Legal & Compliance

Privacy Notice

Last updated: May 2026  ·  Version 1.0

Contents

  1. Who we are
  2. What data we collect
  3. Why we collect it (purpose and lawful basis)
  4. How we process your information
  5. Special category data
  6. Who we share data with
  7. How long we keep data
  8. Your rights
  9. Security
  10. International transfers
  11. Contact and complaints

1. Who we are

Dueback is the data controller for personal data processed through this website. We are a UK-based document preparation and submission service that helps households apply for council tax discounts, exemptions, and reductions. We prepare and submit the relevant correspondence to your billing authority on your behalf, with your explicit written consent.

Note: you can apply to your local council directly, for free, without using this service. Dueback charges £7.99 to prepare and submit the paperwork on your behalf.

For data protection enquiries, please contact us at: privacy@dueback.co.uk

2. What data we collect

We collect only the minimum personal data necessary to provide the service:

Field | Purpose
Email address | To send you your claim pack and follow-up notifications
Postcode | To identify your local council authority and council tax area
Council tax band | To calculate potential savings and verify your current charge
Annual council tax bill | To estimate the size of any potential saving
Number of adults | To assess eligibility for single-person discount
Age range | To assess eligibility for pension-age council tax reductions
Full-time students | To assess student discount or exemption eligibility
Disability status / SMI | Special category data — see section 5
Live-in carers | To assess carer disregard eligibility

3. Why we collect it — purpose and lawful basis

We process your personal data under the following lawful bases (UK GDPR Article 6):

  • Performance of a contract (Article 6(1)(b)): analysing your household circumstances, generating your personalised application pack, and submitting it to your billing authority — the core service you have requested.
  • Legitimate interests (Article 6(1)(f)): storing anonymised analysis data to improve service accuracy.
  • Explicit consent (Article 6(1)(a)): sharing your personal data with your local billing authority when we submit your application. You give this consent by signing the authority declaration at the submission stage. You may withdraw consent at any time before submission.

We collect data only for the purposes described above (purpose limitation). We do not use your data for marketing, profiling, or selling to third parties.

4. How we process your information

Dueback uses an automated analysis system to evaluate your household data and generate a personalised savings report and council letter. The system does not make binding decisions — it produces a draft analysis used as a starting point for your claim pack. You review the output before anything is sent to your council.

AI and special category data: raw health, disability, or immigration details you provide (such as a diagnosed condition or benefit type) are never sent to the AI system in their original form. We convert your answers into anonymised eligibility flags (e.g. "qualifies for SMI disregard: yes") before any data is passed to the AI for analysis. The AI sees only these pre-computed flags, not the underlying sensitive information.

We maintain an audit trail of analysis inputs and outputs to support transparency and incident response, in accordance with ICO guidance on automated processing.

Your data is processed by a third-party analysis service under a Data Processing Addendum (DPA) between Dueback and that processor, as required by UK GDPR Article 28. The processor does not use submitted data to improve or train its models by default, and all data is processed under confidentiality obligations. You can request a summary of our DPA arrangements by emailing privacy@dueback.co.uk.

5. Special category data

If you indicate that a resident has a disability or severe mental impairment (SMI), this constitutes special category data under UK GDPR Article 9.

We process this data only:

  • with your explicit consent, given via the declaration checkbox at the claim pack stage;
  • for the narrow purpose of preparing a council tax reduction claim pack;
  • and in accordance with our Data Protection Impact Assessment (DPIA) for this workflow.

You may withdraw this consent at any time by contacting us. Withdrawal does not affect processing that has already taken place.

6. Who we share data with — sub-processors

We share your personal data only in the following circumstances:

  • Your local council: with your explicit consent, when we submit your claim. Only the data necessary for the claim is included in the letter.
  • OpenAI (AI analysis service — US): anonymised, pre-computed eligibility flags are sent to generate your savings report and claim letter. Raw health, disability, or immigration data is never included. Covered by a Data Processing Addendum.
  • MongoDB Atlas (database — EU/UK): your order records, consent logs, and claim status are stored in a managed cloud database. Data is encrypted at rest and in transit.
  • Vercel Blob (document storage — US): supporting documents you upload (e.g. benefit letters) are stored in Vercel's managed blob storage and deleted after 6 months.
  • Stripe (payment processing — US): if you purchase a paid service, your payment data is handled entirely by Stripe. We do not store card numbers or CVV details.
  • SMTP email provider: we use a transactional email provider to send you confirmation, status update, and claim pack emails. Only your email address and the content of the relevant email are shared.

We do not sell, rent, or trade your personal data to any third party. Each sub-processor is bound by a data processing agreement (DPA) or standard contractual clauses (SCCs) as required by UK GDPR Article 28 and the UK Addendum to the EU SCCs. A full sub-processor register — including transfer mechanisms, DPA status, and data types — is available at dueback.co.uk/sub-processor-register.

7. How long we keep data

We retain your personal data only for as long as necessary to fulfil the purposes described above, or as required by law. Our retention schedule is:

Data category | Retention period
Consent records and authority declarations | 30 days after claim fully resolved, then deleted
Uploaded supporting documents (Vercel Blob) | 6 months from upload date, then automatically deleted
AI analysis records | 12 months from date of analysis
Email communications (status updates, pack delivery) | 30 days after claim resolved
Signature images | 30 days after claim resolved, then deleted
Order records (non-special category fields) | 6 years from order date, in line with limitation period for contractual claims
Special category data (disability/SMI/immigration flags) | Deleted or anonymised within 30 days of claim resolution

You may request early deletion of your data at any time by emailing data@dueback.co.uk. See section 8 for your full rights.

8. Your rights

Under UK GDPR you have the following rights:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right of rectification: You may ask us to correct inaccurate data.
  • Right of erasure: You may ask us to delete your data, subject to legal obligations.
  • Right to object: You may object to processing based on legitimate interests.
  • Right to restrict processing: You may ask us to pause processing while a dispute is resolved.
  • Right to data portability: Where technically feasible, you may request your data in a machine-readable format.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights — including making a Subject Access Request (SAR) or requesting erasure of your data — contact us at: data@dueback.co.uk

Please include your full name, email address, and order reference number (if applicable). We will respond within 30 days (one calendar month). Where a request is complex, we may extend this by a further two months and will notify you within the first 30 days if an extension is needed.

Data portability: you can request a copy of your order data and form answers in JSON format. Email data@dueback.co.uk with your order reference and we will provide a machine-readable export within 30 days.

9. Security

We use industry-standard technical and organisational measures to protect your data, including HTTPS/TLS for all data in transit and access controls on stored data. No system is completely secure; if you have concerns about a specific interaction, please contact us.

10. International transfers

Your data is processed in the UK. Where it is transferred to processors based outside the UK, we rely on Standard Contractual Clauses (SCCs) and data processing agreements as the transfer safeguard, in line with ICO guidance on international transfers.

11. Contact and complaints

For any data protection questions, to exercise your rights, or to make a complaint, contact us at: privacy@dueback.co.uk

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint
