Privacy Policy

Your privacy is important to us. This policy explains how we handle your data.

Effective Date: January 12, 2026

SIZORAX LTD, a company registered in England and Wales (company number 16955799), trading as Testimint ("we," "us," or "our"), operates the Testimint platform (the "Service"), a software-as-a-service application that enables businesses to collect, manage, and display customer testimonials. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This Privacy Policy complies with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and other applicable UK and EU data protection legislation. Where we process personal data of individuals in the European Economic Area (EEA), we also comply with the EU GDPR (Regulation 2016/679).

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

1. Data Controller and Processor

1.1 When We Act as Data Controller

For the following categories of personal data, Testimint acts as the "Data Controller" (as defined under UK GDPR), meaning we determine the purposes and means of processing:

  • Account registration and authentication data
  • Billing and payment information
  • Usage analytics and service improvement data
  • Communications and support inquiries

1.2 When We Act as Data Processor

For testimonial data (content submitted by testimonial authors through your projects), you are the Data Controller and we are the Data Processor. This means:

  • You determine why and how testimonial data is collected and used
  • You are responsible for providing privacy notices to testimonial authors
  • You are responsible for obtaining appropriate consent or legal basis
  • We process testimonial data only on your instructions and as necessary to provide the Service
  • Our processing is governed by our Data Processing Agreement (available upon request)

IMPORTANT: If you use our Service to collect testimonials, you have obligations as a Data Controller under UK GDPR. You must ensure you have a lawful basis for collecting testimonial data and that testimonial authors are informed about how their data will be processed.

1.3 Contact Details

If you have any questions about our role as Controller or Processor, please contact us using the details in Section 14 of this Privacy Policy.

2. Legal Basis for Processing (UK GDPR Article 6)

Under UK GDPR, we must have a valid legal basis to process your personal data. We rely on the following legal bases:

2.1 Contract Performance (Article 6(1)(b))

We process data necessary to perform our contract with you, including:

  • Creating and managing your account
  • Providing access to Service features
  • Processing payments and managing subscriptions
  • Providing customer support

2.2 Legitimate Interests (Article 6(1)(f))

We process certain data based on our legitimate business interests, where these are not overridden by your rights:

  • Improving and developing our Service
  • Analysing usage patterns and Service performance
  • Preventing fraud and ensuring security
  • Sending service-related communications

You have the right to object to processing based on legitimate interests.

2.3 Consent (Article 6(1)(a))

Where required, we obtain your explicit consent for:

  • AI processing of testimonial content (when you enable AI features)
  • Non-essential cookies and analytics
  • Marketing communications (where applicable)

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

2.4 Legal Obligation (Article 6(1)(c))

We may process data to comply with legal obligations, such as:

  • Tax and accounting requirements
  • Responding to lawful requests from public authorities
  • Complying with court orders

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (stored in encrypted form)
  • Name (optional)
  • Profile information you choose to provide

3.2 Workspace and Project Data

When you use our Service, we collect:

  • Workspace names and settings
  • Project configurations and branding preferences
  • Integration settings (Slack webhooks, custom webhooks)

3.3 Testimonial Data (Processed on Your Behalf)

When testimonials are submitted through your projects, we process the following information provided by testimonial authors on your behalf as Data Processor:

  • Author name, job title, and company name
  • Author email address (when provided)
  • Author profile photos or avatars
  • Testimonial text content
  • Ratings and star reviews
  • Media files including images, videos, and audio recordings
  • Consent records (timestamp and, where applicable, IP address)
  • Tags and categorisation data

3.4 Media Content

When testimonials include media files, we collect and store:

  • Images: Photographs, screenshots, and other image files uploaded by testimonial authors
  • Videos: Video recordings, including any audio tracks contained within
  • Audio: Voice recordings and audio testimonials
  • Metadata: File names, file types, file sizes, upload timestamps, and technical metadata embedded in files

WARNING: Media files may contain personal data including images of individuals, voices, and embedded metadata (such as location data in photos). As the Data Controller for testimonials, you are responsible for ensuring appropriate consent has been obtained for the collection and publication of such media content.

