Privacy Policy
Last updated: February 26, 2026
Data Controller
FiveBack is the data controller for personal data collected through fiveback.co. For any privacy-related inquiries, contact us at hello@fiveback.co.
What We Collect
We collect the following categories of personal data:
- Account data: email address and hashed password (never stored in plain text)
- Business data: business name, category, address, and Google Business Profile information
- Review data: reviewer names, ratings, and review text synced from Google
- OAuth tokens: encrypted Google access and refresh tokens to manage your reviews
- Usage data: pages visited, features used, and interaction patterns (no third-party tracking)
- Billing data: processed by LemonSqueezy; we store subscription status and customer ID only
Legal Basis for Processing
We process your data under the following legal bases:
- Contract performance: processing necessary to provide the FiveBack service you subscribed to
- Legitimate interest: service improvement, security, and fraud prevention
- Consent: where explicitly given, such as marketing communications
How We Use Your Data
Your data is used exclusively to provide the FiveBack service: syncing reviews from Google, generating AI response suggestions, posting approved responses, and sending you email notifications about new reviews. We do not use your data for advertising, profiling, or automated decision-making. We do not sell, rent, or trade your personal data to third parties.
AI Processing
Review text and reviewer display names are sent to Anthropic's Claude API to generate response suggestions. This data is processed per Anthropic's API terms and is not used to train their models. No additional personally identifiable information is shared with the AI provider. You can review Anthropic's privacy practices at anthropic.com/privacy.
Third-Party Services
We use the following third-party services to operate FiveBack. Each processes data according to its own privacy policy:
- Supabase (database and authentication) — supabase.com/privacy
- Google Business Profile API (review management) — policies.google.com/privacy
- Anthropic Claude API (AI response generation) — anthropic.com/privacy
- LemonSqueezy (payment processing) — lemonsqueezy.com/privacy
- Resend (email delivery) — resend.com/legal/privacy-policy
- Vercel (hosting) — vercel.com/legal/privacy-policy
Data Storage and Security
Your data is stored in Supabase's cloud infrastructure with row-level security policies ensuring users can only access their own data. Google OAuth tokens are stored encrypted. All data is transmitted over HTTPS/TLS. We implement industry-standard security measures but cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you via email within 72 hours.
Data Retention
We retain your data for as long as your account is active. Upon account deletion or request, we delete all personal data within 30 days. Anonymized, aggregated data may be retained for analytics purposes. Billing records are retained as required by tax law (typically 7 years).
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of all personal data we hold about you
- Correction: request correction of inaccurate data
- Deletion: request deletion of your data (subject to legal retention requirements)
- Portability: request your data in a machine-readable format
- Objection: object to processing based on legitimate interest
- Restriction: request restriction of processing in certain circumstances
To exercise any of these rights, email hello@fiveback.co. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. When transferring data internationally, we rely on standard contractual clauses and other legally approved transfer mechanisms to protect your data.
Cookies
We use essential cookies for authentication and session management only. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required because we only use strictly necessary cookies.
Children's Privacy
FiveBack is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email. The “last updated” date at the top indicates the most recent revision.
Contact
Privacy questions, data requests, or complaints: hello@fiveback.co