Back to Roast

Privacy Policy

Last updated 6 July 2026

1. Who we are

Roast (available at roastnow.com) is a feedback collection service operated by Precode Limited, a company registered in England and Wales (company number 09189974) with its registered office at Vantage Point, New England Street, Brighton, BN1 4GW ("Precode", "we", "us"). Precode is the data controller for personal data relating to Roast account holders and visitors to our website. For feedback submitted through a customer's widget, our customer is usually the data controller and we act as a processor on their behalf, but this policy explains how the data is handled either way. You can reach us at hello@precode.co.

2. Data we collect

We collect:

  • Account data: your name, email address and authentication details.
  • Feedback data:submissions sent through Roast widgets, including text, the submitter's name, email and optional job title or company, and (where the submitter chooses to record one) video, audio, camera or screen recordings.
  • Bounty and payout data: where a reviewer claims a cash reward for critical feedback, we collect their email address and payout status. Identity verification and bank details are collected directly by Stripe, not by us.
  • Team data: email addresses of teammates you invite to your workspace.
  • Billing data: subscription and payment details, processed by Stripe. We never see or store full card numbers.
  • Usage and technical data: aggregate page analytics, and error and diagnostic data if something goes wrong (see sections 6 and 9).

3. Recordings and consent

The Roast widget can capture camera, microphone and screen recordings, but only when the person leaving feedback actively chooses to record and their browser grants permission. Every submission requires the submitter to tick an explicit consent box confirming they agree to the feedback being recorded and stored. Testimonials are only published with a separate, optional consent to public display; critical feedback ("roasts") is never made public by default. Recordings are stored in our own Supabase storage infrastructure hosted in Germany.

4. How we use data and our lawful bases

We use personal data to provide and improve the Service, authenticate users, process payments and payouts, send transactional emails (such as team invites, notifications and payout claim links), respond to support requests, and comply with legal obligations. Our lawful bases under UK GDPR and EU GDPR are:

  • Contract: providing the Service to account holders and processing bounty payouts.
  • Consent: recording feedback submissions and publishing testimonials publicly.
  • Legitimate interests: securing the Service, preventing fraud and abuse, monitoring errors and improving the product.
  • Legal obligation: tax, accounting and anti-fraud requirements, including those handled through Stripe.

5. AI processing

We use OpenAI as a processor to make feedback useful: video and audio submissions are transcribed with OpenAI's Whisper model, and submission content is analysed by OpenAI GPT models to produce summaries, sentiment and suggested responses. Submission content (including transcripts, and any personal data the submitter includes in it) is sent to OpenAI for this purpose under OpenAI's API terms, which do not permit OpenAI to train its models on this data. We do not use your data to train AI models ourselves.

6. Who we share data with

We share data with a small set of service providers (processors) under appropriate contractual safeguards. We do not sell personal data. Our processors are:

  • Supabase (self-hosted): database, authentication and file storage, running on Hetzner infrastructure in Germany.
  • Vercel: application hosting and delivery.
  • OpenAI: transcription and AI analysis of feedback submissions (see section 5).
  • Stripe: subscription billing, and identity verification (KYC) and payouts for bounty reviewers via Stripe Connect.
  • Resend: transactional email delivery (invites, notifications, payout claim links).
  • Sentry: error monitoring in production, which may capture technical data and limited session context when an error occurs.

We may also disclose data where required by law, or to our professional advisers where necessary.

7. Public Wall of Love

If a submitter consents to public display, their testimonial may appear on a public Wall of Love page together with the name, job title and company they provided. Consent can be withdrawn at any time: contact the business you left the testimonial for, or email us at hello@precode.co and we will remove it.

8. International transfers

Our primary data storage is in Germany (EU). Some processors, including OpenAI, Stripe, Resend, Vercel and Sentry, may process data in the United States or other countries outside the UK and EEA. Where that happens, transfers are protected by appropriate safeguards such as the UK International Data Transfer Addendum, EU Standard Contractual Clauses or an adequacy decision (including the EU-US and UK-US Data Privacy Frameworks where the provider is certified).

9. Cookies and local storage

Roast uses essential cookies only: secure authentication cookies set by our Supabase-based login system to keep you signed in. We also use browser local storage for functional preferences (your theme choice, resuming interrupted video uploads, and remembering when a widget was recently shown so it is not shown again too soon). Our web analytics (self-hosted Plausible) is cookieless and does not track individuals across sites. Because we set no advertising or third-party tracking cookies, no cookie banner is required.

10. Retention

We keep personal data for as long as your account is active or as needed to provide the Service. If you delete your account, your account data and associated content are deleted; we retain only what we must for legal, tax or accounting purposes (for example payment and payout records held via Stripe). Feedback submissions and recordings are retained until the workspace owner deletes them or their account.

11. Your rights

Under UK GDPR and EU GDPR you have the right to access, correct, delete or port your data, to object to or restrict certain processing, and to withdraw consent at any time (including consent to display a testimonial). You can delete your account, and all data held in it, at any time from your account settings. For anything else, contact us at hello@precode.co and we will respond within one month. You may also lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU supervisory authority.

12. Security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, row-level security on our database and secret-protected internal endpoints. No method of transmission or storage is entirely secure, so we cannot guarantee absolute security, but we will notify you and the relevant authority of any breach where the law requires it.

13. Children

Roast is a business tool and is not directed at children. You must be at least 18 to hold an account. We do not knowingly collect personal data from children.

14. Changes to this policy

We may update this policy from time to time. If we make material changes we will notify account holders by email or in the app before the changes take effect. The date at the top shows when this policy was last revised.

15. Contact

For privacy questions or requests, contact Precode at hello@precode.co.