GDPR Compliance
General Data Protection Regulation
ReviewReply is GDPR compliant.
We take our obligations under the EU General Data Protection Regulation seriously. This page explains your rights and how we fulfill them.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union law that governs how organizations collect, use, store, and share the personal data of individuals in the EU. It has applied since May 25, 2018. It covers organizations established in the EU and EEA, and also organizations based anywhere else in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU and EEA.
Our role under GDPR
ReviewReply acts as a data controller for the personal data of our users (e.g., your name, email address, billing information).
For review data that contains personal information about your customers (e.g., reviewer names and text), ReviewReply acts as a data processor on your behalf. As the business owner, you are the data controller for that data.
Legal bases for processing
We process personal data under the following legal bases:
- Contract performance - processing necessary to provide the ReviewReply service you subscribed to
- Legitimate interests - analytics to improve the service, fraud prevention, security monitoring
- Legal obligation - retaining billing records as required by tax law
- Consent - marketing emails (you can withdraw consent at any time)
Your rights under GDPR
If you are located in the EU or EEA, you have the following rights regarding the personal data for which we are the controller (see "Our role under GDPR" above):
- Right to access - Request a copy of all personal data we hold about you
- Right to rectification - Request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") - Request deletion of your personal data, subject to legal obligations
- Right to restriction - Request that we limit how we process your data
- Right to portability - Receive the data you provided to us in a structured, commonly used, machine-readable format, and have it transmitted directly to another controller where technically feasible
- Right to object - Object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making - Not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on you, and to be informed when such processing takes place
To exercise any of these rights, email privacy@reviewreply.com. We will respond without undue delay and in any event within one month of receiving your request. Where a request is complex or we receive several from you, GDPR allows this period to be extended by up to two further months; if that is necessary we will tell you within the first month and explain why.
Data transfers outside the EU
ReviewReply is based in the United States. When you use our service, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to legitimize these transfers.
Our key sub-processors and their data transfer mechanisms:
- Vercel (hosting) - SCCs
- Anthropic (AI processing) - SCCs
- Stripe (payments) - SCCs + EU-U.S. Data Privacy Framework (the successor to Privacy Shield)
- Resend (email) - SCCs
Data retention
We retain personal data only as long as necessary for the purposes described in our Privacy Policy:
- Account data: retained while your account is active, deleted within 30 days of account closure
- Billing records: 7 years (legal requirement)
- Security logs: 90 days
- Analytics data: 24 months
Data Protection Officer
For GDPR-related inquiries or to submit a data subject request, contact our Data Protection Officer at:
privacy@reviewreply.com
Subject line: "GDPR Request"
You also have the right to lodge a complaint with a data protection authority (supervisory authority), in particular the one in the EU member state where you live, where you work, or where the alleged violation took place, if you believe we have infringed your rights under GDPR.
Data Processing Agreement
If you use ReviewReply to process personal data of individuals in the EU in your capacity as a data controller (e.g., your customers' review data), Article 28 of GDPR requires a written contract between you (the controller) and us (the processor) setting out the subject matter, duration, nature and purpose of the processing and our obligations as processor. We provide this as a Data Processing Agreement (DPA). Please contact us at privacy@reviewreply.com to request our standard DPA.
Related documents