Last updated: 1 June 2026

Privacy Policy

This policy explains what personal data HearBack collects, why we collect it, and what rights you have over it. We are committed to handling your data lawfully and transparently under UK GDPR and the Data Protection Act 2018.

1. Who we are

HearBack is operated by Layerblocks Ltd, registered in England and Wales. Our registered office is at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

Layerblocks Ltd is the data controller for personal data processed through the HearBack platform. If you have any questions about how we handle your data, contact us at [email protected].

2. Data we collect

Account and business data

  • Name, email address, and password (hashed — we never store your plain-text password)
  • Business name, short link slug, and Google review URL
  • Logo and branding assets you upload
  • Billing information (processed by Stripe — we hold only a Stripe customer ID, not your card details)

Usage and analytics data

  • QR code scan counts, link visits, rating selections, and review clicks — aggregated per day per link
  • Device type (mobile or desktop) inferred from user agent at scan time
  • Customer feedback messages and ratings submitted through your review funnel (associated with your business, not individually identified)

Technical data

  • IP addresses and user-agent strings processed transiently by Cloudflare for security and routing — we do not log these ourselves
  • Authentication tokens stored in your browser (httpOnly cookies or localStorage)

2.5. End-customer SMS data

Where our business customers use HearBack to send review-request SMS messages, they upload the end-customer's first name and mobile phone number to the platform. These messages are sent from an SMS sender or number registered to the business under its own brand. The business is the data controller for that end-customer relationship; HearBack acts as a data processor on the business's behalf for the limited purpose of delivering the review-request SMS message.

We use ClickSend as our SMS delivery sub-processor. ClickSend receives the end-customer's mobile number and the message content for the sole purpose of message delivery, subject to ClickSend's own data processing terms.

End-customer mobile numbers are retained for as long as the business customer's account remains active and are deleted within 30 days of account closure. Opt-out requests received by SMS (replies of STOP) are recorded and honoured immediately and indefinitely.

End-customer mobile numbers are never used for marketing, never shared with third parties for their own purposes, and never resold.

2.6. End-customer QuickBooks data

Where our business customers connect their Intuit QuickBooks Online account to HearBack, we access end-customer data held in QuickBooks on the business customer's behalf. This may include:

  • End-customer name, email address, and mobile phone number
  • Invoice and transaction events (such as invoice creation, payment status, dates, and amounts)
  • Company and contact records stored in the QuickBooks account

The business customer is the data controller for the end-customer relationships represented in their QuickBooks account. HearBack acts as a data processor on the business customer's behalf, for the limited purpose of triggering and delivering review requests based on QuickBooks activity.

We use Intuit Inc. as the source of this data via the official QuickBooks Online API. We do not write to, modify, or delete data in the QuickBooks account unless the business customer explicitly enables a feature that does so. OAuth access tokens issued by Intuit are stored encrypted at rest and are revoked on disconnection.

End-customer data sourced from QuickBooks is retained only for as long as needed to deliver review requests and analytics, and is deleted within 30 days of the business customer disconnecting the QuickBooks integration or closing their HearBack account, whichever occurs first. Disconnection may be initiated from within HearBack or from the Intuit account management dashboard; both result in immediate cessation of access.

End-customer data sourced from QuickBooks is never used for marketing, never shared with third parties for their own purposes, and never resold.

3. How we use your data

| Purpose | Legal basis |
|---|---|
| Providing and maintaining the service | Contract (Art. 6(1)(b) UK GDPR) |
| Sending transactional emails (password reset, feedback notifications) | Contract |
| Sending account security and service SMS (one-time passcodes, account notifications) | Contract |
| Sending onboarding and product update emails | Legitimate interests |
| Processing payments and managing subscriptions | Contract |
| Fraud prevention and platform security | Legitimate interests |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Improving the platform through aggregated usage analytics | Legitimate interests |

4. Third parties we share data with

We use the following trusted sub-processors to deliver the service. Each is bound by a Data Processing Agreement (DPA):

  • Cloudflare — infrastructure, CDN, and DDoS protection. Processes request metadata transiently.
  • Stripe — payment processing. Holds your billing and card data under PCI-DSS.
  • AWS SES — transactional and product email delivery. Receives recipient email addresses and rendered email content.
  • Google — we link to Google review pages using place IDs you provide. No customer data is sent to Google by us.
  • ClickSend — SMS message delivery. Receives mobile numbers and message content for both HearBack account messages and, where the business customer has elected to use SMS review requests, end-customer review-request messages. Bound by ClickSend's data processing terms.
  • Intuit — QuickBooks Online integration. Where the business customer has connected their QuickBooks account, we access customer contact details, invoice events, and company profile information from Intuit on the business customer's behalf via the QuickBooks Online API. We do not send HearBack data to Intuit. Bound by Intuit's data processing terms.

We do not sell, rent, or trade your personal data with any third party for their own marketing purposes.

5. Data retention

We retain your account and business data for as long as your account is active. If you close your account, we delete your personal data within 30 days, except where we are required to retain it longer by law (for example, billing records for tax purposes, which we keep for 7 years).

Aggregated, anonymised analytics (scan counts, conversion rates) may be retained indefinitely as they contain no personal data.

6. International transfers

Our infrastructure runs primarily within the European Economic Area (EEA) via Cloudflare. Some of our sub-processors are located outside the UK and EEA:

  • Stripe and Intuit process data in the United States.
  • ClickSend is an Australia-based provider and may process data in Australia.

Neither the United States (outside specific certified frameworks) nor Australia is covered by a UK adequacy decision, so where data is transferred to these providers we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) with the relevant supplementary measures.

7. Cookies and local storage

We use the following browser storage mechanisms:

  • Authentication token — stored in localStorage to keep you logged in. Cleared on sign-out.
  • Tour progress — keys stored in localStorage to remember your onboarding progress. No personal data.
  • Sidebar preference — a single localStorage key to remember your UI layout preference.

We do not use third-party tracking or advertising cookies. We do not embed tracking pixels.

8. SMS / text messaging

When you create a HearBack account, you may receive SMS text messages from us for security and service purposes, including one-time passcodes (2FA) and account or service notifications. These messages are sent from HearBack's own registered number and are used solely for account security and service notifications — this number is never used to send messages on behalf of business customers (review-request SMS is covered in section 2.5). By providing your mobile number and opting in, you consent to receive these messages.

  • Message frequency varies based on your account activity.
  • Message and data rates may apply.
  • Reply STOP at any time to opt out; reply HELP for assistance.
  • We do not sell, rent, or share your mobile number or SMS opt-in consent with any third parties or affiliates for marketing or promotional purposes.

9. Your rights under UK GDPR

You have the following rights over your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations
  • Restriction — ask us to limit how we use your data in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, email us at [email protected]. We will respond within one month as required by UK GDPR.

10. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

ico.org.uk/make-a-complaint · Telephone: 0303 123 1113

We would appreciate the opportunity to address your concern before you contact the ICO — please reach out to us first at [email protected].

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email before the changes take effect. The "last updated" date at the top of this page reflects the most recent revision.

12. Contact

Layerblocks Ltd, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom · [email protected]

© 2026 Layerblocks Ltd · Company No. 16817944 · 71–75 Shelton Street, London WC2H 9JQ

GDPR & UK DPA 2018 compliant. Data export or deletion via [email protected]. Pre-launch · No card required · Cancel anytime.