Privacy Policy

Last updated: 5 June 2026

1. Who we are

SiteSay ("we", "us", "our") is a feedback collection platform operated by Cory Meikle trading as SiteSay, a sole trader.

We are registered with the Information Commissioner's Office (ICO) under registration number ZC168448 . For any privacy-related queries, contact us at [email protected].

2. What this policy covers

This policy explains how we collect, use, store, and share personal data when you use SiteSay — including our website, application, and the feedback widget embedded on third-party websites (collectively, the "Service"). It applies to:

  • Account holders — individuals who register and manage projects on SiteSay.
  • End users — visitors to websites where the SiteSay widget is embedded, whose feedback we process on behalf of the account holder.

Where we process end-user data, the account holder is the data controller and we act as a data processor under Article 28 UK GDPR. Our Terms of Service constitute the data processing agreement between us.

3. Data we collect

3a. Account holders

  • Identity data: name, email address.
  • Authentication data: hashed password, or Google OAuth token reference.
  • Billing data: subscription plan, billing status. Payment card details are handled directly by Stripe and never stored by us.
  • Usage data: projects created, reports received, feature usage.
  • Technical data: IP address, browser type, device information, log data.

3b. End users (via the embedded widget)

When a visitor submits feedback through the widget, we collect:

  • Feedback content: free-text message, report type (bug, idea, or other).
  • Contact data (optional): email address, if the visitor chooses to provide it.
  • Screenshots: images of the page captured by the visitor, if they use the screenshot feature.
  • Technical metadata: page URL, browser user agent, screen resolution, viewport dimensions, browser language.
  • Console errors: JavaScript errors logged in the browser at the time of submission.

This data is collected on behalf of the account holder who operates the website. We encourage account holders to inform their own visitors about this processing in their own privacy notices.

4. Legal basis for processing

We rely on the following lawful bases under UK GDPR:

  • Contract (Article 6(1)(b)): to create and manage your account, deliver the Service, and process your subscription.
  • Legitimate interests (Article 6(1)(f)): to prevent fraud, improve our Service, send service-related communications, and maintain security. We have conducted a legitimate interests assessment and are satisfied our interests are not overridden by your rights.
  • Consent (Article 6(1)(a)): for any optional marketing communications. You may withdraw consent at any time.
  • Legal obligation (Article 6(1)(c)): where we are required to retain data for tax, financial, or regulatory purposes.

5. How we use your data

  • Providing, maintaining, and improving the Service.
  • Processing subscription payments via Stripe.
  • Sending transactional emails (account creation, billing receipts, password resets).
  • Detecting and preventing abuse, fraud, or security incidents.
  • Complying with legal obligations.
  • Responding to support requests.

We do not sell your personal data to third parties, and we do not use end-user feedback data for our own marketing purposes.

6. Cookies and tracking

We use session cookies that are strictly necessary to keep you logged in. We do not currently use third-party advertising or analytics cookies. The embedded widget does not set cookies on the host website.

7. Sharing your data

We share data only with trusted third parties who assist us in operating the Service:

  • Stripe, Inc. — payment processing. Stripe acts as an independent data controller for billing data. See Stripe's Privacy Policy.
  • Google LLC — optional OAuth sign-in. If you sign in with Google, Google processes your authentication data under its own privacy policy.
  • Infrastructure providers — cloud hosting and database services. These providers process data on our behalf under data processing agreements.

We may also disclose data where required to do so by law, court order, or to protect the rights, property, or safety of SiteSay, our users, or others.

8. International transfers

Some of our third-party service providers are based outside the UK or European Economic Area (EEA). Where we transfer personal data internationally, we ensure appropriate safeguards are in place — such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses — in accordance with UK GDPR Chapter V.

9. Data retention

  • Account data: retained for the duration of your account and for up to 12 months after closure, unless a longer period is required by law.
  • Feedback reports: retained for as long as your account is active. Deleting a project removes associated reports.
  • Billing records: retained for 7 years to meet HMRC requirements.
  • Server logs: retained for up to 90 days for security and debugging purposes.

10. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure — ask us to delete your data in certain circumstances.
  • Right to restrict processing — ask us to limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Rights related to automated decision-making — we do not make solely automated decisions that produce legal or similarly significant effects.

To exercise any of these rights, email us at [email protected]. We will respond within one calendar month. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, loss, or destruction. These include encrypted data transmission (TLS), hashed password storage, and access controls. No method of transmission over the internet is completely secure; we cannot guarantee absolute security but will notify you and the ICO of any breach where required by law.

12. Children

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to this policy

We may update this policy from time to time. We will notify registered account holders of material changes by email or by a prominent notice in the application. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the revised policy.

14. Contact

For any questions about this policy or your personal data, please contact:
Cory Meikle trading as SiteSay
Email: [email protected]