data, we will notify you by email at least 14 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Your continued use of FineBeater after the effective date constitutes acceptance of the updated policy.

11. Contact

Data controller: MD PORTRAITS & EVENTS LTD, Company No. 15832934.

For all data protection enquiries: support@finebeater.win.