Flash Sale — up to 47% off for a limited time.See pricing
Review Spector

Privacy Policy

Last updated: 9th April 2026

This Privacy Policy explains how Review Spector ("we", "us", "our") collects, uses, and protects personal data when you use our SaaS Platform. We are a company incorporated in Northern Ireland. We act as a data processor for the review data and customer contact data you upload and instruct us to process (including sending review invitations). You remain the data controller. We comply with the UK GDPR, Data Protection Act 2018, and PECR.

1. Information We Collect

  • Account and contact data: Name, email, business details, and billing information you provide when registering (via Clerk).
  • Authentication data: Data processed by Clerk for secure login.
  • Google authentication data: Your Google OAuth short-lived access token (processed temporarily during connection and refresh flows; stored encrypted in transit and at rest) and refresh token (stored encrypted for ongoing authorised access to your Google Business Profile).
  • Review data: Customer reviews retrieved via the Google API (including reviewer names, text, ratings, and timestamps where publicly available or authorised). This may contain personal data of your customers/reviewers.
    • Review invite data: Customer names, email addresses, and/or phone numbers you upload to send review invitations. We also store your consent confirmation (checkbox + source dropdown) and opt-out records.
  • Processed data: AI-generated sentiment scores, themes, alerts, and reply suggestions.
  • Reply data: Any replies you post via the Platform (if supported).
  • Payment data: Processed securely by Stripe (we do not store full card details).
  • Usage and technical data: IP address, browser type, and usage patterns (via cookies and analytics).
  • Communication data: Records of email alerts and support correspondence.

We do not knowingly collect sensitive personal data unless it appears incidentally in review text (which we process only as instructed). Google authentication data is handled in line with Google's OAuth policies and limited to what is necessary for the Service.

2. How We Use Your Data and Lawful Bases

We process data to:

  • Provide the Service, including authentication (Clerk), payments (Stripe), secure token management for Google API access, review analysis, alerts, and AI reply suggestions (contract performance).
  • Analyse reviews and generate suggestions using our Ollama cloud model (legitimate interests: improving your review management).
  • Send service-related email alerts (contract performance).
  • Improve the Platform and prevent abuse (legitimate interests).
  • Comply with legal obligations (for example tax, accounting, or Google API requirements).
  • Send review invitations via email/SMS on your instructions (contract performance / legitimate interests as processor).

Where we act as processor for reviewer personal data in reviews (or your replies), we follow your documented instructions as controller. Google authentication data is used solely to maintain authorised API access as you instruct.

3. Sharing and Data Processors

We share data only as necessary and with contracts meeting UK GDPR standards, including:

  • With Google (to authenticate, retrieve reviews, and post approved replies; you control this via your Google account settings).
  • With Clerk (authentication provider).
  • With Stripe (payment processing).
  • With our Ollama cloud model provider (sub-processor, located outside the UK/EEA; review text/prompts are sent temporarily for AI analysis/sentiment/reply generation and deleted immediately after processing; no storage, logging, or training on your data occurs). We ensure these transfers are protected by standard contractual clauses and use data minimization techniques to protect your privacy.
  • With email service providers (for alerts) and secure UK/EEA hosting providers.
  • With professional advisers or regulators if legally required.
  • With messaging/SMS providers (e.g. Resend or equivalent) solely to deliver emails and SMS you instruct us to send.

We do not sell your data. We may share anonymised, aggregated insights for Platform improvement.

4. International Transfers

All primary processing occurs in the UK/EEA or with equivalent protection. For transfers to our Ollama cloud model provider (outside the UK/EEA), we rely on the UK International Data Transfer Addendum (IDTA) / UK Addendum to EU SCCs combined with a Transfer Risk Assessment (TRA) confirming the destination country's protections are not materially lower than UK standards (per recent ICO guidance and Data (Use and Access) Act 2025). We ensure technical measures (e.g. encryption in transit, prompt minimisation, no long-term storage) reduce risks. Clerk and Stripe use UK Extension to EU-US DPF or adequacy decisions/SCCs. Any other transfers use appropriate safeguards under UK GDPR Article 46.

5. Security

We encrypt refresh tokens (and any transient short-lived access tokens during processing) using industry-standard methods (AES-256) at rest and in transit (TLS 1.3+). Encryption keys are managed securely and never shared with third parties except as authorised for API operations. However, no system is 100% secure.

While we implement reasonable technical and organisational measures to protect your data (including encryption, access controls, and regular security reviews), no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security against unauthorised access, hacks, data breaches, or other cyber threats. In the event of a personal data breach, we will notify affected users and the ICO where required under UK GDPR (within 72 hours where feasible). Our liability for any such incidents is limited to the extent permitted by law; we exclude liability for indirect, consequential, or punitive damages to the maximum extent allowable.

6. Data Retention

  • Google authentication data (short-lived access tokens): Processed temporarily and not stored long-term; deleted immediately after use in refresh flows.
  • Refresh tokens and account data: Until you revoke/delete or your subscription ends (plus up to 30 days, aligned with Google content storage limits).
  • Review and processed data (including reply suggestions): For the duration of your subscription or as long as needed for the Service, then deleted or anonymised (unless you instruct otherwise).
  • Payment records (Stripe): As required for accounting and tax purposes.
  • Usage logs: Up to 12 months for security.
  • Review invite contact data and consent records: For the duration of your subscription or until you delete them, plus up to 6 years for legal compliance.

We delete data upon your written request (subject to legal retention requirements or Google policies).

7. Your Rights (UK GDPR)

As a data subject (or on behalf of your reviewers), you have the right to:

  • Access, correct, or delete your data (including requesting revocation or deletion of stored refresh tokens).
  • Object to or restrict processing.
  • Data portability.
  • Withdraw consent where applicable.
  • Complain to the Information Commissioner's Office (ICO).

To exercise these rights or request a copy of the data we process as your processor, email support@reviewspector.com. We respond within one month (free of charge unless a request is manifestly unfounded).

8. Review Invite Communications (Email & SMS)

When you use our review invite feature, we act purely as a data processor, sending emails or SMS messages on your behalf and under your instructions using the contact details and consent records you provide.

You, as the data controller, are solely responsible for ensuring you have obtained valid, explicit, freely given, specific, informed and unambiguous prior consent from each recipient in accordance with UK GDPR and PECR before uploading their details or sending invites.

Every message sent through the Platform includes your business name (as sender) and an easy unsubscribe/opt-out link. If a recipient opts out, we immediately and permanently suppress their contact details from future sends. Opt-outs are irreversible in our system.

Contact data uploaded for review invites is used solely for sending those invitations and is not used for any other purpose, shared with third parties (except our messaging sub-processors under contract), or retained longer than necessary.

We may suspend the review invite feature for your account if we have reason to believe consents are invalid.

9. Cookies and Tracking

We use essential cookies for authentication (Clerk) and analytics (anonymised). You can manage preferences via your browser or our cookie banner. Non-essential cookies require consent.

10. Children's Data

Our Service is not intended for anyone under 18. We do not knowingly process children's data.

11. Changes to This Policy

We may update this Policy and will notify you of material changes via email or in-app notice. Continued use after changes constitutes acceptance.

12. Contact Us

You can reach us at support@reviewspector.com.

If you have a complaint about how we handle your data, please contact support@reviewspector.com. We will acknowledge your complaint within 30 days.