Privacy Policy

Last updated: 1 May 2026  ·  Effective: 1 May 2026

1. Introduction and Identity of the Data Controller

This Privacy Policy sets out how ClientAutomate Ltd ("we", "us", "our") collects, uses, stores and protects personal data in connection with the provision of our software-as-a-service platform available at clientautomate.co.uk (the "Service").

ClientAutomate Ltd is the Data Controller for the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. We are in the process of registering with the Information Commissioner's Office ("ICO") as required under UK data protection law. Our ICO registration number will be published on this page upon completion of registration.

Any questions regarding this Policy or our data processing activities should be directed to: privacy@clientautomate.co.uk

2. Scope of This Policy

This Policy applies to all individuals who access or use our Service, including business owners, authorised users, and visitors to our website. It does not apply to third-party websites or services linked from our platform, which are governed by their own privacy policies.

3. Personal Data We Collect

We collect and process the following categories of personal data:

Account and Identity Data

Email address, password (stored in hashed form), and account registration date. Collected when you create an account.

Google Business Profile Data

OAuth2 access tokens, refresh tokens, Google account identifiers, and business location identifiers. Collected when you connect your Google Business Profile to the Service.

Review and Response Data

Google reviews associated with your business, including reviewer names, ratings, review text, and review dates. AI-generated response drafts created by the Service. This data is fetched directly from Google's Business Profile API on your behalf.

Billing and Subscription Data

Subscription plan, billing status, trial expiry date, and Stripe customer identifier. Full payment card details are processed exclusively by Stripe and are never stored on our systems.

Technical and Usage Data

IP address, browser type, device information, pages visited, and timestamps of actions taken within the Service. Collected automatically via server logs and session management.

4. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR Article 6:

  • Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including fetching reviews, generating AI responses, and managing your account.
  • Legitimate Interests (Art. 6(1)(f)): Processing necessary for fraud prevention, service security, product improvement, and the sending of service-related communications.
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, including financial record-keeping obligations.
  • Consent (Art. 6(1)(a)): Where we rely on your consent, for example for optional marketing communications. You may withdraw consent at any time.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

  • To create and manage your account and subscription
  • To connect to your Google Business Profile and retrieve your reviews on your behalf
  • To generate AI-powered response drafts using your review content
  • To publish approved responses to Google on your behalf
  • To send weekly summary reports and service notifications by email
  • To process payments and manage billing through Stripe
  • To provide customer support
  • To detect and prevent fraudulent or unauthorised use of the Service
  • To comply with legal and regulatory obligations

6. Third-Party Data Processors

We engage the following third-party processors who may process your personal data on our behalf. Each processor is bound by appropriate data processing agreements and provides adequate safeguards for your data:

Processor     Purpose                                                                  Location
Supabase      Database hosting and user authentication                                 EU / USA
Vercel        Application hosting and deployment                                       USA
Stripe        Payment processing and subscription management                           USA
Anthropic     AI generation of review responses via Claude API                         USA
Google LLC    Google Business Profile API — review retrieval and response publishing   USA
Resend        Transactional email delivery                                             USA

Where data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions, as required under UK GDPR Chapter V.

7. Data Retention

We retain your personal data only for as long as necessary for the purposes for which it was collected:

  • Account data: Retained for the duration of your subscription and deleted within 30 days of account closure upon request.
  • Review and response data: Retained for the duration of your subscription to provide the Service.
  • Billing records: Retained for 7 years in accordance with HMRC financial record-keeping requirements.
  • Google OAuth tokens: Deleted immediately upon disconnection of your Google Business Profile or account closure.

8. Your Rights Under UK GDPR

As a data subject, you have the following rights. To exercise any of these rights, please contact us at privacy@clientautomate.co.uk. We will respond within one calendar month as required by law.

  • Right of Access (Art. 15): To receive a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): To correct inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): To request deletion of your personal data, subject to legal retention obligations.
  • Right to Restriction of Processing (Art. 18): To restrict how we process your data in certain circumstances.
  • Right to Data Portability (Art. 20): To receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): To object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by telephone on 0303 123 1113.

9. Cookies and Tracking Technologies

We use essential session cookies to maintain your authenticated session and to ensure the secure operation of the Service. These cookies are strictly necessary and do not require your consent under UK PECR.

We do not currently use advertising, tracking, or profiling cookies. Should we introduce non-essential cookies in the future, we will update this Policy and implement appropriate consent mechanisms.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:

  • All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
  • Passwords are stored using industry-standard hashing algorithms via Supabase Auth
  • API keys and secrets are stored exclusively as environment variables, never in source code
  • Access to production databases is restricted to authorised personnel only
  • Google OAuth tokens are stored encrypted and scoped to minimum necessary permissions

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Where changes are material, we will notify you by email at least 14 days before the changes take effect. Continued use of the Service following notification constitutes acceptance of the revised Policy.

12. Contact

All data protection enquiries should be addressed to:

ClientAutomate Ltd

Data Protection Enquiries

privacy@clientautomate.co.uk

United Kingdom