Privacy Policy

Last updated: 20 March 2026

1. Who We Are

ReviewReply is operated by CodeHawks Limited, a company registered in England and Wales (Company No. 16095971). We provide an AI-powered service that generates responses to Google Business Profile reviews on behalf of business subscribers.

Contact: hello@reviewreplies.io

CodeHawks Limited is the data controller for subscriber data and processes Google review content as a data processor on behalf of business subscribers. This policy is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect About You (Subscribers)

Account information

  • Business name and location name (collected at signup)
  • Email address for your account and service notifications

Legal basis: Contract (necessary to create and maintain your account).

Google Business Profile OAuth tokens

When you connect your Google Business Profile, we request OAuth 2.0 access via Google's API. We store your access token and refresh token (encrypted at rest) to enable us to fetch new reviews and post approved responses on your behalf. We request the minimum necessary Google API scopes.

You may revoke this access at any time via your Google Account permissions page. Revoking access will stop the service from fetching reviews or posting responses.

Legal basis: Contract.

Payment information

Payments are processed by Stripe, Inc. We never see, store, or process your card number. Stripe stores all payment data under PCI-DSS compliant systems. We receive a Stripe customer ID, subscription status, and your billing email.

Legal basis: Contract (fulfilling your subscription).

3. Google Review Content (Third-Party Data)

Google reviews are written by your customers (reviewers). Review content, reviewer names, star ratings, and timestamps belong to those individuals. ReviewReply processes this content solely to generate response drafts on your behalf; we do not claim ownership of review content and do not use it for any purpose beyond providing the service you subscribed to.

Review data we process includes:

  • Review text and star rating
  • Reviewer's display name (as provided to Google)
  • Review timestamp
  • AI-generated draft responses (created by ReviewReply)
  • Final posted responses (as approved by you)

Legal basis for processing review content: Legitimate interests. We process review data on behalf of business subscribers to provide the core service. The legitimate interest is the subscriber's interest in managing their online reputation and responding to customer feedback. We have assessed that this processing does not override the rights and freedoms of reviewers, as the review content has already been made publicly available on Google.

Our use of data obtained via Google APIs complies with the Google API Services User Data Policy including the Limited Use requirements. We do not sell Google user data, use it for advertising, or share it with third parties except as required to operate the service (OpenAI for response generation — see Section 5).

4. How We Use Your Data

  • Providing the service: Fetching new reviews from your Google Business Profile, generating AI draft responses, sending approval emails, and posting approved responses.
  • Account management: Creating and maintaining your account, managing your subscription, sending billing receipts.
  • Transactional communications: Review approval emails, subscription receipts, service notifications. We do not send marketing emails without your explicit opt-in.
  • Security and abuse prevention: Detecting and preventing misuse of the platform.
  • Service improvement: Aggregated, anonymised usage data may inform service improvements. We do not use individual review content to train AI models.

5. International Data Transfers

The following third-party processors are involved in delivering the service. Where data is transferred outside the UK, appropriate safeguards (UK IDTAs or adequacy decisions) are in place:

  • Stripe, Inc. (USA) — Subscription billing and payment processing.
  • Twilio / SendGrid (USA) — Transactional email delivery, including review approval emails and subscription receipts.
  • Vercel, Inc. (USA) — Web application hosting and serverless functions.
  • Railway (USA) — Database hosting. Account data, OAuth tokens (encrypted), and review response history are stored in a Railway-hosted database.
  • OpenAI, LLC (USA) — AI response generation. Review text is sent to OpenAI to generate draft responses. OpenAI processes this under our API agreement and does not use API inputs to train its models.

We do not sell your data or any data we process on your behalf to any third party.

6. Cookies and Tracking

We use a session cookie to maintain your logged-in state on the dashboard. This cookie is strictly necessary and does not track you across other websites. We do not use advertising cookies or third-party tracking pixels. This website complies with the Privacy and Electronic Communications Regulations (PECR).

7. Data Retention

  • Account data: Retained for the duration of your subscription plus 90 days after cancellation.
  • Google OAuth tokens: Deleted immediately upon account cancellation or when you revoke access via Google.
  • Review content and response history: Retained for 12 months, then deleted.
  • Payment records: Retained for 7 years as required by UK tax law.
  • Server logs: Retained for 30 days.

8. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may ask us to correct inaccurate or incomplete personal data.
  • Right to erasure (“right to be forgotten”): You may ask us to delete your personal data. Note that OAuth tokens are deleted immediately on request; other data may be retained to comply with legal obligations.
  • Right to restriction of processing: You may ask us to restrict processing in certain circumstances.
  • Right to data portability: Where processing is based on contract and is automated, you may request your data in a structured, machine-readable format.
  • Right to object: You may object to processing based on legitimate interests. We will cease unless we have compelling legitimate grounds.
  • Right to lodge a complaint with the ICO: If you believe we have not handled your data lawfully, you may contact the Information Commissioner's Office at ico.org.uk or call 0303 123 1113.

To exercise your rights, email hello@reviewreplies.io. We will respond within one calendar month.

9. Security

OAuth tokens are stored encrypted at rest. All data is transmitted over HTTPS/TLS. Access to production systems is restricted to authorised personnel. We apply the principle of least privilege and conduct regular security reviews.

10. Changes to This Policy

We will notify subscribers by email of any material changes at least 14 days before they take effect. The current version is always available at reviewreplies.io/privacy.

11. Contact Us

For any questions about this Privacy Policy or your personal data:

CodeHawks Limited
Company No. 16095971
Email: hello@reviewreplies.io