Privacy Policy

Last updated: April 2026

ReviewSync is operated by Nicholas Arrowood (sole proprietor, pending LLC formation).

1. Information We Collect

We collect information you provide directly to us, such as when you create an account, connect business locations, or contact us for support. We organize the data we process into the following categories:

  • Account data — email address, display name, hashed password (if using email/password sign-in), and authentication provider identifiers (if using OAuth).
  • Business data — location names, addresses, Google Place IDs, and platform slugs or profile URLs you connect.
  • Review data — reviews synced from connected platforms, including reviewer display name, rating, review text, timestamp, and the owner response (if one is present on the source platform).
  • Payment data — billing name, billing address, and the last four digits of your card. ReviewSync never stores full card numbers; our payment processing provider handles card data directly.
  • Usage data — feature usage events (only if analytics consent is granted — see Section 5) and error logs (only if error-reporting consent is granted).
  • Device data — IP address, user agent, and session identifiers, which are necessary for security and session maintenance.

2. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the service.
  • Generate AI-powered response drafts for your reviews.
  • Send account, billing, and security notifications.
  • Detect and prevent fraud, abuse, and security incidents.
  • With your consent, improve the product via analytics.
  • Comply with legal obligations.

3. Legal Bases for Processing (GDPR)

For users in the European Economic Area, United Kingdom, or Switzerland, we process personal data under the following legal bases:

  • Contract — to provide the service you signed up for and fulfill our obligations to you.
  • Legitimate interest — for security, fraud prevention, and core service operations that do not require consent.
  • Consent — for non-essential analytics, error monitoring, and marketing communications. You may withdraw consent at any time.
  • Legal obligation — to comply with applicable law, including tax and accounting requirements.

4. Data Sharing and Sub-Processors

We do not sell or rent your personal information. We share data only with sub-processors that support our service delivery, and only to the extent necessary for them to perform their function.

Categories of Sub-Processors

  • Database and authentication provider — Stores account, location, and review data (US).
  • Cloud hosting and edge compute provider — Serves the web application (Global CDN, primary region US).
  • Payment processing provider — Handles subscriptions and billing (US, PCI-DSS Level 1 certified).
  • AI response generation provider — Generates draft review replies (US).
  • Review aggregation services — Collect publicly posted reviews from supported platforms on your behalf (EU/Global).
  • Transactional email provider — Delivers account and notification emails (US).
  • Rate limiting and serverless key-value provider — Protects the service from abuse (Global, primarily US).
  • Geocoding and business-discovery provider — Resolves business addresses and place identifiers (US).
  • Product analytics provider (post-consent only) — Measures feature usage if you opt in (US or EU, depending on region).
  • Error monitoring provider (post-consent only) — Captures application errors for debugging if you opt in (US).
  • Site analytics provider (post-consent only) — Measures site traffic if you opt in (US).

Each sub-processor is bound by a Data Processing Agreement (DPA) where required. A named list of current sub-processors is available on request by emailing privacy@reviewsync.ai. We review this list periodically and will update this policy on material changes.

5. Cookies and Similar Technologies

Categories we use

  • Strictly necessary (always on) — session cookies for authentication, CSRF protection, and consent state. Retention: session or up to 1 year for consent persistence.
  • Analytics (opt-in) — our product and site analytics providers, for understanding product usage and traffic. Retention: up to 24 months.
  • Error monitoring (opt-in) — our error monitoring provider, for capturing crash diagnostics. Retention: 90 days for event data.
  • We do NOT use advertising or cross-site tracking cookies.

Providers

  • Authentication provider (session cookie).
  • ReviewSync first-party (consent state, stored in localStorage as reviewsync.consent.v1).
  • Product analytics provider.
  • Site analytics provider.
  • Error monitoring provider.

How to change your preferences

You can revisit your cookie preferences at any time via the "Cookie Preferences" link in the site footer. Rejecting analytics and error-monitoring cookies will not impact your ability to use the service.

