Privacy Policy

Last updated: March 2026

1. Who We Are

Sansford Law Limited (trading as “Refund Club”) is the data controller responsible for your personal data. We are a law firm authorised and regulated by the Solicitors Regulation Authority (SRA).

  • Company Name: Sansford Law Limited
  • Company Number: 15376769
  • SRA Number: 8008114
  • Registered Address: 3rd Floor, 45 Albemarle Street, Mayfair, London, W1S 4JL
  • Data Protection Contact: dpo@refundclub.co.uk

2. What Data We Collect

We collect and process the following categories of personal data:

Identity & Contact Information

  • Full name
  • Email address
  • Phone number
  • Date of birth
  • Home address

Financial & Claim Information

  • Bank name, account details, and sort code
  • Details of the fraud (type, amount lost, timeline of events)
  • Payment information related to the fraudulent transaction
  • Supporting documents (bank statements, correspondence, police reports)

Sensitive Information

  • Vulnerability information (health conditions, financial hardship, or other circumstances that may have made you more susceptible to fraud) — collected only with your explicit consent and used solely to strengthen your claim

Technical & Verification Data

  • Electronic signature
  • IP address
  • Device information (browser type, operating system)
  • UTM parameters and referral source

3. Why We Collect Your Data (Lawful Basis)

We rely on the following lawful bases under the UK GDPR:

  • Contract performance — to process your fraud claim and provide our legal services to you
  • Legitimate interests — fraud prevention, improving our services, and internal analytics to better serve our clients
  • Legal obligation — to comply with SRA record-keeping requirements, anti-money laundering regulations, and other legal obligations
  • Consent — for marketing communications and processing of vulnerability data. You can withdraw consent at any time.

4. How We Use Your Data

  • Processing and managing your fraud claim
  • Communicating with your bank or card provider on your behalf
  • Submitting complaints to the Financial Ombudsman Service (FOS) where necessary
  • Sending you status updates about your claim
  • Generating complaint letters and legal correspondence
  • Improving our service and user experience
  • Complying with our regulatory obligations as a law firm

5. Who We Share Your Data With

We may share your personal data with the following parties, only to the extent necessary to process your claim or fulfil our legal obligations:

  • Your bank or card provider — to submit and pursue your complaint
  • Financial Ombudsman Service (FOS) — if your complaint is escalated
  • Action Fraud / Police — with your consent, to support criminal investigations
  • Our technology providers (data processors acting on our instructions):
    • Supabase — database and authentication hosting
    • Vercel — website hosting
    • Anthropic — AI-assisted complaint letter drafting (see Section 6)
    • Resend — email delivery

We do not sell your personal data to any third party.

6. AI Processing

We use AI technology (Anthropic Claude) to assist in drafting complaint letters and analysing claim details. This helps us provide a faster and more thorough service. Important points:

  • All AI-generated content is reviewed by qualified legal professionals before it is used or sent on your behalf
  • Client data is sent to Anthropic's API for processing but is not retained by Anthropic beyond the immediate request
  • AI processing is used to assist our lawyers, not to replace their professional judgement
  • No automated decisions with legal or significant effects are made without human oversight

7. Data Retention

  • Claim data — retained for 6 years after case closure, as required by SRA regulations and the Limitation Act 1980
  • Marketing consents — retained until you withdraw your consent
  • Server logs — retained for 90 days
  • Cookie consent records — retained for 12 months, then renewed

8. Data Security

We take the security of your personal data seriously and implement the following measures:

  • Encryption in transit using TLS 1.3
  • Encryption at rest using AES-256
  • Row-level security on our database ensuring clients can only access their own data
  • Application-level encryption for sensitive fields (such as vulnerability details)
  • Regular security audits and access reviews
  • Multi-factor authentication for staff accounts
  • Strict access controls — only authorised staff can view your data

9. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data (subject to our SRA retention obligations)
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to restriction — request that we limit how we use your data
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, please contact us at dpo@refundclub.co.uk. We will respond within one month of receiving your request.

If you are unsatisfied with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies

We use cookies and similar technologies on our website. For full details, please see our Cookie Policy.

11. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or through a notice on our website. We encourage you to review this policy periodically.

12. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us:

  • Email: dpo@refundclub.co.uk
  • Post: Data Protection Officer, Sansford Law Limited, 3rd Floor, 45 Albemarle Street, Mayfair, London, W1S 4JL