Privacy Policy

Last updated: May 13, 2026

Introduction

At AutoReview, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Information We Collect

Information You Provide

We collect information you voluntarily provide when you:

  • Create an account or purchase our product
  • Contact us for support
  • Subscribe to our newsletter
  • Import customer data for review campaigns
  • Provide phone numbers for SMS review request campaigns

This may include your name, email address, phone number, payment information, and business details.

Information from Google Services

When you sign in with Google or connect Google services to your account, we access the following Google user data:

  • Basic profile information: Your name, email address, and profile picture from your Google account, used to create and authenticate your AutoReview account.
  • Email address: Used as your account identifier, for sending transactional communications (e.g., account verification, password resets), and for delivering review campaign notifications.

Automatically Collected Information

When you access our service, we may automatically collect certain information, including:

  • Device information (browser type, operating system)
  • IP address and general location
  • Usage data (pages visited, features used, time spent)
  • Cookies and similar tracking technologies

Legal Basis for Processing (Art. 6 GDPR)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide our services to you, including account management, email campaign delivery, and customer support.
  • Consent (Art. 6(1)(a) GDPR): Analytics tracking and marketing cookies (PostHog, Meta Pixel) are only activated after you give explicit consent via our cookie banner. You may withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f) GDPR): Fraud prevention, service security, and essential system monitoring.
  • Legal obligation (Art. 6(1)(c) GDPR): Compliance with tax, accounting, and other legal requirements.

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send you technical notices, updates, and support messages
  • Respond to your comments, questions, and customer service requests
  • Monitor and analyze usage trends to improve user experience
  • Detect, prevent, and address technical issues and fraud

SMS Review Request Messages

If you enable the SMS add-on, AutoReview sends text messages to your customers on your behalf to request reviews. The following applies to SMS communications:

  • Phone numbers: Customer phone numbers are collected by you (the business owner) and uploaded to AutoReview via manual entry or CRM/webhook integration. Phone numbers are used solely to deliver review request messages and are never sold, shared with third parties, or used for marketing purposes unrelated to the review request.
  • Consent: You are responsible for obtaining explicit consent from your customers—typically verbally, at the point of service—before their phone number is added to AutoReview for SMS messaging. AutoReview acts solely as the platform transmitting messages on your behalf.
  • Message frequency: Customers receive a maximum of 2 SMS messages per service transaction. No recurring promotional messages are sent.
  • Opt-out: Customers can opt out at any time by replying STOP to any message. Once opted out, no further SMS messages will be sent to that number.
  • Message and data rates: Standard message and data rates may apply depending on the customer's mobile carrier and plan.
  • Help: Customers can reply HELP to any message for assistance.

All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

How We Use Google User Data

Google user data received through sign-in is used solely to authenticate your identity and create your account on AutoReview. Specifically:

  • Your Google email address is used as your account login identifier and to send you service-related communications.
  • Your Google name and profile photo are used to personalize your account profile within the application.

AutoReview's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for serving advertisements or for training artificial intelligence or machine learning models.

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following situations:

  • Service Providers: We may share data with third-party vendors who perform services on our behalf (e.g., payment processing, email delivery, cloud hosting). These providers are contractually obligated to protect your data and may only use it for the purposes we specify.
  • Legal Requirements: We may disclose information if required by law or in response to valid legal requests.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred.

Google user data is never shared with third parties except as described above for service providers who are strictly necessary to operate the service (e.g., our authentication and hosting infrastructure).

Third-Party Data Processors

We use the following third-party services to operate AutoReview. Each processes data on our behalf under a Data Processing Agreement (DPA):

  • Supabase (EU region) — Authentication, database, and file storage.
  • Stripe (USA, EU SCCs) — Payment processing. See Stripe Privacy Policy.
  • Resend (USA, EU SCCs) — Transactional and campaign email delivery.
  • PostHog (EU region) — Analytics and session recording. Only active after cookie consent.
  • Meta / Facebook (USA, EU SCCs) — Conversion tracking via Meta Pixel. Only active after cookie consent.
  • Twilio (USA, EU SCCs) — SMS message delivery for review request campaigns. See Twilio Privacy Policy.
  • Upstash / QStash (EU region) — Background job queue for campaign processing.
  • Vercel (global CDN, USA HQ, EU SCCs) — Application hosting and deployment.

International Data Transfers

Some of our service providers are based outside the European Economic Area (EEA). Where personal data is transferred to countries without an adequate level of data protection (as determined by the European Commission), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or the provider's participation in recognised frameworks. You may request a copy of the relevant safeguards by contacting us.

Data Storage and Protection

We implement appropriate technical and organizational measures to protect your personal information, including Google user data. These measures include:

  • All data is transmitted over encrypted connections (TLS/SSL).
  • User data is stored in secure, access-controlled cloud databases.
  • Authentication tokens are managed by our secure authentication provider (Supabase) and are never exposed to client-side code.
  • Access to production systems and user data is restricted to authorized personnel only.
  • We conduct regular security reviews of our application and infrastructure.

However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

Data Retention and Deletion

We retain your personal information, including any Google user data, only for as long as necessary to provide our services to you and fulfill the purposes described in this policy.

  • Account data: Retained for the duration of your active account. When you delete your account, all associated personal data — including Google user data — is permanently deleted from our systems within 30 days.
  • Campaign and review data: Retained while your account is active. Deleted when you delete your account or upon request.
  • Usage and analytics data: Retained in anonymized form for up to 12 months for service improvement purposes.

To request deletion of your data, you can delete your account from your dashboard settings, or contact us at [email protected]. We will process deletion requests within 30 days.

Your Rights (Art. 15–21 GDPR)

Under the GDPR, you have the right to:

  • Access the personal information we hold about you (Art. 15)
  • Request correction of inaccurate data (Art. 16)
  • Request deletion of your personal information (Art. 17)
  • Restrict processing of your data (Art. 18)
  • Data portability — receive your data in a structured, machine-readable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at [email protected].

You also have the right to lodge a complaint with a data protection supervisory authority. If you are in Germany, you may contact the supervisory authority of the federal state where you reside, or the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

Cookies

We use cookies and similar technologies. They fall into the following categories:

  • Essential cookies: Required for authentication and core functionality (e.g., Supabase session cookies). These are set without consent as they are strictly necessary.
  • Analytics cookies: PostHog analytics cookies to understand usage patterns and improve the service. Only set after you give consent.
  • Marketing cookies: Meta / Facebook Pixel for conversion tracking. Only set after you give consent.

You can manage your cookie preferences at any time via the cookie banner or your browser settings. Disabling non-essential cookies will not affect core functionality.

Third-Party Links

Our service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: [email protected]