6. Data Retention

We retain data only as long as necessary for the purposes outlined in this policy:

  • Account data — retained while your account is active, and for up to 30 days after account deletion to support recovery, then purged.
  • Business and location data — same as account data.
  • Review data — retained while the associated location is connected; purged within 90 days of location deletion unless legally required.
  • Payment and invoice data — retained for 7 years to comply with US tax and accounting requirements.
  • Transactional email logs — retained for 90 days.
  • Product analytics events — retained for up to 12 months unless you opt out earlier.
  • Site analytics events — retained for up to 14 months.
  • Error logs — retained for 90 days.
  • Rate-limit counters — retained for the length of the rate window (typically 15 minutes).
  • Backups — encrypted backups rotate on a 30-day cycle.

You may request early deletion of any data category (except where we have a legal obligation to retain) by emailing support@reviewsync.ai.

7. Data Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. Access to production systems is restricted to the operator. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Secrets are stored in our hosting provider's encrypted environment variable store and our database provider's secure vault — never in source control.

8. Your Rights — United States (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, grants you the following rights:

  • Right to Notice — You have the right to know, at or before the point of collection, what personal information we collect and why. This policy serves as that notice.
  • Right to Access / Know — You may request a copy of the specific personal information we've collected about you in the past 12 months. Email support@reviewsync.ai with subject "CCPA Access Request" and we will respond within 45 days.
  • Right to Delete — You may request deletion of personal information we hold about you, subject to legal retention requirements. Email support@reviewsync.ai with subject "CCPA Deletion Request".
  • Right to Opt-Out of Sale or Sharing — We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but you may confirm this status by emailing support@reviewsync.ai.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any CCPA right. You will receive the same service and pricing whether or not you exercise your rights.

You may also designate an authorized agent to submit requests on your behalf; we will require written proof of authorization.

9. Your Rights — Europe (GDPR / UK GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR and UK GDPR:

  • Right of Access (Article 15) — Request a copy of the personal data we process about you. Email support@reviewsync.ai with subject "GDPR Access Request"; we respond within 30 days.
  • Right to Rectification (Article 16) — Request correction of inaccurate or incomplete personal data. Email support@reviewsync.ai with subject "GDPR Rectification Request" and specify the correction.
  • Right to Erasure / "Right to be Forgotten" (Article 17) — Request deletion of your personal data where processing is no longer necessary. Email support@reviewsync.ai with subject "GDPR Erasure Request".
  • Right to Data Portability (Article 20) — Request an export of your personal data in a structured, machine-readable format. Email support@reviewsync.ai with subject "GDPR Portability Request". We currently fulfill these manually; typical turnaround is 30 days.
  • Right to Object (Article 21) — Object to processing based on legitimate interests (including profiling) or for direct marketing. Email support@reviewsync.ai with subject "GDPR Objection".
  • Right to Restrict Processing (Article 18) — Request that we temporarily halt processing of your data while a dispute is investigated. Email support@reviewsync.ai with subject "GDPR Restriction Request".

You also have the right to lodge a complaint with your local data protection authority. We will not charge a fee to exercise these rights unless a request is manifestly unfounded or excessive.

10. International Data Transfers

ReviewSync is operated from the United States. Data processed by our sub-processors may be transferred to the US or other jurisdictions where they operate. For transfers out of the EEA/UK, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards where our sub-processors have them in place.

11. Children's Privacy

ReviewSync is a B2B service intended for business owners and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, contact support@reviewsync.ai for deletion.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

13. Contact Us

If you have questions about this privacy policy or our data practices, please contact us at support@reviewsync.ai. For privacy-specific inquiries, use the subject line prefix listed in each rights section above to help us route your request.

Disclaimer: This policy is provided in good faith for a solo-operated SaaS product pre-launch. It does not constitute legal advice. Users should consult their own counsel about how it applies to them.