Riverbank CMS
Sign in

Riverbank CMS Privacy Policy

Effective date: 16 February 2026

This Privacy Policy explains how Riverbank Digital Limited (“we”, “us”, “our”) collects and uses personal data when you use Riverbank CMS (the “Service”), including sites built on the platform.

This is a working policy for a small platform. If anything here doesn’t match how you use Riverbank CMS in practice, tell us and we’ll fix it.

1. Who we are

Company: Riverbank Digital Limited (Company number: 16774915)
Registered office: 71 Oaklands Park, Buckfastleigh, England, TQ11 0BP
Email: info@riverbankdigital.co.uk

We are the “controller” of personal data we process for our own business purposes (for example, managing customer accounts and running the platform).

When we host and process data for a site owner’s website (for example, booking enquiries made on a client’s site), we usually act as a processor on behalf of the site owner, who is the controller.

2. Who this policy covers

This policy covers personal data relating to:

  1. Platform customers – people who purchase and manage a Riverbank CMS site (the “site owner”, “customer”, or “account holder”).
  2. End customers – visitors who browse a site, make a booking/enquiry, or create a login on a site built with Riverbank CMS (for example via email “magic link”).
  3. Visitors to our own websites – visitors to our marketing/site pages and platform pages.

If you are an end customer of a business using Riverbank CMS, the site owner’s privacy policy will also apply to you.

3. What personal data we collect

A) Platform customer account data

  • Name (if provided)
  • Email address
  • Account and billing details (plan, invoices, payment status)
  • Support messages and related correspondence

B) End customer data on sites built with Riverbank CMS

Depending on the site configuration, this may include:

  • Email address (including for “magic link” login)
  • Booking or enquiry details (e.g. dates, notes, service selection)
  • Basic account data (e.g. login timestamps)
  • Technical data (IP address, device/browser information) for security and fraud prevention

C) Payment-related data (Stripe)

If payments are enabled on a site, payments are processed by Stripe. We and the site owner may receive payment-related metadata such as:

  • Stripe customer or transaction IDs
  • Payment status (paid, refunded, disputed)
  • Receipt/invoice references

We do not store or process full card details ourselves.

D) Analytics and cookies

We use a first-party analytics system on client sites. This uses cookies and similar technologies to understand how a site is used (for example page views and basic usage patterns). The data collected may include:

  • Page and event information (e.g. page views, button clicks)
  • Approximate location inferred from IP (typically at city/region level)
  • Device and browser details
  • A pseudonymous identifier stored in a cookie

E) Logs and security data (Axiom)

We use Axiom for logging and observability. Logs may include:

  • IP address
  • User agent and device details
  • Timestamps
  • Requested URLs and response codes
  • Error and performance data
  • Limited identifiers needed to trace issues (for example, an internal request ID)

We aim not to include unnecessary personal content in logs.

4. How we use personal data (and our lawful bases)

We only use personal data where we have a lawful basis under UK data protection law. In plain terms:

A) To provide the Service (contract)

  • Set up and administer platform accounts
  • Provide website hosting and platform features
  • Provide login via “magic link”
  • Send service emails (e.g. account notices, security notices)
  • Provide support

B) To run, secure, and improve the Service (legitimate interests)

  • Monitor performance and reliability
  • Detect and prevent abuse, fraud, and security incidents
  • Maintain audit trails for important actions
  • Improve features and fix bugs
  • Produce aggregated reporting (for example overall usage trends)

Where we rely on legitimate interests, we balance these interests against your rights and expectations.

C) To meet legal obligations (legal obligation)

  • Tax and accounting record-keeping (where applicable)
  • Responding to lawful requests from regulators or law enforcement

D) Analytics cookies (consent)

Where cookies are not strictly necessary (for example, analytics cookies), we aim to collect and store them only with consent, and allow people to change their preferences.

5. Who we share personal data with

We share personal data with service providers only where needed to operate Riverbank CMS. This can include:

  • Stripe (payments): to enable and operate payment processing on connected accounts
  • Hosting/infrastructure providers: to host the Service and deliver content
  • Database/auth providers (including magic-link delivery): to run accounts and store site data
  • Axiom (logging/observability): to monitor and troubleshoot the Service
  • Email service providers: to send essential service emails (e.g. login links and support emails)

We do not sell personal data.

We may also share data:

  • with the site owner (for example, booking/enquiry data belongs to the site owner’s business);
  • if required by law, or to protect rights, safety, and security.

6. International transfers

Some of our providers may process data outside the UK. Where this happens, we use providers that offer appropriate safeguards (for example, contractual protections and recognised transfer mechanisms) to protect personal data.

7. How long we keep personal data

We keep personal data only for as long as necessary for the purposes described above:

  • Platform account data: for as long as your account is active, and for a reasonable period afterwards (for example, to handle billing questions or disputes).
  • Site data (bookings/enquiries): as directed by the site owner, and as needed to provide the Service.
  • Logs (Axiom): retained for 180 days for security, troubleshooting, and reliability monitoring.
  • Invoices/accounting records: retained for the period required by law (often up to 6 years in the UK).

If you want specific retention numbers for each category, email us and we’ll confirm what’s currently configured.

8. Security

We take reasonable technical and organisational measures to protect personal data, including:

  • access controls and least-privilege access
  • encryption in transit (HTTPS/TLS)
  • monitoring and logging for security events
  • regular platform maintenance and updates

No system is perfectly secure, but we aim to handle data carefully and proportionately to the risk.

9. Your rights

Depending on your relationship with the Service and applicable law, you may have rights to:

  • access the personal data we hold about you
  • correct inaccurate data
  • request deletion (where we don’t have a valid reason to keep it)
  • restrict or object to processing in certain circumstances
  • request a copy of your data in a portable format (where applicable)
  • withdraw consent (where we rely on consent)

To exercise your rights, contact info@riverbankdigital.co.uk.

If you are an end customer on a client site

In many cases, the site owner (the business you’re booking with) is the controller of your data. If your request relates to bookings, services, refunds, or the site’s own marketing, you should contact the site owner first. We will assist site owners with requests where we act as their processor.

Complaints

If you’re unhappy with how we handle personal data, please contact us first. You also have the right to complain to the UK Information Commissioner’s Office (ICO).

10. Cookies and similar technologies

What we use

Riverbank CMS sites may use:

  • Essential cookies needed for core functionality (for example, keeping you logged in via magic link, security protections, and remembering session settings).
  • Analytics cookies to understand site usage and improve performance.

Choices

Where non-essential cookies are used (for example analytics cookies), sites built on Riverbank CMS display a banner that lets visitors accept or reject non-essential cookies.

Essential cookies required for core functionality (for example magic-link login and security protections) are always enabled, because the site can’t function correctly without them.

Browsers also let you delete or block cookies, but some parts of a site may not work properly if essential cookies are blocked.

11. Children

Riverbank CMS is not intended to be used by children without appropriate oversight. If you believe a child has provided personal data through a site using Riverbank CMS, contact the site owner or contact us at info@riverbankdigital.co.uk.

12. Changes to this policy

We may update this policy from time to time. If changes are material, we’ll take reasonable steps to notify platform customers (for example, via email or dashboard notice). The updated policy will apply from its effective date.

13. Contact

For privacy questions or requests, contact:

Riverbank Digital Limited
71 Oaklands Park, Buckfastleigh, England, TQ11 0BP
info@riverbankdigital.co.uk