Privacy Policy
Last updated: 8 May 2025
1. Who we are
The Unclaimed Billions Project is operated by Cassius Group Limited (“we”, “us”, “our”), the data controller for your personal information.
If you have any questions about how we handle your data, please contact us via our contact form.
2. Our approach to your data
This Service is built around a simple principle: we don’t want your data.
- There are no user accounts.
- Your personal information is never stored on our servers.
- All data you enter stays in your browser’s local storage until you clear it.
- Payslip images are processed in memory and immediately discarded - they are never saved to disk on our servers.
3. What data we collect and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Name, address | Included in your HMRC claim letter as the claimant | Contract performance |
| National Insurance number | Required by HMRC to identify your tax record | Contract performance |
| Employer name, PAYE reference | Required by HMRC to verify pension contributions | Contract performance |
| Salary, pension contributions | Used to calculate tax relief amounts | Contract performance |
| Bank details (sort code, account number) | Included in letter so HMRC can pay your refund via BACS | Contract performance |
| Payslip images | Analysed to extract employment and pension data; optionally attached as evidence | Contract performance |
| Payment card details | Processed by Stripe to collect the £30 fee (we never see full card details) | Contract performance |
| Contact form submissions (name, email, message, attachments) | To respond to your enquiry or process a refund request | Legitimate interests |
4. Third-party processors
We use a small number of trusted third parties to deliver the Service. Your personal information is only shared with them to the extent necessary:
Google (Gemini API)
Payslip images are sent to Google’s Gemini API for automated data extraction. Google processes these images to return structured text data (employer name, salary, pension contributions, etc.). Images are not used to train Google’s models and are deleted within 30 days.
Stripe
Stripe processes your £30 payment. Stripe is PCI-DSS Level 1 certified. We never see or store your full card number. Stripe retains payment data in accordance with their own privacy policy.
Stannp
Stannp prints and posts your claim letter to HMRC. We send the letter as a pre-rendered PDF - your personal details are embedded in the document only, not passed as separate data fields. Stannp deletes letter data within 30 days of posting.
Vercel
Vercel hosts the website and runs our server-side code. No personal data is stored persistently on Vercel - all processing is stateless and in-memory.
5. Data retention
| Where | Retention |
|---|---|
| Your browser (localStorage) | Until you clear your browser data. You can do this at any time. |
| Our servers | No persistent storage. All data is processed in-memory and discarded immediately. |
| Google (Gemini API) | Payslip images deleted within 30 days. |
| Stannp | Letter PDF deleted within 30 days of posting. |
| Stripe | Payment records retained per Stripe’s privacy policy and legal obligations. |
6. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify any inaccurate data.
- Erase your data (“right to be forgotten”).
- Port your data to another service.
- Object to processing based on legitimate interests.
Because we do not store your personal data on our servers, most of these rights are satisfied automatically. Your data exists only in your own browser and you can delete it at any time by clearing your browser’s local storage.
To exercise any of these rights, or if you have questions, please contact us via our contact form.
7. Cookies
We use only essential cookies required for the website to function (such as maintaining your session during the payment process). We do not use analytics cookies, advertising cookies, or any third-party tracking. No cookie consent banner is needed because we only use strictly necessary cookies.
8. International transfers
Some of our processors (Google, Stripe, Vercel) may process data outside the UK. Where this occurs, transfers are protected by appropriate safeguards including Standard Contractual Clauses approved by the UK Information Commissioner’s Office.
9. Security
We protect your data through the following measures:
- All data is transmitted over HTTPS (encrypted in transit).
- Server-side processing is stateless - no personal data persists after each request.
- Personal information in your HMRC letter is embedded in the PDF only, never sent as structured API fields to third parties.
- Payment processing is handled by Stripe (PCI-DSS Level 1 certified).
10. We do not sell your data
We do not sell, rent, trade, or otherwise share your personal data with third parties for marketing or any purpose other than delivering this Service.
11. Complaints
If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
ico.org.uk/make-a-complaint
12. Changes to this policy
We may update this policy from time to time. Any changes will be posted on this page with an updated revision date.