Privacy Policy

1. Who We Are

1.1 RepSave is a UK-registered trading name, operated as part of the Synelo product portfolio. We provide automated review request and reputation management software to UK-based local businesses on a subscription basis.

1.2 Our registered address is 71-75 Shelton Street, Covent Garden, London WC2H 9JQ. We are registered with the Information Commissioner's Office (ICO) under reference number ZC141512. If you have any questions about this Privacy Policy or about how we handle your personal data, you can contact us at hello@repsave.co.uk.

1.3 This Privacy Policy explains what personal data we collect, for what purposes, on what legal basis, with whom we share it, how long we retain it, and what rights you have under the "UK GDPR" (the UK General Data Protection Regulation) and the Data Protection Act 2018.

2. Our Dual Role as Controller and Processor

2.1 Depending on whose personal data is involved, RepSave operates in two distinct capacities under data protection law:

2.2 Data Controller: RepSave acts as a "data controller" in relation to: (a) the personal data of visitors to the repsave.co.uk website, including data collected via analytics tools and contact forms; and (b) the personal data of Subscribers — that is, business owners and their representatives who hold a RepSave account. As a data controller, RepSave determines the purposes and means of processing this data and is directly responsible for compliance with UK GDPR in relation to it.

2.3 Data Processor: RepSave acts as a "data processor" in relation to the personal data of "End Customers" — the individual customers of Subscriber businesses whose contact details are provided to RepSave for the sole purpose of delivering review request emails. In this capacity, RepSave processes End Customer data strictly on the documented instructions of the Subscriber, who is the data controller for their End Customers' data.

2.4 Subscribers must ensure they have an appropriate lawful basis under UK GDPR before sharing any End Customer personal data with RepSave, and must be satisfied that they have a legitimate basis for contacting their End Customers by email in connection with their service experience.

3. Data We Collect — Website Visitors

3.1 When you visit repsave.co.uk, we may collect the following data about you depending on your cookie consent choices:

3.2 No third-party cookies or tracking scripts are loaded by mere page load on repsave.co.uk. All non-essential tools are activated only after you give explicit consent via the cookie banner or preference modal.

3.3 Analytics data (Analytics category — consent required): If you enable analytics cookies, we collect via Google Analytics 4 (Measurement ID: G-48SY8Q7LQJ): your IP address (anonymised by GA4 before storage), browser type and version, operating system, the pages you visit, time spent on each page, referral source, and approximate geographic location at country and city level. Legal basis: Consent (UK GDPR Article 6(1)(a)). You may withdraw consent at any time as described in our Cookie Policy.

3.4 Marketing data (Marketing category — consent required): If you enable marketing cookies, the Meta Pixel (Pixel ID: 968512179305344) is loaded on repsave.co.uk. The Pixel records pages you visit and transmits this data to Meta to enable measurement of advertising effectiveness and, where applicable, to allow us to reach relevant audiences through Meta platforms. Legal basis: Consent (UK GDPR Article 6(1)(a)). Meta may combine this data with information they hold about you from your use of their own services, subject to Meta's privacy policy.

3.5 Performance data: Performance measurement tools are not yet active on repsave.co.uk. When introduced, this policy will be updated with full details before any such data is collected.

3.6 Contact and enquiry data (collected when you get in touch): If you contact us via any contact form on the website or by sending us an email directly, we collect your name, email address, the content of your message, and the topic of your enquiry. This processing is based on our legitimate interests in responding to enquiries and providing pre-sales support. We will not use this data for marketing purposes without your agreement.

4. Data We Collect — Subscribers

4.1 When you subscribe to RepSave and create an account, we collect and process the following categories of personal data about you as a Subscriber:

4.2 Account and onboarding data: Your full name, the name of your business, your business email address, and information provided on the onboarding form including your business type, the booking or appointment management system you use, and the URL of your nominated review platform (e.g. your Google Business Profile link). This data is processed on the legal basis of performance of a contract — it is necessary for us to set up and deliver your Subscription.

4.3 Payment and billing data: Your payment and billing information is collected and processed directly by Stripe, our payment processor. RepSave does not store, handle, or have access to your full card number, CVV, sort code, account number, or other sensitive payment credentials. We retain records of your Subscription tier, billing frequency, payment dates, and transaction references for account management and financial record-keeping purposes.

