Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide when you register for an Account, use the Service, or communicate with us:

1.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain technical information:

• Usage Data: Pages visited, features used, actions taken (e.g., creating boards, voting, posting), timestamps, and session duration.
• Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences.
• Network Information: IP address, approximate geographic location (city/region level), and referring URL.
• Cookies and Similar Technologies: Session cookies for authentication, preference cookies for theme and layout settings, and analytics cookies for understanding usage patterns. See Section 9 for our Cookie Policy.

1.3 Information from Third-Party Sources

We may receive information from third-party sources when you use integrations:

• Google Business Profile: Business reviews, reviewer names, ratings, review text, and business location data.
• Review Platforms (Trustpilot, Yelp, Facebook, TripAdvisor): Customer reviews, ratings, and business profile information.
• Google OAuth: Name, email address, and profile photo when you sign in with Google.
• Stripe: Subscription status, payment confirmation, and billing events (we do not receive or store full payment card numbers).

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: Operating feedback boards, roadmaps, changelogs, review intelligence, analytics, automation, and all other platform features.
• AI-Powered Features: Processing your data through artificial intelligence models for sentiment analysis, duplicate detection, auto-categorization, review response draft generation, competitive intelligence analysis, action plan generation, and KPI insights. AI processing is performed using our configured LLM providers and is used solely to deliver Service functionality.
• Authentication and Security: Verifying your identity, managing sessions, preventing fraud, and maintaining the security of your Account.
• Billing and Payments: Processing subscription payments, managing billing cycles, applying discounts, and handling overage charges through Stripe.
• Communications: Sending transactional emails (account verification, password resets, billing receipts), service notifications (changelog updates, review alerts, KPI milestones), and product communications (onboarding, trial reminders).
• Improvement and Analytics: Analyzing usage patterns to improve the Service, fix bugs, develop new features, and optimize performance.
• Legal Compliance: Complying with applicable laws, regulations, legal processes, and government requests.
• Audit and Data Integrity: Maintaining audit logs, version history, and archive records to ensure data integrity and accountability.

3. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service under your subscription agreement (Article 6(1)(b) GDPR).
• Legitimate Interests: Processing for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security (Article 6(1)(f) GDPR).
• Consent: Processing based on your explicit consent, such as opting in to marketing communications or SMS notifications (Article 6(1)(a) GDPR). You may withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with applicable laws and regulations (Article 6(1)(c) GDPR).

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following limited circumstances:

• Service Providers: We share data with trusted third-party service providers who assist us in operating the Service, including:
  • Stripe (payment processing)
  • Email delivery services (transactional and notification emails)
  • Cloud hosting and infrastructure providers
  • AI/LLM providers (for processing AI features — data is sent only as needed for specific AI operations and is not used to train third-party models)
• Third-Party Integrations (at your direction): When you connect Third-Party Services (Google Business Profile, Trustpilot, Yelp, Facebook, TripAdvisor), data is exchanged between the Service and those platforms as necessary to provide the integration functionality you have enabled.
• Within Your Workspace: Data within your Workspace is accessible to other members of your Workspace based on their roles and permissions.
• Public Client Portals: If you create public feedback submission portals, feedback submitted through those portals is visible to your Workspace members.
• Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

5. SMS/Text Messaging Privacy (A2P 10DLC Compliance)

6. Data Retention

We retain your personal information for as long as your Account is active or as needed to provide the Service. Our data retention practices comply with all applicable local, state, and federal laws. Specific retention periods include:

• Active Account Data: Retained for the duration of your subscription plus 90 days after account closure to allow for data export and reactivation.
• Archived Data: Items you delete through the Service are archived (not permanently destroyed) to maintain audit trail integrity and allow for recovery. Archived data is retained for 12 months after archival, after which it may be permanently purged.
• Audit Logs: Security and compliance audit logs are retained for a minimum of 24 months.
• Version History: Version history records for boards, settings, and configurations are retained for the duration of the subscription.
• Payment Records: Billing and payment records are retained for 7 years to comply with tax and financial reporting obligations.
• Email Logs: Records of emails sent through the Service are retained for 12 months.
• Analytics Data: Aggregated, anonymized analytics data may be retained indefinitely for Service improvement purposes.

