Privacy Policy
Last Updated: 23 January 2026
1. Introduction
Ryan Weber Ltd ("we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use FiveStar Support ("the Service").
Data Controller:
- Company Name: Ryan Weber Ltd
- Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
- Company Number: 16585489
- Email: tech@ryan-weber.com
- Website: https://fivestar.support
This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
2. Information We Collect
2.1. Information You Provide Directly
Account Information:
- Full name and email address
- Password (hashed using Argon2 key derivation function)
- Profile information (optional)
Business Information:
- Client/app names and descriptions
- Customer information you choose to store (names, email addresses)
- Feedback submissions, bug reports, and feature requests
- Comments and responses you create
- Customer votes and prioritisation data
Payment Information:
- Payment card details (processed directly by Stripe; we do not store full card numbers)
- Billing address and transaction history
Communications:
- Email messages you send to us
- Support correspondence and enquiries
2.2. Information Collected Automatically
Technical Data:
- IP address
- Browser type and version
- Device information and operating system
- Pages visited and time spent on the Service
- Referring website
- Date and time of access
Cookies and Similar Technologies:
We use cookies and similar technologies to provide, secure, and improve our Service. See Section 5 for details.
3. How We Use Your Information
We use your personal data for the following purposes:
3.1. Service Provision
| Purpose | What We Do | Lawful Basis |
|---|---|---|
| Account management | Create, authenticate, and manage your user account | Contract |
| Service delivery | Store and display your feedback submissions and customer data | Contract |
| Feature delivery | Enable voting, commenting, and notification features | Contract |
| Customer communications | Send notifications about responses to your feedback | Contract |
3.2. Payment Processing
| Purpose | What We Do | Lawful Basis |
|---|---|---|
| Subscription billing | Process recurring and one-time payments via Stripe | Contract |
| Invoice delivery | Send invoices and receipts for your records | Contract + Legal obligation |
| Payment verification | Verify payment status and prevent fraudulent transactions | Legitimate interests |
3.3. Communications
| Purpose | What We Do | Lawful Basis |
|---|---|---|
| Service notifications | Send updates about service changes, security alerts, and maintenance | Legitimate interests |
| Support responses | Respond to your enquiries and technical support requests | Contract + Legitimate interests |
| Marketing emails | Send product updates, tips, and promotional content (with your opt-in consent) | Consent |
| Transactional emails | Send welcome emails, password reset links, and account reminders | Contract + Legitimate interests |
3.4. Security and Legal Compliance
| Purpose | What We Do | Lawful Basis |
|---|---|---|
| Fraud prevention | Detect and prevent fraudulent activity and abuse | Legitimate interests |
| Security monitoring | Monitor for security threats and unauthorised access | Legitimate interests |
| Legal compliance | Comply with legal obligations, including tax and accounting requirements | Legal obligation |
| Terms enforcement | Enforce our Terms and Conditions | Legitimate interests |
3.5. Service Improvement
| Purpose | What We Do | Lawful Basis |
|---|---|---|
| Analytics | Analyse usage patterns to understand how people use our Service | Legitimate interests |
| Feature development | Develop new features and improve existing ones based on usage data | Legitimate interests |
| Performance monitoring | Monitor Service performance and identify technical issues | Legitimate interests |
4. Legal Bases for Processing
Under the UK GDPR, we rely on the following legal bases:
| Processing Activity | Legal Basis | Why This Basis Applies |
|---|---|---|
| Providing the Service | Contract (Article 6(1)(b)) | Necessary to fulfil our contract with you |
| Payment processing | Contract (Article 6(1)(b)) | Necessary to process your subscription |
| Marketing emails | Consent (Article 6(1)(a)) | You opt-in to receive marketing; you can withdraw anytime |
| Service notifications | Legitimate interests (Article 6(1)(f)) | You expect us to communicate about the Service you use |
| Fraud prevention | Legitimate interests (Article 6(1)(f)) | We have a legitimate interest in preventing fraud |
| Security monitoring | Legitimate interests (Article 6(1)(f)) | We have a legitimate interest in securing our systems |
| Accounting records | Legal obligation (Article 6(1)(c)) | We are legally required to keep financial records |
For Legitimate Interests: We have documented a Legitimate Interests Assessment (LIA). We balance our legitimate business interests against your privacy rights and only process data where the impact on you is proportionate.