3.5 Analytics and Usage Data

We automatically collect:

  • Widget view and click events
  • Public page view events
  • Form submission events
  • Browser user agent strings
  • Referring URLs
  • Page URLs where widgets are embedded
  • Timestamps of all events

3.6 Payment Information

Payment processing is handled by Stripe, Inc. We do not directly collect or store credit card numbers. We receive and store:

  • Stripe customer IDs
  • Subscription IDs and status
  • Plan information and billing periods

4. How We Use Your Information

We use the collected information for the following purposes:

4.1 Service Provision

  • To create and manage your account
  • To enable testimonial collection and display
  • To generate widgets and public testimonial pages
  • To provide analytics and reporting
  • To process billing and subscriptions

4.2 AI-Powered Features

IMPORTANT: When you enable AI features, testimonial content (including text and transcribed audio/video) is sent to OpenAI, a third-party artificial intelligence service provider, for processing. This processing includes:

  • Transcription: Audio and video testimonials are transcribed using OpenAI's Whisper model
  • Summarisation: Testimonial text is analysed to generate concise summaries
  • Sentiment Analysis: Content is analysed to determine positive, neutral, or negative sentiment
  • Topic Extraction: Key themes and topics are extracted from testimonial content

By enabling AI features, you acknowledge and consent to testimonial data being transmitted to and processed by OpenAI in accordance with OpenAI's Privacy Policy. OpenAI may process this data on servers located outside your jurisdiction. You should ensure you have appropriate consents from testimonial authors before enabling AI features on their content.

4.3 Communication

  • To send service-related notifications
  • To respond to support inquiries
  • To send integration notifications (e.g., Slack alerts for new testimonials)

4.4 Service Improvement

  • To analyse usage patterns and improve the Service
  • To debug issues and maintain security
  • To develop new features

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers (Sub-processors)

We share data with the following categories of service providers who process data on our behalf:

  • OpenAI: For AI-powered transcription, summarisation, sentiment analysis, and topic extraction (when AI features are enabled)
  • Stripe: For payment processing and subscription management
  • Cloud Infrastructure Providers: For database hosting, backend infrastructure, and content delivery

A current list of our sub-processors is available upon request. We will notify you of any intended changes to sub-processors, giving you the opportunity to object.

5.2 Integrations You Configure

When you configure integrations, data may be shared with third parties you designate:

  • Slack: Testimonial notifications sent to your configured Slack channels
  • Custom Webhooks: Testimonial data sent to endpoints you specify

5.3 Public Display

When you publish testimonials through widgets or public pages, the following information becomes publicly accessible:

  • Testimonial text content
  • Author names, titles, and company names
  • Author avatars
  • Ratings
  • Media files (images, videos, audio)
  • AI-generated summaries and sentiment (if enabled)

Once made public, this data may be indexed by search engines and cached by third parties. As the Data Controller, you are responsible for the decision to make testimonials public.

5.4 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal requests by public authorities (e.g., a court or government agency). We will notify you of such requests where legally permitted.

6. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Privacy Policy:

  • Account Data: Retained for the duration of your account plus 2 years for legitimate business purposes
  • Testimonial Data: Retained until you delete it or close your account
  • Analytics Data: Retained for up to 24 months for reporting purposes
  • Payment Records: Retained for 7 years to comply with tax and accounting obligations
  • Soft-Deleted Data: May be retained for up to 30 days before permanent deletion
  • Backup Data: May persist in backups for up to 90 days after deletion
  • Consent Records: Retained for 7 years as evidence of lawful processing

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of passwords using industry-standard hashing algorithms
  • Access controls and authentication requirements
  • Regular security reviews and updates
  • Secure API key storage using cryptographic hashing

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Your Rights and Choices

8.1 Access and Portability

You can access your account data and export your testimonials at any time through the Service dashboard.

8.2 Correction

You can update your account information and testimonial data through the Service dashboard.

8.3 Deletion

You can delete individual testimonials, projects, or your entire account. Note that some data may persist in backups for a limited period.

8.4 AI Processing Opt-Out

You can choose not to enable AI features for your testimonials. AI analysis is optional and only performed when you explicitly request it.