After the applicable retention period, data is permanently deleted using secure deletion methods. You may request earlier deletion of your data as described in Section 7.

7. Your Rights and Choices

7.1 Rights for All Users

• Access: You may access and review the personal information we hold about you through your Account settings or by contacting us.
• Correction: You may update or correct your personal information through your Account settings at any time.
• Data Export: You may export your data through the Service's built-in export features or via the API.
• Account Deletion: You may request deletion of your Account by contacting us at [email protected].
• Communication Preferences: You may manage your notification preferences, including opting out of non-essential emails and text messages, through your Account settings.

7.2 Additional Rights Under GDPR (EEA/UK/Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following additional rights:

• Right to Erasure: You may request that we delete your personal data, subject to legal retention requirements.
• Right to Restriction: You may request that we restrict processing of your personal data in certain circumstances.
• Right to Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format.
• Right to Object: You may object to processing of your personal data based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority.

7.3 Additional Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share your information.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise any of these rights, contact us at [email protected]. We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA/CPRA).

8. Data Security

We implement comprehensive technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL protocols.
• Encryption at Rest: Sensitive data, including passwords and integration credentials, is encrypted at rest using industry-standard encryption algorithms. Passwords are hashed using bcrypt with a minimum of 12 rounds.
• Access Controls: Role-based access controls limit data access to authorized personnel. Multi-factor authentication (2FA/MFA) via TOTP is available for all accounts, with configurable password rotation policies for enhanced security.
• Audit Logging: Comprehensive audit logs track all significant actions within the platform for security monitoring and compliance.
• Secure Infrastructure: The Service is hosted on enterprise-grade cloud infrastructure with physical security, network security, and redundancy measures.
• Regular Assessments: We conduct regular security assessments and vulnerability testing.
• Incident Response: We maintain an incident response plan and will notify affected users and relevant authorities of any data breach in accordance with applicable law.

SOC 2 Type II, ISO/IEC 27001:2022, and HIPAA certification are actively in progress. While no method of transmission or storage is 100% secure, we strive to use commercially acceptable means to protect your personal information.

9. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service. We do not use cookies for cross-site behavioral advertising.

10. AI and Automated Processing

The Service uses artificial intelligence and machine learning technologies to provide certain features. We are transparent about how AI processes your data:

• Sentiment Analysis: AI analyzes the text content of feedback posts and reviews to determine sentiment (positive, negative, neutral). This processing is performed on demand and results are stored within your Workspace.
• Duplicate Detection: AI compares feedback posts to identify potential duplicates based on content similarity.
• Auto-Categorization: AI suggests categories and tags for feedback based on content analysis.
• Review Response Draft Generation: AI generates draft responses to customer reviews based on the review content and your configured tone preferences. These drafts require human review before use. Native reply posting is supported for Trustpilot and Facebook; for Google, Yelp, and TripAdvisor, drafts are provided for you to copy and post on each platform.
• Competitive Intelligence: AI analyzes publicly available information about competitors to identify feature changes and strategic insights.
• Action Plan Generation: AI generates recommended action plans based on feedback analysis and KPI data.

Data Handling for AI: When AI features are used, relevant data (e.g., feedback text, review content) is sent to our configured AI/LLM provider for processing. We do not allow AI providers to use your data for training their models. AI-generated outputs are stored within your Workspace and are subject to the same security and retention policies as other data.

Human Oversight: AI features are designed as decision-support tools. All AI-generated content (review response drafts, action plans, categorizations) can be reviewed, edited, or rejected by authorized users before any action is taken.

11. International Data Transfers

The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure that your data is protected in accordance with applicable data protection laws.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us at [email protected].

13. Third-Party Links and Services

The Service may contain links to third-party websites and services that are not owned or controlled by us. This Privacy Policy applies only to the Service. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through the Service, including:

• Stripe Privacy Policy (payment processing)
• Google Privacy Policy (Google Business Profile, Google OAuth)
• Trustpilot Privacy Policy
• Yelp Privacy Policy
• Meta/Facebook Privacy Policy
• TripAdvisor Privacy Policy

14. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. We currently do not respond to DNT signals, as there is no industry-standard interpretation of DNT. However, we do not engage in cross-site tracking or sell your personal information to third parties.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated Policy on our website with a revised "Last Updated" date and, where appropriate, by email notification. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: