Data Processing

Effective Date: [Insert launch date]

This page provides an informational overview of how Wafeed processes data. It is not a formal Data Processing Agreement (DPA). Businesses that require a formal DPA should contact us.

1. What Data Wafeed Processes

Wafeed processes the following categories of data:

  • Business account data: name, email, business profile, branding settings.
  • Customer feedback submissions: star ratings, reason tags, optional comments, and source metadata.
  • Hashed IP addresses for spam protection (raw IPs are not stored).
  • Notification email addresses for sending low-rating alerts.
  • Session and authentication tokens for logged-in users.
  • Email delivery logs for audit and troubleshooting.

For a full description of data collected, see our Privacy Policy.

2. Data Roles

Business owners

When you use Wafeed to collect feedback from your customers, you act in a controller-like capacity in relation to that customer feedback data. You decide the purpose (collecting feedback about your service), and you are responsible for having an appropriate basis to collect that data from your customers.

Wafeed

In relation to customer feedback data collected through your links, Wafeed acts in a processor-like capacity — we store and display the data on your behalf in your dashboard. We do not use your customer feedback data for our own purposes beyond providing the Service.

For business account data (registration, settings, billing), we act as a controller and process that data to operate our platform.

3. Data Storage

All application data is stored in our primary database hosted via Supabase. Data is transmitted over HTTPS and encrypted at rest by the database provider.

Data centres are located in regions configured by Supabase and Vercel. The specific region may vary based on project configuration.

4. Subprocessors and Service Providers

We use the following service providers who may process data on our behalf:

Supabase

Database, authentication, and file storage. Processes account data and feedback submissions. Supabase is built on PostgreSQL with Row Level Security.

Vercel

Application hosting and serverless functions. Processes all web requests made to the Wafeed application.

SMTP / Email provider

Used for sending low-rating alert notifications. The specific provider depends on your configuration (default SMTP or custom SMTP on supported plans). Processes notification email addresses only.

Each provider maintains its own data protection commitments. We will update this list as subprocessors change.

5. Security Measures

We implement the following technical and organisational measures:

  • HTTPS: All data in transit is encrypted using TLS.
  • Authentication: Supabase Auth manages passwords as secure hashes. Plaintext passwords are never stored.
  • Row Level Security (RLS): Database policies ensure each business can only access its own data.
  • Role-based access control: Admin, user, and super-admin roles with separate permission levels.
  • Server-side secret handling: API keys and credentials are stored as environment variables and never exposed to the client.
  • IP hashing: Customer IPs are hashed with a secret salt for spam detection. Raw IPs are not stored.
  • Honeypot fields: Feedback forms include invisible honeypot fields to detect automated bot submissions.
  • Audit logging: Admin actions are recorded in an audit log.

See also our Security page.

6. Data Deletion Requests

If you wish to request deletion of your account and associated data, please contact us via the contact page. We will aim to process deletion requests within a reasonable timeframe, subject to any legal or operational constraints.

Note that some data (such as aggregated statistics or anonymised records) may be retained after account deletion.

7. Data Export

Business users on Team and Business plans can export their feedback submissions as a CSV file directly from the dashboard. This allows you to retain a copy of your data at any time.

If you require a data export but are on the Free or Starter plan, please contact us and we will assist where possible.

8. Formal Data Processing Agreement

Businesses that require a formal Data Processing Agreement (DPA) for compliance purposes — for example, under GDPR or similar regulations — should contact us. We do not have a standard DPA template available at this time, but we can discuss your requirements.

These pages are starter templates intended for informational purposes. They should be reviewed by a qualified legal professional before large-scale commercial launch.
