Privacy Policy

Your privacy matters to us. This policy explains how Benefits Robin collects, uses, stores, and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Last updated: February 2026

Benefits Robin is not affiliated with the DWP or UK Government.

1. Data Controller

Benefits Robin is operated by Viral Pas Digital Marketing L.L.C, registered in the United Arab Emirates (“we”, “us”, “our”). We are the data controller for the personal data we process through our website and services at www.benefitsrobin.co.uk.

We are committed to complying with UK data protection law. Our ICO registration details will be published here once confirmed.

As required by Article 27 UK GDPR, we are appointing a UK-based representative whose details will be published here once confirmed.

By using our service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our service.

2. What Data We Collect

We collect the following categories of personal data:

2.1 Account Data

  • Your name and email address, collected when you create an account (via email/password or Google OAuth).

2.2 Eligibility Assessment Data

  • Your answers to questions about your health conditions, financial situation, and living circumstances, used to check your potential benefit eligibility.

2.3 Intake Assessment Data

  • Detailed information you provide for benefit claims, including descriptions of care needs, daily living difficulties, and medical conditions.

2.4 Payment Metadata

  • Transaction ID, amount, and payment status. We do not store your card details — all card information is handled directly by Stripe, our PCI DSS-compliant payment processor.

2.5 Family Member Data

  • Names, dates of birth, relationships, and health conditions of family members you add to your case, used to assess household benefit eligibility.

2.6 Special Category Data

Some of the information we collect constitutes special category data under the UK GDPR, including health conditions, disability information, and care needs. We process this data on the basis of your explicit consent under Article 9(2)(a) UK GDPR, which you provide when you complete our eligibility and intake assessments. You can withdraw your consent at any time by deleting your account or contacting us.

2.7 Information Collected Automatically

  • Essential cookies: Authentication tokens and session data required for the service to function.
  • Device information: Browser type, operating system, and device type.

3. Why We Collect Your Data

We use your personal data for the following purposes:

  • To provide our service: Checking your potential benefit eligibility, generating personalised results, and helping you prepare application materials.
  • To maintain your account: Managing your account, saving your progress, and allowing you to return to your assessment.
  • To process payments: Facilitating payment for our services via Stripe.
  • To communicate with you: Responding to your enquiries and sending service-related updates.
  • To improve our service: Analysing usage patterns to improve our eligibility checker, fix bugs, and enhance the user experience.
  • To ensure security: Detecting and preventing fraud, abuse, and unauthorised access to our systems.
  • To comply with legal obligations: Meeting our legal and regulatory requirements.

Legal Basis for Processing

We rely on the following legal bases under the UK GDPR:

  • Consent (Article 6(1)(a) and Article 9(2)(a)): For processing special category data (health conditions, disability information, care needs).
  • Contract (Article 6(1)(b)): For providing our service to you when you create an account and purchase our eligibility and application assistance service.
  • Legitimate interests (Article 6(1)(f)): For improving our service, ensuring security, and analysing usage patterns, where these interests do not override your rights.
  • Legal obligation (Article 6(1)(c)): Where we are required to process or retain your data by law (e.g., payment records for tax compliance).

4. Data Storage

Your data is stored and processed using the following service providers:

  • Supabase: Our database and authentication provider. Supabase hosts data on cloud infrastructure which may be located outside the UK.
  • Vercel: Our website hosting provider, based in the United States.
  • Stripe: Our payment processor, which processes payment data in the US and EU. Stripe is PCI DSS Level 1 compliant.

We implement appropriate technical measures to protect your data, including encryption in transit (TLS/HTTPS) and at rest, access controls, and Row Level Security (RLS) policies on our database to ensure users can only access their own data.

5. International Data Transfers

Benefits Robin is operated by a company registered in the United Arab Emirates. Your personal data may be transferred to, and processed in, countries outside the United Kingdom, including:

  • United States: Vercel (hosting) and Stripe (payment processing) are US-based companies.
  • Supabase infrastructure: Database hosting which may involve data centres outside the UK/EEA.
  • United Arab Emirates: Where the operating company is registered.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V. These may include the International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or reliance on adequacy regulations where applicable.

