AutoReview logoAutoReview
Log in

Security at AutoReview

We take the security of your business and your customers seriously. Here is a plain-English overview of how we protect your data.

Our commitment

Your customer lists, reviews, and email content are some of your most valuable assets. Protecting them is a core part of how we build AutoReview — not an afterthought. We follow industry best practices for encryption, access control, and data minimization, and we only ever collect the data we actually need to send review requests on your behalf.

Encryption

  • In transit: All traffic to and from AutoReview is encrypted with TLS (HTTPS). This includes our app, our APIs, and every webhook and integration.
  • At rest: Your data is stored in managed, access-controlled databases with encryption at rest.

Access control

  • Each account's data is isolated. Row-level security ensures one business can never read or modify another business's contacts, reviews, or settings.
  • Internal access to production systems is limited to what is required to operate the service.
  • Payments are handled by Stripe — we never see or store your full card details.

Data minimization

We collect the minimum data needed to do the job. For review requests that means a customer's name and email (and, if you opt in, phone number for SMS). We don't buy, sell, or rent your data, and we don't use your customer lists for anything other than running your campaigns. See our Privacy Policy for the full detail.

How BCC Auto-Collect is secured

BCC Auto-Collect gives each project a unique, private email address (for example [email protected]). When you BCC that address on an invoice or receipt, we enroll that customer for a review request. Because this address triggers an action in your account, we protect it on multiple levels:

  • We verify the sender.Every email sent to your BCC address is checked against your account. We only act on messages that come from you — your account's email address, or an address on your business or website domain. Anything from an unrecognized sender is ignored and never enrolled, and our team is alerted to the mismatch.
  • We read headers, not your emails.We only look at the recipient (your customer's email and name) and the subject line. We do not read, store, or process the body of your emails or any attachments.
  • Your address is private and rotatable. Your BCC address is unique to your project. If you ever suspect it has been shared or misused, contact us and we will rotate it for you.
  • Plan and limit enforcement.Enrollment respects your plan's contact limits and your campaign settings, so the feature can't be used to send mail you didn't intend.

In short: only you can use your BCC address to enroll customers. If anyone else tries, nothing happens.

Reporting a vulnerability

If you believe you've found a security issue, please email us at [email protected] with the details. We investigate every report and will keep you updated on our progress. Please give us a reasonable chance to fix the issue before disclosing it publicly.

Questions

Have a security or privacy question? Reach out any time at [email protected].

Back to Home