Privacy Policy
Last updated: 8 June 2026
Who we are
Beat It ("we", "us", "our") operates usebeatit.com — an AI-powered service that generates and submits parking appeals on your behalf. We act as your agent when communicating with parking operators and local councils.
For privacy queries: privacy@usebeatit.com
Use Beat It Ltd · ICO Registration: C1924112 · Registered in England & Wales.
1. Data we collect
- Account data: Email address and name when you sign up.
- Ticket details: PCN/ticket reference, issuing authority, date, time, location, alleged violation, and vehicle registration.
- Ticket photos: Images you upload of your ticket or the parking scene.
- Accessibility data (optional): If your appeal relies on a disabled person's (Blue) Badge, you may choose to upload a photo of it. This reveals health information, so it is "special category" data — we only process it with your explicit consent and solely to prepare that appeal.
- IP address: Logged for security, rate-limiting, and fraud prevention.
- Payment information: Billing details handled by Stripe. We store only a tokenised reference — never your card number.
- Communications: Appeal letters we send on your behalf, and any responses received from councils or operators.
- Usage data: Pages visited and session information to improve the service.
2. How we use your data
- Generating personalised appeal letters from your ticket details.
- Submitting those letters to the relevant authority on your behalf.
- Sending you email updates about your appeals and account.
- Processing subscription payments and success fees via Stripe.
- Detecting fraud and enforcing our rate limits.
- Improving our service using aggregated, anonymised data.
- Complying with legal and regulatory obligations.
We do not sell your data. We do not use it for advertising.
3. Our lawful basis for processing
Under UK GDPR we must have a lawful basis for each thing we do with your data. Ours are:
- Performing our contract with you (Art 6(1)(b)): the core service — creating your account, generating appeal letters from your ticket details and vehicle registration, and submitting them to councils and operators on your behalf. Without this data we cannot provide the service.
- Legitimate interests (Art 6(1)(f)): keeping the service secure and reliable — fraud prevention and rate-limiting (IP address), error diagnostics, and product analytics to improve the service. We weigh these against your rights and minimise the data used; for example, we strip emails and vehicle registrations out of error reports. You can object to this at any time.
- Consent (Art 6(1)(a)): optional things you choose to opt into, such as non-essential marketing emails and uploading a disabled (Blue) Badge. You can withdraw consent at any time.
- Legal obligation (Art 6(1)(c)): keeping payment and tax records for as long as the law requires.
Special category data. A disabled (Blue) Badge reveals health information, which UK GDPR treats as "special category" data needing extra protection. We process it only on the basis of your explicit consent (Art 9(2)(a)), solely to prepare the specific appeal you provide it for. You can withdraw consent at any time and ask us to delete the data from Beat It's systems; withdrawal does not undo processing already carried out (for example, a badge already submitted with an appeal) or data we must keep to meet a legal obligation.
4. Third-party processors (subprocessors)
We use the following subprocessors to deliver the service. Each one receives only the data it needs to perform its function. Where data is transferred outside the UK/EEA, Standard Contractual Clauses (SCCs) apply.
Stripe — Ireland / USA 🇮🇪 🇺🇸
Data received: billing details, card number (handled directly by Stripe — we never see it), email, billing address.
Purpose: payment processing for subscriptions and success fees. PCI-DSS Level 1 compliant.
Supabase — EU 🇪🇺
Data received: account data (email, hashed password), appeal records, ticket details, uploaded photos.
Purpose: database and authentication. Hosted in the EU. GDPR compliant.
SendGrid (Twilio) — USA 🇺🇸
Data received: your email address, appeal letter content sent to councils on your behalf, and inbound replies received from councils.
Purpose: transactional email delivery and inbound parse for council replies. SCCs apply.
Anthropic — USA 🇺🇸
Data received: appeal context — ticket details, your answers to clarifying questions, and any narrative you provide — sent to the Claude API to generate appeal letters.
Purpose: AI-generated appeal letters. API data is not used to train models per Anthropic's data usage policy. SCCs apply.
OpenAI — USA 🇺🇸
Data received: ticket details and clarifying answers for some AI features.
Purpose: supplementary AI processing. OpenAI does not use API data to train models per their data usage policy. SCCs apply.
Cloudflare — USA / global 🇺🇸 🌍
Data received: anonymous abuse-prevention signals via Turnstile CAPTCHA (no cookies, no personal identifiers).
Purpose: bot and abuse prevention on signup and appeal submission. SCCs apply.
Sentry — USA 🇺🇸
Data received: error stack traces, browser/device info, and IP address (which may identify you).
Purpose: error reporting and diagnostics so we can fix bugs. SCCs apply.
PostHog — USA / EU 🇺🇸 🇪🇺
Data received: product events (pages viewed, actions taken) and anonymous identifiers.
Purpose: product analytics to understand how the service is used. SCCs apply where data is processed in the USA.
Vercel — USA 🇺🇸
Data received: request metadata (IP, user agent) for the web frontend and edge network.
Purpose: hosting and content delivery. SCCs apply.
5. International data transfers
Several of our subprocessors (Stripe, SendGrid, Anthropic, OpenAI, Cloudflare, Sentry, PostHog, Vercel) process data outside the UK and EEA, primarily in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum, which provide equivalent protections to UK and EU data protection law.
6. Data retention
- Active accounts: Data retained while your account is open.
- Deleted accounts: Personal data purged within 30 days of deletion request. Anonymised appeal outcome data may be retained for service improvement.
- Payment records: Retained for 7 years for tax and accounting compliance.
7. Your rights (UK GDPR)
Under UK GDPR, you have the right to:
- Access — request a copy of your personal data.
- Deletion — ask us to delete your account and all associated data.
- Portability — receive your data in a machine-readable format (JSON export available in account settings).
- Rectification — correct inaccurate data we hold.
- Objection — object to how we process your data.
- Restriction — limit how we use your data while a dispute is resolved.
Email privacy@usebeatit.com to exercise any right. We will respond within 30 days.
You may also lodge a complaint with the ICO.
8. CCPA — California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect and how it is used.
- The right to delete your personal information.
- The right to opt out of the sale of your personal information. We do not sell personal information.
- The right to non-discrimination for exercising your CCPA rights.
To exercise CCPA rights, email privacy@usebeatit.com.
9. Cookies & local storage
We use only essential cookies, to keep you signed in. Cloudflare Turnstile protects signup and appeal submission from bots without setting cookies or identifying you. We set no advertising cookies, and no third-party cookies that track you across other websites.
Our product analytics (PostHog) stores a first-party identifier in your browser's local storage rather than in cookies, so we can understand how the service is used. It stays first-party and is never used for cross-site advertising. We rely on legitimate interests for this (see section 3); to opt out, switch on your browser's "Do Not Track" setting, or contact us using the details in section 7.
10. Changes
We will notify you by email of any material changes. The latest version is always at usebeatit.com/privacy.
Contact
Privacy questions: privacy@usebeatit.com