4.4 Platform usage data: We collect data about how you use the RepSave Platform, including the volume of Triggers submitted, the number of review request emails sent from your account, feedback outcome data associated with your account, and the contents of your analytics Reports. This data is processed on the basis of performance of a contract and is used to deliver the Service, generate your Reports, and improve the reliability of the Platform.

4.5 Support communications: Emails, messages, and other communications you send to RepSave in connection with your account, including support requests, queries, and complaints. These are retained for the purposes of resolving your enquiry, maintaining a record of the resolution, and improving our support processes, on the basis of legitimate interests.

5. Data We Process — End Customers

5.1 When a Subscriber submits End Customer data to the RepSave Platform via a Webhook Trigger or manual input, RepSave processes that data as a data processor acting on the Subscriber's instructions. The categories of End Customer personal data processed by RepSave are:

• Email address: Used to deliver the review request email to the End Customer. This is the only data field that is strictly required for the Service to function.
• First name: Where provided by the Subscriber, used to personalise the greeting within the review request email. This is optional but improves engagement rates.
• Feedback responses: The End Customer's response to the initial review request — indicating whether their experience was positive or negative — is used by RepSave to route the End Customer either to the Subscriber's public review platform (positive outcome) or to the Subscriber's private internal feedback form (negative outcome).
• Verbatim private feedback (Pro plan only): On the Pro subscription plan, the content of the private feedback form submitted by End Customers who indicate a negative experience is retained within the Subscriber's account for the duration of their active Subscription, enabling the Subscriber to review and act upon individual pieces of feedback.

5.2 RepSave does not use End Customer personal data for any purpose other than delivering the Service as instructed by the relevant Subscriber. End Customer data is not shared with any other Subscriber, used for RepSave's own marketing, sold to any third party, or aggregated into any publicly accessible dataset.

5.3 Subscribers are solely responsible for ensuring that their End Customers have voluntarily provided their contact details in a context that makes it appropriate to contact them with a review request, and that a lawful basis under UK GDPR exists for that contact.

6. How We Use Personal Data

6.1 We use the personal data we collect for the following purposes:

• Delivering the automated review request email service to End Customers on behalf of Subscribers.
• Routing End Customer feedback responses — directing positive respondents to the Subscriber's public review platform and negative respondents to the private feedback form.
• Generating weekly and monthly analytics Reports for Subscribers covering delivery volumes, response rates, and feedback outcomes.
• Processing Subscription payments, managing billing cycles, and handling failed payment notifications through Stripe.
• Setting up and configuring Subscriber accounts following sign-up and onboarding.
• Responding to Subscriber support enquiries, complaints, and account-related queries.
• Improving the reliability, performance, and functionality of the Service through analysis of aggregated, anonymised usage patterns.
• Complying with our legal and regulatory obligations, including those under UK GDPR, PECR, and applicable financial regulations.
• Preventing fraud, misuse of the Platform, and unauthorised access to Subscriber accounts.

7. Data Sharing and Third-Party Processors

7.1 We share personal data only with the following carefully selected third-party processors, each of whom operates under an appropriate data processing agreement and provides sufficient guarantees of compliance with UK GDPR:

• Supabase — database hosting and storage infrastructure. Subscriber account data and End Customer data is stored in Supabase databases hosted in the EU (eu-west-1 region). Supabase provides row-level security and encryption at rest.
• SendGrid (Twilio) — transactional email delivery. Review request emails are transmitted via SendGrid's email delivery infrastructure and sent from the address noreply@sharefeedback.net on behalf of the Subscriber's business. SendGrid processes email address and message content data solely for the purpose of delivery.
• Stripe — payment processing and Subscription management. Stripe processes Subscriber payment credentials and billing data in accordance with PCI-DSS standards and Stripe's own privacy policy.
• Tally — onboarding form collection. Subscriber onboarding responses are collected via Tally forms and transmitted to RepSave's database.
• Google Analytics (GA4) — website analytics (Analytics consent category). Loaded only with the explicit consent of website visitors. Visitors who do not enable analytics will not have any GA4 data collected. Data may be transferred to Google's servers in the United States under Standard Contractual Clauses.
• Meta (Facebook) — advertising measurement via the Meta Pixel (Marketing consent category). The Meta Pixel is only loaded after you have given explicit marketing consent. Meta acts as an independent controller in respect of data they receive through the Pixel. Data is transferred to Meta's servers in the United States under Standard Contractual Clauses.
• Contentsquare — performance analytics (not yet active on repsave.co.uk). When introduced, this will be disclosed in full before any data collection begins.
• Cloudflare — website hosting, content delivery network (CDN), and security. Cloudflare processes web traffic data as part of providing hosting and DDoS protection services for repsave.co.uk.

