Privacy Policy

Last updated: 1 March 2026

Effective from: 1 March 2026

Applies to: All consumer-facing services operated by Almost Legal Limited, including FightFines, FightMyFines, CancelMyParkingTicket, AppealMyParkingTicket, CancelMyCitation, AppealMyCitation, ToolyKit, CarDamageAdvisor, WriteMyLegalLetter, and ImproveMyResume.

1. Who we are

This service is operated by Almost Legal Limited, a company incorporated in the Isle of Man under company number 139020C, with its registered office at 9 Tynwald Street, Douglas, IM1 1BF.

Almost Legal Limited is the data controller for personal information collected through this website and any related Almost Legal service. Almost Legal Limited is part of the Muerto Limited group of companies.

Our supervisory authority: The Isle of Man Information Commissioner (https://www.inforights.im).

Our registration: We are registered with the Isle of Man Information Commissioner under registration number [IOM REGISTRATION NUMBER].

Contact for any privacy matter: hello@almostlegal.ai

We have not appointed a Data Protection Officer because we are not legally required to. Privacy enquiries go to the address above.

2. The short version

We’ve designed this service to keep as little of your information as possible.

We don’t store the content you submit (parking ticket details, contract text, dispute information, CV text, etc.) in our own systems.
We don’t store the documents we generate for you in our own systems.
We email the document to you as an attachment so you have a permanent copy under your control.
Some of our service providers — specifically the AI provider that generates your document and the email provider that delivers it — temporarily retain copies for their own operational reasons. We’ve documented exactly what they retain and for how long below.
We keep operational records (your email address, what credits you bought, how many you’ve used) so we can deliver the service.

You can request access, correction, or deletion of your information at any time by emailing hello@almostlegal.ai.

3. The information we collect

We collect three categories of information.

3.1 Account and purchase information

Email address
Payment confirmation (handled by Stripe — we never see your card details)
Number of credits purchased and remaining
Date and amount of each purchase
The brand or product the credits were used for

We use this to deliver the service you’ve paid for and to support you if you contact us.

3.2 Content you submit while using a tool

When you use a tool — for example, plugging a parking ticket into the strength-checker, pasting contract text into WriteMyLegalLetter, or submitting CV details — that content is processed in real time to generate your document. We do not retain a copy of this content in our own database, file storage, or backups. Once your document is generated and delivered, our copy is gone.

The exception is short-lived processing memory while your request is in flight. This is unavoidable — the document literally has to exist in our systems for the seconds or minutes it takes to generate and email it. After that, it’s gone from our infrastructure.

3.3 Standard website information

Your IP address (truncated for analytics purposes)
Browser type and version
Pages visited and the order they were visited
The website that referred you to us, if any

We use this to keep the service running, fix problems, and understand which parts of the service work and which don’t.

4. Where your information goes — our service providers

To deliver this service, we use the providers below. Each one is named, what they do, where they’re located, and what they retain.

4.1 Anthropic (AI provider)

What they do: Process your input to generate the document. They are the AI engine behind every tool we operate.
Where: United States.
What they retain: Anthropic operates under their Commercial Terms of Service. Under those terms, they do not use your data to train their AI models. They retain the input and the generated output for up to 30 days for security and abuse-monitoring purposes, after which it is automatically deleted.
How they’re regulated: We have signed Anthropic’s Data Processing Addendum.
More information: Commercial Terms and privacy.claude.com.

4.2 Resend (email provider)

What they do: Deliver the email containing your generated document to your inbox.
Where: United States.
What they retain: Resend keeps a copy of every email sent through their service — including the email body and any attachments — in their logs and dashboard for the period set by our service plan with them. Resend also keeps point-in-time backups for up to 7 days. After their stated retention period expires, the copy is deleted from their systems.
How they’re regulated: We have signed Resend’s Data Processing Addendum.
More information: Resend privacy policy.

If you’d like the specific retention period that applies to our account with Resend, email hello@almostlegal.ai and we’ll tell you.

4.3 Stripe (payment processor)

What they do: Take your payment and confirm it to us.
Where: Ireland (for EU/UK customers) and United States (corporate parent).
What they retain: Stripe retains your payment details and transaction history under their own privacy policy. They are a separate data controller for the payment data, not our processor.
What they don’t see: They never see the content of your input or the document we generate for you. They only see that a transaction happened.
More information: stripe.com/privacy.

4.4 Vercel (web hosting)

What they do: Host our websites and run the code that generates your document.
Where: United States, with edge servers worldwide.
What they retain: Vercel retains operational logs (which requests happened, how long they took, error rates) for their own service-quality purposes. Our configuration is set so that the request body — i.e. the content you submit — is not written to Vercel’s logs.
More information: Vercel privacy policy.

4.5 Account, authentication, and data storage providers

Different services in our portfolio use different providers for account records and authentication. The list below names every provider we use across the portfolio. Not every brand uses every provider — for example, the creator programme dashboard at almostlegal.ai uses Clerk and Upstash; the consumer tools may use Supabase.

Clerk (authentication)

What they do: Provide the sign-in system on almostlegal.ai (the creator programme dashboard). Hold your email and sign-in metadata while your account is active.
Where: United States.
What they retain: Your email address and authentication metadata. Clerk does not see the content you submit through any tool.
How they’re regulated: We have signed Clerk’s Data Processing Addendum.
More information: clerk.com/legal/privacy.

