Last updated: 20 March 2026

Privacy Policy

This policy explains what personal data HearBack collects, why we collect it, and what rights you have over it. We are committed to handling your data lawfully and transparently under UK GDPR and the Data Protection Act 2018.

1. Who we are

HearBack is operated by Layerblocks Ltd, registered in England and Wales. Our registered office is at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

Layerblocks Ltd is the data controller for personal data processed through the HearBack platform. If you have any questions about how we handle your data, contact us at [email protected].

2. Data we collect

Account and business data

  • Name, email address, and password (hashed — we never store your plain-text password)
  • Business name, short link slug, and Google review URL
  • Logo and branding assets you upload
  • Billing information (processed by Stripe — we hold only a Stripe customer ID, not your card details)

Usage and analytics data

  • QR code scan counts, link visits, rating selections, and review clicks — aggregated per day per link
  • Device type (mobile or desktop) inferred from user agent at scan time
  • Customer feedback messages and ratings submitted through your review funnel (associated with your business, not individually identified)

Technical data

  • IP addresses and user-agent strings processed transiently by Cloudflare for security and routing — we do not log these ourselves
  • Authentication tokens stored in your browser (httpOnly cookies or localStorage)

3. How we use your data

Purpose | Legal basis
Providing and maintaining the service | Contract (Art. 6(1)(b) UK GDPR)
Sending transactional emails (password reset, feedback notifications) | Contract
Sending onboarding and product update emails | Legitimate interests
Processing payments and managing subscriptions | Contract
Fraud prevention and platform security | Legitimate interests
Complying with legal obligations | Legal obligation (Art. 6(1)(c))
Improving the platform through aggregated usage analytics | Legitimate interests

4. Third parties we share data with

We use the following trusted sub-processors to deliver the service. Each is bound by a Data Processing Agreement (DPA):

  • Cloudflare — infrastructure, CDN, and DDoS protection. Processes request metadata transiently.
  • Stripe — payment processing. Holds your billing and card data under PCI-DSS.
  • Resend — transactional and drip email delivery. Receives recipient email addresses and rendered email HTML.
  • Google — we link to Google review pages using place IDs you provide. No customer data is sent to Google by us.

We do not sell, rent, or trade your personal data with any third party for their own marketing purposes.

5. Data retention

We retain your account and business data for as long as your account is active. If you close your account, we delete your personal data within 30 days, except where we are required to retain it longer by law (for example, billing records for tax purposes, which we keep for 7 years).

Aggregated, anonymised analytics (scan counts, conversion rates) may be retained indefinitely as they contain no personal data.

6. International transfers

Our infrastructure runs primarily within the European Economic Area (EEA) via Cloudflare. Where data is processed outside the UK or EEA (for example, by Stripe or Resend in the US), we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs).

7. Cookies and local storage

We use the following browser storage mechanisms:

  • Authentication token — stored in localStorage to keep you logged in. Cleared on sign-out.
  • Tour progress — keys stored in localStorage to remember your onboarding progress. No personal data.
  • Sidebar preference — a single localStorage key to remember your UI layout preference.

We do not use third-party tracking or advertising cookies. We do not embed tracking pixels.

8. Your rights under UK GDPR

You have the following rights over your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your data (“right to be forgotten”), subject to legal retention obligations
  • Restriction — ask us to limit how we use your data in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, email us at [email protected]. We will respond within one month as required by UK GDPR.

9. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

ico.org.uk/make-a-complaint
Telephone: 0303 123 1113

We would appreciate the opportunity to address your concern before you contact the ICO — please reach out to us first at [email protected].

10. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email before the changes take effect. The “last updated” date at the top of this page reflects the most recent revision.

11. Contact

Layerblocks Ltd
71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
[email protected]