7.2 We do not sell personal data to any third party under any circumstances. We do not share personal data with advertisers, marketing networks, data brokers, or any party whose purpose is unrelated to delivering the Service.

8. International Data Transfers

8.1 Most personal data processed by RepSave is stored and processed within the UK or the European Economic Area (EEA). Where data is transferred outside the UK or EEA, we ensure that appropriate safeguards are in place as required by UK GDPR:

• Supabase: Database hosted in the EU (eu-west-1 region). No international transfer outside the UK/EEA applicable to this processor.
• SendGrid (Twilio): Email data may be processed on servers located in the United States. This transfer is covered by Standard Contractual Clauses (SCCs) approved by the UK ICO, providing equivalent protection to UK GDPR standards.
• Stripe: Payment data is processed by Stripe under SCCs with the UK ICO's approval, ensuring that UK data subject rights are protected regardless of the processing location.
• Google Analytics 4: Analytics data is transmitted to and processed by Google on servers that may be located in the United States. This transfer is governed by SCCs between RepSave and Google. GA4 also anonymises IP addresses before storage, further minimising personal data exposure.
• Meta (Facebook): Pixel data is transferred to Meta's servers in the United States. This transfer is covered by Standard Contractual Clauses approved by the UK ICO.
• Cloudflare: Traffic routed through Cloudflare's global network may pass through servers in multiple countries. Cloudflare processes this data under SCCs and is certified under applicable data transfer frameworks.

8.2 You may request further information about the specific safeguards in place for any international transfer by contacting us at hello@repsave.co.uk.

9. Retention Periods

9.1 We retain personal data only for as long as is necessary for the purposes set out in this Privacy Policy, or as required by law. The following retention periods apply:

• Website visitor GA4 analytics data: A maximum of 14 months from the date of collection, after which it is automatically deleted or aggregated by Google Analytics.
• Contact form and email enquiry data: Up to 12 months from the date on which the enquiry was received, unless the enquiry results in a Subscription in which case account data retention terms apply.
• Subscriber account data: Retained for the full duration of the active Subscription, and for a period of 3 months following the end of the final paid Billing Period after cancellation. After the expiry of this 3-month retention period, all Subscriber account data is permanently and irreversibly deleted. This deletion cannot be reversed.
• End Customer email addresses and first names: Retained only for the duration of the active review request cycle — a maximum of 30 days from the date on which the review request email was sent. After this period, End Customer contact details are automatically deleted from the Platform.
• End Customer verbatim private feedback (Pro plan): Retained for the duration of the Subscriber's active account only. Deleted as part of the Subscriber account deletion process following the 3-month post-cancellation retention period.
• Automated database backups: RepSave maintains rolling 30-day automated backups of Platform data. Backups are overwritten on a rolling basis and are not separately retained beyond this 30-day window.
• Stripe billing records: Retained by Stripe in accordance with their own data retention policy and applicable financial and tax regulations. RepSave retains transaction references and Subscription history for its own accounting purposes.

10. Your Rights Under UK GDPR

10.1 As a data subject whose personal data is processed by RepSave in its capacity as a data controller, you have the following rights under the UK GDPR and the Data Protection Act 2018:

• Right of access: You have the right to request a copy of the personal data we hold about you, together with information about how we process it. This is commonly known as a Subject Access Request (SAR).
• Right to rectification: You have the right to request that we correct any personal data we hold about you that is inaccurate or incomplete without undue delay.
• Right to erasure: You have the right to request that we delete personal data we hold about you in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent and no other lawful basis applies.
• Right to data portability: Where processing is based on consent or performance of a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
• Right to object: You have the right to object to processing of your personal data where that processing is based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defence of legal claims.
• Right to restriction of processing: You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, where you contest the accuracy of the data, or where you have objected to processing pending our response.
• Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you. RepSave does not make any such automated decisions in relation to Subscribers.

