Privacy Policy
Last updated: July 13, 2026
This Privacy Policy explains how Review Reacher ("we", "us") processes personal data when you use our website and platform.
Who is the controller?
For account data (the information you give us when you sign up and use Review Reacher), we are the data controller. For customer contact data you upload to send review requests, you are the controller and we are the processor acting on your behalf — see our Data Processing Addendum.
What we collect
- Account data: name, email, password hash, business details, brand settings.
- Billing data: Stripe customer ID, subscription status, invoices (payment card details are held by Stripe, never by us).
- Customer data (as processor): customer name, email, phone, tags, visit dates, message history — controlled by you.
- Review data: Google review URLs, star ratings, review content, private feedback submitted through our capture pages.
- Usage data: IP address, browser type, pages viewed, actions in the app, error logs.
How we use it
- Provide, secure, and improve the Service.
- Send review requests and follow-ups on your instruction to your customers.
- Bill you and handle refunds and disputes.
- Send transactional and service emails (e.g. password reset, receipts).
- Comply with legal obligations and enforce our Terms.
Legal bases (UK/EU)
Contract (to provide the Service), legitimate interests (to secure and improve the Service, prevent fraud), legal obligation (tax, accounting), and consent where required (e.g. optional cookies).
AI processing
We use third-party large language models to draft message and review response copy. Prompts may include your business name, customer first name, and review content. We do not authorise these providers to train models on your data.
Subprocessors
We rely on trusted subprocessors to deliver the Service. Current list:
- Supabase (managed via Lovable Cloud) — database, authentication, storage — EU region.
- Stripe — payments and subscription billing.
- Resend (or successor) — transactional email delivery.
- Lovable AI Gateway (Google Gemini, OpenAI) — AI message and reply drafts.
- Cloudflare — application hosting and content delivery.
International transfers
Some subprocessors are located outside the UK/EEA. Where required, we rely on the UK Addendum and EU Standard Contractual Clauses to protect transferred data.
Retention
Account data: retained while your account is active and for up to 30 days after closure, then deleted unless we must keep it for legal reasons (billing records: 7 years). Customer data you upload: deleted within 30 days of you deleting the record or closing your account. Backups: rotate out within 35 days.
Your rights
Under UK/EU GDPR you may request access, correction, deletion, restriction, portability, and object to certain processing. To exercise these rights, or if you are one of our customers' customers, email privacy@reviewloop.app. You may also complain to the UK ICO or your local supervisory authority.
Cookies
We use strictly necessary cookies for authentication and security. We do not use third-party advertising cookies. Analytics, if enabled, is privacy-friendly and does not identify individuals.
Security
Data is encrypted in transit (TLS) and at rest. Access is limited to the smallest number of personnel who need it. We use row-level security to isolate each business's data.
Children
The Service is not intended for children under 16 and we do not knowingly collect their data.
Changes
We will notify material changes by email or in-app.
Contact
Questions? privacy@reviewloop.app.