Upstash (account database)

What they do: Store account records (creator code, email, payout details, credit balance, purchase history) for almostlegal.ai and the credit system used across the portfolio. Operates as a managed Redis service via the Vercel Marketplace.
Where: United States and EU regions.
What they retain: Only the operational data described in Section 3.1 — never the content you submit through a tool, and never the documents we generate.
How they’re regulated: We have signed Upstash’s Data Processing Addendum (via the Vercel Marketplace).
More information: upstash.com/trust/privacy.

Supabase (database and authentication on selected services)

What they do: Where used, store account records and provide the login system for that service.
Where: United States and EU regions.
What they retain: Whatever we’ve configured to be stored — see Section 3.1 above. We have not configured Supabase to store the content you submit or the documents we generate.
More information: supabase.com/privacy.

4.6 No advertising or marketing tracking

We don’t use Meta Pixel, Google Analytics, advertising trackers, retargeting cookies, or session-replay tools on the consumer-facing tools. We may use a privacy-respecting analytics provider on the marketing pages of some of our brands. Where we do, that provider is named on the cookie banner of that specific site.

5. International transfers

Our service providers (Anthropic, Resend, Vercel, Stripe, Clerk, Upstash, Supabase) are based outside the Isle of Man. When your information is transferred to them, the transfer is protected by:

The recognised adequacy decisions between the Isle of Man, the United Kingdom, and the European Union.
The Standard Contractual Clauses contained in our Data Processing Addendums with each provider.
The technical and organisational security measures each provider has in place (encryption in transit, encryption at rest, access controls).

You don’t need to take any action — these protections are in place by default.

6. How long we keep things

What	How long we keep it	Why
Account record (email, credits, purchase history)	For as long as your account is active, plus 6 years after closure	Tax record-keeping requirements
Content you submit through a tool	Not retained by us	We’ve designed the service this way
Document we generate for you	Not retained by us	We’ve designed the service this way
Marketing emails (if you’ve opted in)	Until you unsubscribe	You’re in control
Anonymised website analytics	12 months	Service improvement

The 6-year retention on purchase records exists because tax authorities require us to keep transaction records for that period. We can’t delete your purchase history before that, even if you ask. Everything else, we can.

7. Your rights under data protection law

The Isle of Man has adopted the GDPR through the GDPR and LED Implementing Regulations 2018, supplementing the Data Protection Act 2018. You have the following rights over your personal information.

7.1 The right to be informed

This policy is part of fulfilling that right. If anything is unclear, ask.

7.2 The right of access

You can ask for a copy of every piece of personal information we hold about you. We’ll provide it within 30 days, free of charge unless your request is excessive or repetitive.

7.3 The right to rectification

If anything we hold about you is wrong, tell us and we’ll fix it within 30 days.

7.4 The right to erasure (“right to be forgotten”)

You can ask us to delete your personal information. We’ll do so within 30 days, except for records we’re legally required to keep (the 6-year tax record retention above).

Because we don’t retain the content of what you generated, there’s nothing to delete on that side — your documents only exist in your own inbox and downloads folder.

7.5 The right to restrict processing

You can ask us to stop processing your information in certain circumstances — for example, while we investigate a rectification request.

7.6 The right to data portability

You can ask us for a portable copy of your account data in a structured, machine-readable format.

7.7 The right to object

You can object to our processing of your information for direct marketing at any time. We’ll stop straight away. You can object to other processing on grounds relating to your particular situation, and we’ll consider the request.

7.8 Rights in relation to automated decision-making

We don’t make automated decisions about you that produce legal or similarly significant effects. The strength-check tools generate a verdict on the appeal-worthiness of your case, but the decision to act on that verdict is yours.

7.9 How to exercise any of these rights

Email hello@almostlegal.ai. We’ll acknowledge within a few working days and respond fully within 30 days.

7.10 Your right to complain

If you’re not happy with how we’ve handled your information or your rights request, you can complain to:

Isle of Man Information Commissioner
PO Box 69, Douglas, Isle of Man, IM99 1EQ
Telephone: +44 1624 693260
Email: ask@inforights.im
Website: https://www.inforights.im

If you live in the UK or the EU, you can also complain to your local data protection authority. We’d appreciate the chance to fix the problem first if you’re willing — but you don’t have to come to us before going to a regulator.

8. Cookies and similar technologies

We use only essential cookies on the consumer-facing tools — the ones strictly necessary to keep you logged in and to remember your shopping basket. We don’t use marketing or advertising cookies on these tools.

On our marketing pages, we may use a small number of analytics cookies. These are listed in the cookie banner on each marketing page and you can decline them.

9. Children’s privacy

Our services are not directed at children under the age of 18 and we don’t knowingly collect personal information from anyone under 18. If you believe a child has used our services, contact us at hello@almostlegal.ai and we’ll delete the relevant information.

10. Security

We use industry-standard measures to protect your information:

TLS 1.2+ encryption in transit on every connection.
Encryption at rest on every database and object store we operate.
Multi-factor authentication on every administrative account.
Principle of least privilege — only the people who need access to do their job have access.
Regular review of which third-party services have access to your data.

No system is perfectly secure. If something goes wrong, we’ll tell you and the IoM Information Commissioner within 72 hours of becoming aware, as the law requires.

11. Changes to this policy

We’ll update this policy when our services or the law changes. The “Last updated” date at the top of the page tells you when. Material changes will be communicated by email to active customers and prominently on our websites.

12. Questions

Email hello@almostlegal.ai. We read everything that arrives there and we respond.

This policy applies to Almost Legal Limited and the consumer-facing services it operates. The Muerto Limited holding company does not directly process consumer personal data and is named here only for ownership transparency.