1. Who We Are
TheyLuvIt is a testimonial collection and display platform operated by WebQ9. When this policy says "we", "us", or "our", it refers to WebQ9 as the data controller. Our service is available at theyluv.it.com.
2. Information We Collect
2.1 Account holders (customers)
When you create an account and use TheyLuvIt, we collect:
- Email address and full name (required for account creation).
- Profile avatar (optional, if provided).
- Project details you create: project name, branding assets (logo, colors), welcome and thank-you messages, and display preferences.
- Country code, used to display localised pricing.
- Subscription and billing status — we store your Stripe customer ID and subscription state but never your credit card number, CVC, or full card details.
2.2 Testimonial submitters (end users)
When someone submits a testimonial through a collection form, we collect:
- Name (required).
- Testimonial text (required).
- Email address, job title, and company name (optional, depending on form configuration).
- Star rating (1–5, if the project owner has enabled ratings).
- Photo or avatar (up to 5 MB — JPEG, PNG, GIF, or WebP).
- Video testimonial (up to 100 MB — MP4 or WebM, if the project owner has enabled video).
- IP address — used solely for rate limiting (5 submissions per IP per hour) and is not stored permanently.
2.3 Automatically collected data
- Standard server logs (IP address, browser type, referring URL, pages visited, timestamps) collected by our hosting provider, Vercel.
- Cookies required for authentication and language preference (see Section 5).
3. How We Use Your Information
- Provide the service: Store and display testimonials, manage projects, render your wall of love.
- Authentication: Verify your identity when you log in via email/password, magic link, or Google OAuth.
- Notifications: Send you an email when a new testimonial is submitted to one of your projects. These emails are sent from noreply@theyluv.it.com via SendGrid.
- Billing: Process subscription payments, manage plan upgrades and cancellations through Stripe.
- Rate limiting: Prevent abuse of testimonial submission forms using temporary IP-based throttling.
- Service communications: Inform you of important changes to the platform, security incidents, or policy updates.
We do not use your data for advertising, profiling, or automated decision-making.
4. Third-Party Services
We share data only with services necessary to operate TheyLuvIt. We do not sell, rent, or trade personal data.
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, project data, testimonials, uploaded media |
| Stripe | Payment processing | Email, name, country, subscription status |
| SendGrid | Transactional email | Recipient email, testimonial summary (author name, excerpt) |
| Vercel | Hosting & CDN | Server logs (IP, user agent, request URLs) |
Each provider operates under its own privacy policy. We encourage you to review them: Supabase, Stripe, SendGrid, Vercel.
5. Cookies
We use a minimal set of cookies, all of which are functional — we do not use advertising or tracking cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| sb-*-auth-token | Supabase session authentication | Session / 7 days |
| NEXT_LOCALE | Language preference | 1 year |
| theyluvit_app_reg | Registration status flag | 30 days |
6. Data Storage & Security
- All data is stored in Supabase-managed PostgreSQL databases with Row-Level Security (RLS) enabled, ensuring users can only access their own data.
- Uploaded files (photos, videos) are stored in Supabase Storage with public read access for approved testimonials only.
- All connections between your browser and our servers are encrypted using TLS (HTTPS).
- Authentication cookies are set with httpOnly, secure, and sameSite=lax flags.
- Payment data is handled entirely by Stripe's PCI-DSS compliant infrastructure — we never receive or store card details.
7. Data Retention
- Account data: Retained for as long as your account is active. When you delete your account, we delete your profile, projects, testimonials, and associated files within 30 days.
- Testimonial data: Retained until the project owner deletes them, or until the account is deleted.
- Server logs: Retained by Vercel for up to 30 days per their retention policy.
- Rate-limit data: IP addresses used for submission throttling are held in memory only and are not persisted to any database.
8. Your Rights
Regardless of where you are located, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and all associated data.
- Export your data in a portable format.
- Object to processing of your data for specific purposes.
For residents of the European Economic Area (EEA) and United Kingdom
Under the General Data Protection Regulation (GDPR), you have additional rights including the right to restrict processing, data portability, and the right to lodge a complaint with your local data protection authority. Our legal basis for processing personal data is: (a) contract performance (providing the service you signed up for), (b) legitimate interest (preventing abuse, improving the service), and (c) consent (where applicable, such as optional data fields).
For California residents
Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect, request its deletion, and opt out of the sale of personal information. We do not sell personal information.
To exercise any of these rights, contact us at privacy@webq9.com. We will respond within 30 days.
9. Children's Privacy
TheyLuvIt is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child under 16, we will delete it promptly.
10. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. When data is transferred outside the EEA, we rely on standard contractual clauses and the service providers' compliance frameworks to ensure adequate protection.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by placing a notice on our website at least 14 days before the changes take effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or how we handle your data: