Revuora

Privacy Policy

Last updated: [Insert date]

This Privacy Policy explains how Revuora (“Revuora”, “we”, “us”, or “our”) collects, uses, stores and protects personal data when you use our website, application, integrations, review request tools, analytics, billing features and related services.

Revuora provides automated review collection software for businesses. The service helps businesses send review requests, route satisfied customers to public review platforms, capture private feedback, import customer/job data, connect integrations, and view review analytics.

We are committed to protecting personal data and handling it in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018 and applicable privacy laws.

1. Who we are

Service name: Revuora
Website: https://revuora.ai
Data protection contact: [Insert privacy email address]
Business/legal entity: [Insert company name]
Company address: [Insert registered/business address]
Company number: [Insert company number if applicable]

For privacy requests, please contact:
Email: [Insert privacy email address]

2. Our role: controller and processor

Depending on the data and the circumstances, Revuora may act as either a data controller or a data processor.

Where we act as a controller

We act as a controller for personal data relating to our own users, accounts, billing, security, website analytics, administration and direct communications. This includes account data, login data, subscription data, support requests and security logs.

Where we act as a processor

Where a business user uploads or imports their own customer/job data into Revuora, we normally act as a processor on behalf of that business. The business is responsible for ensuring it has a lawful basis to provide customer data to Revuora and to send review requests to its customers.

For example, if a business imports customer names, email addresses, phone numbers, job details and completed job dates into Revuora, we process that information only to provide the review collection service to that business.

We process customer contact details and review activity only to send review requests, route feedback, provide analytics, and operate the service.

3. Personal data we collect

Account data

This may include email address, name, password hash, user role, account status, sign-up date, sign-in timestamps, password reset activity and authentication/session information.

We do not store plain-text passwords.

Business data

This may include business name, business contact email, Google review link, website URL, business logo or branding settings if provided, webhook secret or integration identifiers, subscription plan, trial status, business settings, review request settings and follow-up settings.

Customer and job data

Where a business user imports or creates customer/job records, this may include customer name, customer email address, customer phone number, service type, job completion date, external job ID, source of import, job status and review campaign status.

Review activity data

This may include review request emails sent, email delivery status, rating link clicks, rating selected, Google review link clicks, private feedback submitted, follow-up and final reminder status, timestamps of review-related activity, review campaign events, analytics and conversion data.

Integrations data

If you connect integrations, we may process integration-related data, including Google OAuth tokens, Google Sheets connection details, spreadsheet IDs, worksheet/tab names, Google Sheets sync data, column mappings, Google Business Profile connection details, Google Business Profile location data, Google review data retrieved via Google Business Profile APIs, Zapier/webhook payloads, webhook import logs, integration sync status and errors.

Google OAuth tokens are used only to provide the Google integration features you choose to enable.

Billing data

If you subscribe to a paid plan, we may process billing-related data, including Stripe customer ID, Stripe subscription ID, plan name, subscription status, trial status, invoice/payment status, billing period dates and cancellation status.

We do not store card numbers, CVC codes or full payment card details. Payment details are handled by Stripe.

Logs and diagnostics

We may process technical and diagnostic data, including system logs, admin audit logs, webhook logs, import logs, sync logs, email sending logs, error logs, IP address where necessary for security, browser/device information where necessary for security or troubleshooting, and timestamps of key system actions.

We use logs to operate, secure, debug and improve the service.

Cookies and session data

We may use cookies and similar technologies for authentication sessions, security, CSRF protection where used, remembering preferences, maintaining logged-in sessions and basic website or application functionality.

Where required by law, we will request consent before using non-essential cookies.

4. How we collect personal data

We collect personal data when you create an account, sign in, add business details, import customers or jobs, upload a CSV, connect Google Sheets, connect Google Business Profile, connect Zapier or webhooks, send review request emails, subscribe through Stripe or contact us for support; when customers click rating links or submit private feedback; and when system logs are generated while operating the service.

We may also receive personal data from third-party processors and integrations you choose to connect, including Supabase, Stripe, Google, Resend, Zapier and Vercel.

5. Why we use personal data

To provide the service

This includes creating and managing user accounts, authenticating users, creating and managing businesses, importing customer/job data, sending review request emails, routing high ratings to Google review links, capturing low-rating private feedback, scheduling follow-ups and reminders, displaying analytics, and supporting multi-business and agency features.

To manage integrations

This includes connecting to Google Sheets, syncing Google Sheets data, connecting to Google Business Profile, syncing read-only Google review data, receiving Zapier/webhook payloads, processing CSV imports, and troubleshooting integration errors.

To manage billing

This includes creating Stripe checkout sessions, managing subscriptions, tracking plan limits, processing invoice/payment status, providing access to the Stripe customer portal, and applying trial and subscription status.

To provide support and diagnostics

This includes responding to support requests, investigating bugs, fixing failed imports, diagnosing email or webhook issues, reviewing admin audit logs, and monitoring system performance.

To protect the service

This includes detecting abuse, preventing unauthorised access, protecting accounts, enforcing plan limits, securing webhook endpoints, maintaining audit logs, and investigating suspicious activity.

To comply with legal obligations

This includes keeping billing records, responding to lawful requests, complying with tax, accounting and legal requirements, and maintaining records required for compliance.

To communicate with users

This may include service emails, security alerts, billing notifications, product updates, support replies and important account notices.

Marketing emails will only be sent where permitted by law. Users can unsubscribe from marketing communications.

6. Lawful bases for processing

Contract

We rely on contract where processing is necessary to provide the Revuora service to users, including account creation, login, dashboard access, review request functionality, integrations, subscription management and customer support.

Legitimate interests

We rely on legitimate interests where processing is necessary for our business and service operation, provided those interests are not overridden by individual rights. This may include improving and securing the service, sending service-related communications, logging errors and diagnostics, preventing abuse, maintaining audit logs, analysing service performance, supporting customer success, and handling review request analytics.

Legal obligation

We rely on legal obligation where we need to retain or process data to comply with legal, tax, accounting, regulatory or statutory obligations.

Consent

We rely on consent where required, including where users choose to connect optional Google integrations or where consent is required for non-essential cookies or marketing communications.

Users can disconnect Google integrations at any time through the app settings, where available.

7. Customer data uploaded by business users

Business users may upload, import or sync customer/job data into Revuora. This may include customer names, email addresses, phone numbers, service details, job completion dates and review activity.

Business users are responsible for ensuring they have a valid lawful basis to collect customer data, upload or import that data into Revuora, send review request emails, process customer feedback and connect third-party systems to Revuora.

Revuora processes this data only to provide the service to the business user, including review request sending, feedback capture, automation, integrations and analytics.

Business users should ensure their own privacy policy explains how they use customer data and how Revuora may process data on their behalf.

8. Google integrations

If you choose to connect Google Sheets or Google Business Profile, we may process Google integration data needed to operate those features.

This may include Google OAuth access tokens and refresh tokens, connected Google account information, spreadsheet IDs, spreadsheet names, worksheet names, column mappings, imported row data, Google Business Profile account/location data, and read-only Google review data.

We use Google data only to provide the features you request, such as importing rows from Google Sheets or syncing Google Business Profile review metrics.

You can disconnect Google integrations through the app where available. Disconnecting an integration may stop future syncs but may not automatically delete data already imported into Revuora unless deletion is requested or performed through the app.

9. Zapier and webhook integrations

If you connect Zapier or another external system to Revuora using a webhook, that system may send customer/job data to Revuora.

Webhook payloads may include customer name, customer email, customer phone, service type, completed job date, external job ID and source system data.

Webhook secrets are used to authenticate inbound webhook requests. You should keep webhook secrets confidential and regenerate them if you suspect they have been exposed.

10. Stripe billing

We use Stripe to process payments and manage subscriptions.

We may store Stripe-related identifiers and subscription information, such as Stripe customer ID, Stripe subscription ID, plan name, subscription status, invoice status, trial dates, billing period dates and cancellation status.

We do not store card numbers, CVC codes or full payment card details. Stripe handles payment card processing directly.

Stripe may process your personal data in accordance with its own privacy policy.

11. Who we share personal data with

We do not sell personal data to third parties.

We only share personal data where necessary to operate, secure, support and provide the Revuora service.

Our third-party processors may include Supabase for authentication and database storage, Stripe for checkout, subscription billing, invoices and payment status processing, Resend for sending review request emails, Google for optional Google Sheets and Google Business Profile integrations, and Vercel for hosting, application deployment, serverless functions and technical logs.

We may also share data where required by law, regulation, legal process, court order or to protect our rights, users, service or others.

12. International transfers

Some of our processors may process or store data outside the United Kingdom or European Economic Area.

Where personal data is transferred internationally, we rely on appropriate safeguards where required, such as adequacy regulations, standard contractual clauses, contractual safeguards and processor data protection terms.

By using Revuora, you understand that personal data may be processed by trusted service providers in jurisdictions outside the UK or EEA where necessary to provide the service.

13. Data retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.

Account data is retained while your account is active. If your account is closed, deleted or inactive, we may retain limited account records for a reasonable period to handle support, security, fraud prevention, legal or billing matters. Suggested retention period: up to 6 years after account closure where required for legal, tax, accounting or dispute purposes.

Business data is retained while the related account or business workspace is active. If a business is deleted, we will delete or anonymise associated data unless retention is required for legal, billing, security or compliance purposes.

Customer and job data is retained while needed to provide the review collection service. Business users may delete or request deletion of customer/job data subject to legal, technical and backup limitations. Suggested default retention: active account period plus up to 24 months, unless the user chooses a different retention setting or deletion is requested.

Review activity data may be retained to provide analytics, campaign history, feedback records and auditability. Suggested default retention: active account period plus up to 24 months, unless deletion is requested or legal retention applies.

Logs and diagnostics may be retained for security, troubleshooting and accountability. Suggested retention: operational logs up to 12 months, security/admin audit logs up to 24 months, and billing/security incident logs up to 6 years where necessary.

Billing and invoice-related records may be retained for up to 6 years or longer where required by tax, accounting or legal obligations.

Deleted data may remain in encrypted backups for a limited period before being permanently overwritten or deleted according to our backup cycle.

14. Data deletion

Users can request deletion of their account, business data, customer data or imported data by contacting us at:

Email: [Insert privacy email address]

Where deletion is requested, we will assess and process the request in accordance with applicable law.

Deletion may not be immediate where we need to retain data for legal, tax, accounting or fraud prevention reasons, where data is contained in backups awaiting normal deletion cycles, where data is needed to resolve disputes, or where retention is necessary to protect legal rights.

Where full deletion is not possible, we may anonymise or restrict processing where appropriate.

15. Your rights

Depending on the circumstances and applicable law, individuals may have the right to be informed, to access, correct, delete or port their personal data, to restrict or object to its processing, and to withdraw consent.

To exercise your rights, contact:
Email: [Insert privacy email address]

We may need to verify your identity before responding. We aim to respond within one month, unless a longer period is permitted by law.

If you are a customer of a business using Revuora, we may direct your request to that business where they are the controller of your personal data.

16. Security

We use technical and organisational measures designed to protect personal data, including encrypted connections, password hashing, authentication controls, role-based access controls, Supabase Row Level Security, admin route protection, audit logs, webhook secrets, token encryption where implemented, restricted administrative access, secure third-party processors, monitoring and diagnostics, and access logging.

No system can be guaranteed completely secure. Users are responsible for keeping login credentials, webhook secrets and connected third-party accounts secure.

17. Admin access and audit logs

Authorised Revuora administrators may access limited user, business, billing, integration and diagnostic data where necessary to provide support, investigate errors, resolve billing issues, troubleshoot integrations, protect the service, prevent abuse and comply with legal obligations.

Admin actions may be logged in admin audit logs, including the admin user, action taken, affected account/business and timestamp.

We do not permit unrestricted access to personal data. Administrative access should be limited to what is necessary for operational and support purposes.

18. Cookies

We may use cookies or similar technologies to keep users logged in, protect sessions, remember preferences, secure forms, prevent fraud or abuse, and operate the website and application.

If we use non-essential analytics or marketing cookies, we will request consent where required.

You can control cookies through your browser settings. Blocking certain cookies may affect the functionality of the service.

19. Marketing communications

We may send users service-related communications, such as account, billing, security, integration and product update emails.

We may send marketing emails where permitted by law or where consent has been given. You can unsubscribe from marketing emails using the unsubscribe link or by contacting us.

We do not send marketing emails to imported customer/job contacts unless specifically supported by the service and lawfully configured by the business user.

20. Children’s data

Revuora is intended for business users and is not intended for children or anyone under the age of 18.

We do not knowingly collect personal data from children under 18. If you believe a child has provided personal data to us, please contact us and we will take appropriate action.

21. Automated decision-making

Revuora does not make legally significant automated decisions about individuals.

The service may automatically route review activity based on rating clicks. For example, higher ratings may be routed to a Google review link and lower ratings may be routed to a private feedback form. This is part of the review collection workflow and does not produce legal or similarly significant effects.

22. Data accuracy

Users are responsible for ensuring that customer/job data they upload, import or sync into Revuora is accurate and up to date.

Users can update or delete customer and business data through the application where available or by contacting us.

23. Data breaches

If we become aware of a personal data breach that is likely to result in a risk to individuals, we will assess the breach and take appropriate steps in accordance with applicable data protection law.

Where required, we will notify affected users, relevant controllers or the Information Commissioner’s Office.

24. Complaints

If you have concerns about how we handle personal data, please contact us first so we can try to resolve the issue.

Privacy contact: [Insert privacy email address]

You also have the right to complain to the UK Information Commissioner’s Office.

ICO website: https://ico.org.uk

25. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes, we may notify users by email, in-app notice or website notice.

The latest version will always be available on our website.

26. Contact us

For privacy questions, data requests or deletion requests, contact:

Revuora
Email: [Insert privacy email address]
Address: [Insert business address]
Website: https://revuora.ai