5. Cookies and PECR Compliance
5.1. What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They contain data that is sent between your browser and our server. Under the Privacy and Electronic Communications Regulations (PECR), we classify cookies as follows:
5.2. Cookie Types We Use
| Cookie Type | Purpose | Is Consent Required? | Duration |
|---|---|---|---|
| Strictly necessary | Authentication, security, keeping you signed in | No (exempt under PECR) | Session + up to 30 days |
| Functionality | Remember your preferences (language, display settings) | No (exempt under PECR) | Up to 1 year |
| Analytics | Understand how visitors use our Service (page views, features used) | Yes | Up to 26 months |
| Marketing | Track marketing campaign effectiveness | Yes | Up to 1 year |
5.3. How We Obtain Consent
Before we set non-essential cookies (analytics and marketing), we will:
- Display a cookie banner with clear information
- Provide options to accept or reject non-essential cookies
- Store your preference for future visits
- Allow you to change preferences at any time
5.4. Managing Your Cookie Preferences
You can manage cookies through:
- Our cookie banner: Click "Manage preferences" when the banner appears
- Browser settings: Block or delete cookies through your browser (note: this may affect Service functionality)
6. Data Sharing and Disclosure
We do not sell your personal data. We share your data only in specific circumstances.
6.1. Data Processors (Service Providers)
We engage the following third-party companies to process data on our behalf. Each processor is contractually bound to protect your data and may only use it for the specified purpose.
| Service Type | Provider | Country | Purpose |
|---|---|---|---|
| Hosting | Vercel Inc. | United States | Cloud hosting and content delivery |
| Database | Supabase/PostgreSQL | United Kingdom | Data storage and management |
| Payments | Stripe | United States | Payment processing |
| Email Delivery | Resend/SendGrid | United States | Transactional and marketing emails |
| Analytics | [To be confirmed] | [To be confirmed] | Usage analytics |
| Authentication | NextAuth.js | N/A (self-hosted) | Session management |
International Transfers: For processors located outside the UK (e.g., United States), we use appropriate safeguards including:
- UK International Data Transfer Agreement (IDTA)
- UK Addendum to EU Standard Contractual Clauses (SCCs)
- Technical measures such as encryption
6.2. Legal Requirements
We will disclose your information if required to do so by law, including:
- Court orders, warrants, or subpoenas
- Law enforcement requests
- Regulatory enquiries
We will challenge any requests we believe are unlawful or overly broad.
6.3. Business Transfers
If Ryan Weber Ltd is acquired by or merged with another company, your information will be transferred to the new owner. You will be notified in advance of any such transfer.
6.4. Your Customers' Data (Controller-Processor Relationship)
When you collect customer feedback through our Service:
- You are the data controller for your customers' personal data
- We are a data processor acting on your instructions
- You are responsible for obtaining consents and providing privacy notices to your customers
- We only process customer data as instructed by you
7. Data Retention
We retain personal data only for as long as necessary for the purposes outlined in this policy.
| Data Category | Retention Period | Reason |
|---|---|---|
| Active account data | While account is active | Necessary to provide the Service |
| Recently deleted accounts | 30 days | To allow for account recovery |
| User profile and settings | 30 days after deletion | To allow for account recovery |
| Payment records | 7 years | UK tax law requirement |
| Invoices and receipts | 7 years | UK tax law requirement |
| Email communications | 2 years | Support and dispute resolution |
| Support correspondence | 2 years | Support and dispute resolution |
| Analytics data | 26 months | Service improvement |
| Server access logs | 90 days | Security monitoring |
| Marketing preferences | Until you unsubscribe or we refresh consent | To honour your marketing choices |
| Backup data | Up to 30 days | Disaster recovery |
After the retention period expires, we will securely delete or anonymise your data.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data. To exercise any of these rights, contact us at tech@ryan-weber.com with "Data Protection Request" in the subject line.
8.1. Right to Access (Subject Access Request)
You can request a copy of all personal data we hold about you. We will provide this within one month of receipt of your request.
