Privacy Policy

Effective date: August 9, 2025

Company: Ratings Refinery (“we,” “us,” “our”)

Website: ratingsrefinery.com

We provide software and services that help local businesses request and manage customer reviews and related communications (the “Services”). For data we collect about our own prospects, site visitors, and account users, we act as a controller. For data our clients upload or connect about their customers, we act as a processor/service provider (EU/UK GDPR; California CPRA). We use client customer data only to deliver the Services under our contract and the client’s written instructions. We do not sell personal information.

1) Information We Collect

Client & User Data (controller): name, business contact info, login credentials, billing details, usage logs, device/IP data, support communications, cookies/analytics. End-Customer Data (processor): identifiers supplied by the client (name, email, phone, visit/transaction metadata, internal IDs), outreach status (delivered/opened/clicked/replied), public review links/ratings the client connects, and opt-out status. Integrations: OAuth tokens and metadata necessary to operate connected services (e.g., Google Business Profile, email/SMS providers, CRMs, payment processors). We do not access third-party content beyond what is required to provide the integration. Cookies: necessary cookies for authentication/security and optional analytics to understand feature adoption. Manage via your browser and our banner (where applicable).

2) How We Use Information

Controller data: provide and secure the Services, authenticate users, handle billing, provide customer support, send service notices, improve the product, prevent fraud and abuse, and comply with legal obligations. Processor data: send review requests and follow-ups as configured by the client, manage STOP/UNSUBSCRIBE requests, provide dashboards and analytics, and ensure deliverability and spam prevention. We do not use one client’s customer data to market to another client or to build cross-client profiles.

Legal bases (EU/UK): performance of a contract, legitimate interests (security/analytics), and consent where required (e.g., certain cookies/marketing).

3) Messaging Compliance (SMS/Email)

Clients must obtain appropriate consent from end customers before sending messages and must honor STOP/UNSUBSCRIBE immediately. We support compliance with TCPA/CTIA (US), CAN-SPAM (email), and similar laws. Prohibited uses include harassing messages, illegal content, or messaging minors without verifiable parental consent.

4) Sharing & Disclosures

We share information with vetted sub-processors/service providers (hosting, cloud infrastructure, email/SMS gateways, analytics, payments, error monitoring) bound by confidentiality and data-processing terms; with authorities if required by law; and in connection with a merger, acquisition, or asset sale. We do not sell or “share” personal information for cross-context behavioral advertising.

5) Data Retention

Client & user data: retained for the account lifetime and typically up to 24 months after closure for recordkeeping, legal, and security purposes (unless deletion is requested sooner, where lawful). End-customer data: retained according to client settings/instructions; by default during the subscription and up to 12 months after termination, then deleted or anonymized.

6) Security

We use administrative, technical, and physical safeguards appropriate to the data’s sensitivity, including TLS in transit, encryption at rest for key data stores, role-based access controls, least-privilege practices, audit logging, and vendor risk reviews. No method is 100% secure; if we learn of a breach affecting personal information, we will notify affected clients without undue delay.

7) International Transfers

Data may be processed in the United States and other countries. For EU/UK/Swiss personal data, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

8) Your Rights & Choices

Clients/users: depending on your region, you may request access, correction, deletion, portability, or restriction/objection. Opt out of marketing emails via the unsubscribe link.

End customers: we process your information on behalf of a business (our client). Please contact that business directly to exercise your privacy rights; we will assist them in responding.

California (CPRA): no sale/share; service-provider role for client customer data; rights to know, correct, and delete.

EU/UK GDPR: rights of access, rectification, erasure, restriction, portability, and objection; you may withdraw consent where applicable.

9) Children’s Privacy

The Services are not directed to children under 13 (or the age defined by local law). Clients may not upload children’s data without complying with applicable parental-consent laws.

10) Prohibited Data

Do not upload sensitive categories of data (government IDs, payment card data outside PCI-compliant processors, medical/biometric data, precise geolocation, etc.) unless expressly agreed in writing and you have a lawful basis and have provided appropriate notice.

11) Google & Third-Party Policies

If you connect Google accounts or Google Business Profiles, we use Google data only to provide enabled features, consistent with the Google API Services User Data Policy (Limited Use). Disconnect anytime in Settings. Other connected tools are governed by their own policies.

12) Changes

We will update this Policy as needed and post the new effective date. We will notify you of material changes (e.g., by email or in-app).

Contact for privacy requests:

Ratings Refinery

12774 Montbrook Way

Rancho Cordova, CA 95742

Email: [email protected]