10.2 To exercise any of these rights, please email hello@repsave.co.uk with the subject line "Data Rights Request". Your email should clearly identify the right you wish to exercise and provide sufficient information to identify your account. We will acknowledge your request within 5 working days and provide a substantive response within 30 calendar days. Where a request is complex or we receive multiple requests from the same individual, this period may be extended by a further 2 months — we will inform you of any such extension within the initial 30-day period. We may request proof of identity before processing any data rights request.

11. End Customer Rights

11.1 End Customers — the customers of Subscriber businesses who receive review request emails from RepSave — have specific rights in relation to the data processed about them.

11.2 Review request emails are sent from the address noreply@sharefeedback.net on behalf of the relevant Subscriber business. End Customers who do not wish to receive further review request emails from a particular Subscriber's account can opt out at any time by replying to any review request email with the word STOP in the body of the email. Alternatively, End Customers may contact RepSave directly at hello@repsave.co.uk to request that they not receive further communications.

11.3 Opt-out requests are permanently recorded and actioned immediately upon receipt. Once an opt-out is recorded, no further review request emails will be sent to that End Customer's email address from that Subscriber's account.

11.4 End Customers who wish to submit a data rights request — including a Subject Access Request, a request for erasure, or any other request relating to personal data processed by RepSave — may do so by emailing hello@repsave.co.uk. RepSave will liaise with the relevant Subscriber as the data controller for End Customer data to ensure the request is fulfilled appropriately and within the required timeframe.

12. Cookies

12.1 RepSave uses cookies and similar technologies on repsave.co.uk, but only with your explicit consent. No analytics, marketing, or performance cookies are placed on your device simply by loading repsave.co.uk. When you first visit the site, a consent banner is displayed at the bottom of the page. You can click "Accept All" to enable all active cookie categories, or "Manage Preferences" to open the preference modal and enable or disable individual categories. You can also update your preferences at any time using the preference centre on our Cookie Policy page.

12.2 Your consent choices are stored in localStorage under the key repsave_consent as a JSON object recording your individual category preferences. Full details of the cookies we use, their purpose, duration, and how to manage your consent, are set out in our Cookie Policy.

13. Security

13.1 We take the security of personal data seriously and implement a range of technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

• TLS 1.2 or higher encryption for all data transmitted between your browser or integration and the RepSave Platform.
• Encrypted storage of personal data at rest within the Supabase database infrastructure.
• Row-level security policies applied to all Supabase data tables, ensuring that Subscriber data is logically isolated and cannot be accessed by other Subscriber accounts.
• Strict access controls limiting staff access to personal data on a need-to-know basis, with access logs maintained for review.
• Regular security updates applied to Platform dependencies, libraries, and infrastructure components.
• Webhook URL confidentiality requirements preventing unauthorised use of Subscriber-specific integration endpoints.

13.2 No security measure can guarantee absolute protection against all threats. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay, as required by UK GDPR Article 34.

14. Children

14.1 The RepSave Service is designed for business use only and is not intended for, or directed at, individuals under the age of 18. We do not knowingly collect personal data from children or individuals under 18. If you have reason to believe that we have inadvertently collected personal data from a child under the age of 18, please contact us immediately at hello@repsave.co.uk and we will take prompt steps to delete that data.

15. Changes to This Policy and How to Complain

15.1 We may update this Privacy Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or improvements to the clarity and completeness of our disclosures. Material changes — those that significantly affect how we use your personal data or that affect your rights — will be notified to active Subscribers by email at least 30 days before taking effect. Minor clarifications, corrections, or formatting updates will be published on this page without prior notice.

15.2 The current version of this Privacy Policy will always be available at repsave.co.uk/privacy-policy.html. The "Last updated" date at the top of this page will reflect the date of the most recent substantive revision.

15.3 You have the right to lodge a complaint about our data processing activities with the Information Commissioner's Office (ICO). The ICO is the UK's independent supervisory authority for data protection. You can contact the ICO at ico.org.uk or by calling 0303 123 1113. Our ICO registration reference is ZC141512.

15.4 We encourage you to contact us directly in the first instance at hello@repsave.co.uk before submitting a complaint to the ICO. We will make every reasonable effort to address your concern promptly and to your satisfaction. This Privacy Policy was last updated on 23 May 2026.