6. Third-Party Sharing

We share your personal data only with the following third-party service providers, and only to the extent necessary to operate our service:

  • Supabase: Database hosting, authentication, and data storage.
  • Stripe: Payment processing. Stripe receives your payment details directly — we only store transaction metadata (transaction ID, amount, status).
  • Vercel: Website hosting and server-side rendering.
  • Google: If you choose to sign in with Google OAuth, Google processes your authentication data.

We do NOT share your data with the DWP or any government body. Benefits Robin provides information and application preparation assistance only. Any submission of benefit applications to the DWP or other authorities is done by you directly.

We do NOT sell your data to third parties. We do not share your information with any third party for their own marketing or commercial purposes.

All third-party processors are bound by data processing agreements that require them to protect your data and process it only on our instructions.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Account data, eligibility data, intake data, and family data: Retained while your account is active. Deleted within 30 days of an account deletion request.
  • Payment records: Retained for 6 years after the transaction date, as required for legal and tax compliance purposes.
  • Communications: Retained for up to 12 months after the enquiry is resolved, then deleted.

When data is no longer needed, it is securely deleted so that it cannot be linked back to you.

8. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can request that we correct any inaccurate or incomplete personal data.
  • Right to erasure (right to be forgotten): You can request that we delete your personal data. We will do so within 30 days unless we have a legal obligation to retain it.
  • Right to restrict processing: You can request that we limit how we use your data in certain circumstances.
  • Right to data portability: You can request a copy of your data in a structured, commonly used, and machine-readable format.
  • Right to object: You can object to the processing of your personal data where we are relying on legitimate interests as the legal basis.
  • Right to withdraw consent: Where we rely on your consent to process data (including special category data), you can withdraw that consent at any time. This will not affect the lawfulness of processing carried out before the withdrawal.

How to Delete Your Data

You can delete your data at any time through your Account Settings page, or by contacting us at support@benefitsrobin.co.uk. Upon receiving a deletion request, we will delete your account and personal data within 30 days, except for payment records which are retained for 6 years for legal compliance.

Exercising Your Rights

To exercise any of these rights, please contact us at support@benefitsrobin.co.uk. We will respond within 30 days. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

9. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it:

  • Encryption: All data is encrypted in transit using TLS (HTTPS). Data at rest is encrypted by our infrastructure providers.
  • Access controls: Access to personal data is restricted to authorised personnel. Our database enforces Row Level Security (RLS) so users can only access their own data.
  • Authentication security: Passwords are hashed and never stored in plain text. We support Google OAuth for secure sign-in.
  • Incident response: We have procedures in place to detect, report, and investigate personal data breaches. In the event of a breach that poses a risk to your rights, we will notify you and the ICO within 72 hours as required by UK GDPR.

10. Cookies

We use cookies and similar technologies on our website. Cookies are small text files stored on your device that help us provide and improve our service.

Essential Cookies

These are necessary for the website to function and cannot be switched off. They include cookies for authentication (Supabase session tokens), OAuth PKCE verification, and security. Without these cookies, the service cannot operate.

Local Storage

We use browser local storage to cache certain non-sensitive data (such as payment status hints and UI preferences) to improve performance. This data remains on your device and is not transmitted to our servers.

Managing Cookies

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking essential cookies will prevent you from using our service.

11. Children's Privacy

Our service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will take steps to delete that information.

We do collect information about family members (including children) that you choose to add to your case for the purpose of assessing household benefit eligibility. This data is provided by you as the account holder and parent or guardian.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting a notice on our website. The “Last updated” date at the top of this policy will be revised accordingly. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal data, please contact us:

Privacy enquiries: support@benefitsrobin.co.uk

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk

Phone: 0303 123 1113

Important: Benefits Robin is not affiliated with the DWP or UK Government. We provide information and assistance, not legal or financial advice. Any eligibility results we provide are estimates based on your answers. Final decisions are made by the DWP.