8.5 UK and European Users (UK GDPR and EU GDPR)

If you are located in the United Kingdom or European Economic Area, you have the following rights under the UK GDPR (as retained in UK law) and EU GDPR:

  • Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data
  • Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data
  • Right to Erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances (the "right to be forgotten")
  • Right to Restrict Processing (Article 18): You have the right to request restriction of processing in certain circumstances
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format
  • Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent (Article 7): Where processing is based on consent, you have the right to withdraw that consent at any time
  • Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that significantly affect you

To exercise any of these rights, please contact us using the details in Section 14. We will respond to your request within one month, which may be extended by a further two months for complex requests.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you are in the UK, or your local supervisory authority if you are in the EEA.

8.6 California Users (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information is collected
  • Know whether your personal information is sold or disclosed and to whom
  • Opt-out of the sale of personal information (we do not sell personal information)
  • Request deletion of your personal information
  • Not be discriminated against for exercising your privacy rights

9. Cookies and Tracking

9.1 Essential Cookies

We use essential cookies and similar technologies that are strictly necessary for:

  • Authentication and session management
  • Security and fraud prevention
  • Remembering your preferences

These cookies do not require consent under UK cookie regulations (PECR).

9.2 Analytics Cookies

With your consent, we may use analytics cookies to monitor Service performance and usage patterns. You can manage your cookie preferences through your browser settings or our cookie consent mechanism.

9.3 Widget Cookies

Our embedded widgets may set cookies on third-party sites where they are embedded to track views and interactions for analytics purposes. If you embed our widgets on your website, you are responsible for ensuring compliance with UK PECR and obtaining appropriate cookie consent from your website visitors.

10. International Data Transfers

10.1 Transfers Outside the UK

Your data may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers (including OpenAI, Stripe, and cloud infrastructure providers) may operate data centers.

10.2 Transfer Safeguards

When we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place as required by UK GDPR Chapter V, including:

  • Adequacy Decisions: Transfers to countries that the UK Government or European Commission has determined provide adequate data protection
  • Standard Contractual Clauses (SCCs): We use UK International Data Transfer Agreement (IDTA) and/or EU SCCs, as appropriate, with our service providers
  • Supplementary Measures: Where necessary, we implement additional technical and organisational measures to ensure the transferred data remains protected

You may request a copy of the relevant transfer mechanisms by contacting us using the details in Section 14.

10.3 OpenAI Transfers

When you enable AI features, testimonial data is transferred to OpenAI in the United States. This transfer is governed by Standard Contractual Clauses. By enabling AI features, you acknowledge this transfer and confirm you have appropriate authority and consent to permit such transfers for testimonial data you control.

11. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately.

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach (where required by Article 33 of UK GDPR)
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (as required by Article 34 of UK GDPR)
  • Document all breaches, including the facts, effects, and remedial actions taken

Where you are the Data Controller for testimonial data, we will notify you promptly of any breach affecting such data so that you can fulfil your own notification obligations.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. For material changes, we will also notify you by email or through the Service. Your continued use of the Service after such changes constitutes your acceptance of the new Privacy Policy.

14. Contact Us and Supervisory Authority

14.1 Contact Details

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about our privacy practices, please contact us:

  • Company: SIZORAX LTD (trading as Testimint)
  • Company Number: 16955799 (registered in England and Wales)
  • Through our Contact Page

14.2 Supervisory Authority

If you are located in the United Kingdom and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you are located in the European Economic Area, you may also contact your local data protection supervisory authority.

15. Testimonial Author Rights

If you are a testimonial author (i.e., someone who has submitted a testimonial through our Service), please note:

  • The business that collected your testimonial is the Data Controller for your testimonial data
  • You should have been provided with information about data processing at the time of submission
  • To exercise your rights (access, correction, deletion, etc.), please contact the business that collected your testimonial directly
  • If you cannot identify the business or need assistance, contact us and we will help you locate the responsible party
  • We will assist the Data Controller in responding to your rights requests as required by UK GDPR

16. Data Processing Agreement

If you use our Service to collect testimonials, you may require a Data Processing Agreement (DPA) to comply with your obligations under UK GDPR Article 28. Our DPA is available upon request and covers:

  • Subject matter, duration, nature, and purpose of processing
  • Types of personal data and categories of data subjects
  • Our obligations and your rights as Controller
  • Security measures we implement
  • Sub-processor arrangements
  • Data breach notification procedures
  • Assistance with data subject rights requests
  • Audit rights and compliance verification

To request our DPA, please contact us through the details provided in Section 14.