8.2. Right to Rectification
You can request correction of inaccurate or incomplete data. We will respond within one month.
8.3. Right to Erasure (Right to be Forgotten)
You can request deletion of your personal data. This is not absolute; we may need to retain certain data for legal or contractual reasons. We will respond within one month.
8.4. Right to Restrict Processing
You can request that we limit how we use your data (e.g., keep it but only use it for certain purposes). We will respond within one month.
8.5. Right to Data Portability
You can receive your data in a structured, machine-readable format (e.g., CSV, JSON). We will provide this within one month.
8.6. Right to Object
You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your rights.
8.7. Rights Related to Automated Decision-Making
You have the right not to be subject to solely automated decisions that produce legal or similarly significant effects. We do not use automated decision-making or profiling in this way.
8.8. Right to Withdraw Consent
Where we rely on your consent (e.g., marketing emails), you can withdraw it at any time. Withdrawal will not affect the lawfulness of processing before withdrawal.
8.9. Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection.
- Website: https://ico.org.uk
- Phone: 0303 123 1113
- Email: casework@ico.org.uk
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
8.10. How to Make a DSAR (Data Subject Access Request)
To make a Data Subject Access Request:
- Email tech@ryan-weber.com with "Data Protection Request" in the subject line
- Specify which rights you wish to exercise
- Provide sufficient information to identify yourself (we may request ID verification)
- We will acknowledge your request within 5 working days
- We will provide a full response within one calendar month (this may be extended by a further two months for complex requests)
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data.
9.1. Security Measures
| Measure | Description |
|---|---|
| Encryption in transit | All data transmitted over HTTPS using TLS 1.3 |
| Encryption at rest | Database encryption using industry-standard encryption |
| Password security | Passwords hashed using Argon2 (memory-hard key derivation) |
| Access controls | Access to personal data is restricted to staff who need it |
| Authentication | Multi-factor authentication available for admin accounts |
| Regular audits | We periodically review our security practices |
| Incident response | We have procedures to detect, report, and investigate breaches |
9.2. Data Breach Notification
If we become aware of a personal data breach, we will:
- Assess the risk to individuals' rights and freedoms
- Notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware
- Notify you if the breach is likely to result in a high risk to your rights and freedoms, describing:
- What happened
- What data was involved
- What we are doing to address it
- What steps you can take to protect yourself
Despite our efforts, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
10. Children's Privacy
Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at tech@ryan-weber.com. We will delete such information promptly.
11. International Data Transfers
Your data is primarily stored and processed within the United Kingdom.
11.1. Transfers Outside the UK
Some of our service providers are located outside the UK (e.g., United States). When we transfer data internationally, we ensure appropriate safeguards are in place:
| Transfer Destination | Safeguard Used |
|---|---|
| United States (Vercel, Stripe, Resend) | UK International Data Transfer Agreement (IDTA) + UK Addendum to SCCs |
| European Economic Area | Adequacy regulations apply (UK recognises EEA as adequate) |
11.2. Your Rights Regarding International Transfers
You have the right to be informed about international transfers and to request a copy of the safeguards we use. Contact us for more information.
12. Changes to This Privacy Policy
We will review and update this Privacy Policy at least annually, and sooner when:
- We change how we collect or use personal data
- We add new service providers
- Laws or regulations change
When we make material changes, we will notify you by:
- Posting the updated policy on our website with a revised "Last Updated" date
- Sending you an email notification (where applicable)
Continued use of the Service after changes constitutes acceptance of the updated policy.
13. ICO Registration
We are registered with the Information Commissioner's Office (ICO) as required by the Data Protection Act 2018. Most organisations that process personal data must pay a data protection fee (often called "registering").
You can verify our registration status by searching the ICO public register using our company number: 16585489.
14. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Ryan Weber Ltd
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
- Email: tech@ryan-weber.com
- Website: https://fivestar.support
- Company Number: 16585489
- For data protection enquiries: Include "Data Protection Request" in your email subject line
Response Times: We will acknowledge your request within 5 working days and provide a full response within one calendar month.
Version: 1.0
Effective Date: 23 January 2026