Privacy Policy

Last updated: January 1, 2025 Effective date: January 1, 2025 Version: 1.0

Plain English summary: ReviewFilter Global collects only the minimum data needed to run the service. We never sell your data. Private customer complaints are never posted publicly. You can delete your account and data at any time.

Who We Are
What Data We Collect
How We Use Your Data
How We Store and Protect Your Data
SMS Communications
Sharing Your Data
Cookies and Tracking
Your Rights
Data Retention
Children's Privacy
International Data Transfers
Changes to This Policy
Contact Us

1 Who We Are

ReviewFilter Global ("ReviewFilter", "we", "us", or "our") is a Software-as-a-Service platform that helps businesses manage their online reputation by capturing private customer feedback and facilitating authentic public reviews.

The platform is operated by Kabantiok Zidyep David, based in Minna, Niger State, Nigeria.

This Privacy Policy explains how we collect, use, store, and protect information when you use our website at reviewfilterglobal.com and our platform services (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy.

2 What Data We Collect

2.1 Data from Business Owners (our direct customers)

When you create a ReviewFilter account, we collect:

Account information: your email address and password (stored as a bcrypt hash — never in plain text)
Business information: your business name, location label, emoji/logo, and review platform links (Google, Yelp, Trustpilot URLs)
Billing information: handled entirely by LemonSqueezy as Merchant of Record. We do not store credit card numbers or payment details on our servers
Usage data: SMS invites sent, complaints received, plan tier, and SMS usage counts

2.2 Data from Customers (end users of our clients)

When a customer of one of our business clients receives and responds to a review invite, we may collect:

Phone number: provided by the business owner who initiates the SMS invite
Star rating: the rating the customer taps on the review page (1–5 stars)
Name: optional — only if the customer voluntarily enters it in the private feedback form
Complaint text: only if the customer voluntarily submits private feedback (1–3 star path)
Invite interaction data: whether the SMS link was opened, when it was opened, and what action was taken

Data Minimisation: We collect only the minimum data required to deliver the service. We do not collect home addresses, financial information, government IDs, or any sensitive personal data from end customers.

2.3 Automatically Collected Data

When you visit our website, we automatically collect:

Page visited and timestamp
Browser user agent string (to determine device type — mobile vs desktop)
IP address (processed by our hosting provider — we do not log or store raw IP addresses directly)

3 How We Use Your Data

We use the data we collect for the following purposes:

3.1 To provide and operate the Service

Creating and managing your business account
Sending review invite SMS messages on your behalf to your customers
Displaying private customer feedback in your dashboard
Tracking SMS usage against your plan limits
Processing subscription payments via LemonSqueezy

3.2 To communicate with you

Sending email alerts when a new private complaint is received
Sending weekly digest summary emails (Growth and Agency plans)
Sending account-related emails (signup confirmation, password reset)
Responding to support requests you submit

3.3 To improve the Service

Analysing aggregated, anonymised usage patterns to improve platform features
Monitoring platform health and uptime

3.4 Legal bases for processing (GDPR)

For users in the European Economic Area and UK, our legal bases for processing your data are:

Contract performance: processing necessary to deliver the services you signed up for
Legitimate interest: platform security, fraud prevention, and service improvement
Legal obligation: complying with applicable laws and regulations
Consent: for optional communications such as marketing emails, where applicable

We never sell your data. We do not sell, rent, or trade your personal data or your customers' data to any third party for marketing, advertising, or any other commercial purpose.

4 How We Store and Protect Your Data

4.1 Infrastructure

All data is stored on Supabase, which runs on AWS (Amazon Web Services) infrastructure. Supabase is SOC 2 Type II certified and GDPR compliant. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.

4.2 Access controls

We use Supabase Row-Level Security (RLS) policies on every database table. This means each business owner can only ever read and write their own data at the database level — not in application code. Cross-tenant data access is architecturally impossible.

4.3 Authentication

Passwords are hashed using bcrypt before storage. We use JWT (JSON Web Token) authentication with short expiry times. Password reset links are single-use and expire after 1 hour.

4.4 API security

Our Twilio SMS credentials and other third-party API keys are stored only as encrypted environment variables in Supabase Edge Functions. They are never exposed in frontend code, browser storage, or version control.

4.5 Invite tokens

Each review invite SMS contains a cryptographically random UUID token. Tokens are single-use. Invalid or expired tokens display an error message — no business or customer data is exposed through invalid token requests.

Breach notification: In the unlikely event of a data breach that affects your personal data, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.

5 SMS Communications

5.1 How SMS is used

ReviewFilter sends SMS messages on behalf of our business clients to their customers. These messages contain a link to a review rating page. SMS delivery is handled by Twilio Inc., a third-party SMS provider.

5.2 Consent requirement

Our platform requires business owners to confirm — via a mandatory checkbox before every SMS send — that the customer has provided explicit consent to receive an SMS from the business. ReviewFilter acts as the infrastructure provider only. The business owner bears legal responsibility for ensuring valid consent from their customers under applicable laws including:

TCPA (Telephone Consumer Protection Act) — United States
CASL (Canada's Anti-Spam Legislation) — Canada
PECR (Privacy and Electronic Communications Regulations) — United Kingdom
NCC regulations — Nigeria

5.3 Opt-out

All SMS messages sent via ReviewFilter include the instruction "Reply STOP to unsubscribe." This is automatically appended by Twilio and complies with regulatory requirements in the US, Canada, and UK. Opt-out requests are honoured immediately by Twilio and no further messages are sent to that number.

5.4 Phone number storage

Customer phone numbers are stored in our database linked to the business account that initiated the invite. They are used only to deliver the review invite SMS and to track invite status. They are never shared with third parties for marketing purposes.

6 Sharing Your Data

We do not sell your data. We share data only with the following third-party service providers, strictly to operate the Service:

Supabase — database, authentication, and edge function hosting. Data processed under their DPA (Data Processing Agreement).
Twilio Inc. — SMS delivery. Phone numbers are shared with Twilio only to send the review invite. Twilio's privacy policy applies to their handling of this data.
LemonSqueezy — payment processing as Merchant of Record. They handle billing data under their own privacy policy. We do not store payment card details.
Resend / Email provider — transactional email delivery (complaint alerts, weekly digests, account emails). Only your email address and the content of the notification are shared.
Vercel / Netlify — website hosting. Standard server access logs may be retained by the hosting provider per their policies.

We may also disclose your information if required to do so by law, court order, or government authority, or to protect the rights, property, or safety of ReviewFilter Global, our users, or the public.

7 Cookies and Tracking

7.1 Cookies we use

We use only the minimum cookies necessary to operate the Service:

Authentication cookies: Supabase sets a session cookie to keep you logged into your dashboard. This is a strictly necessary cookie — the Service cannot function without it.
No advertising cookies: We do not use Google Analytics, Facebook Pixel, or any advertising or tracking cookies.
No third-party tracking: We do not load any third-party tracking scripts on our pages.

7.2 Visitor analytics

We collect basic page visit data (page URL, timestamp, device type from user agent string) and store it in our own database for internal analytics only. This data is not shared with any third party and is used only to understand how our platform is being used.

8 Your Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Rights for all users

Right to access: You can request a copy of all personal data we hold about you.
Right to correction: You can update your business name, email, and other profile data directly in your dashboard settings at any time.
Right to deletion: You can request that we delete your account and all associated data. We will process deletion requests within 7 business days.
Right to data portability: You can request an export of your data in a machine-readable format (JSON or CSV).
Right to withdraw consent: You can cancel your subscription and stop using the Service at any time.

8.2 Additional rights for EU/UK users (GDPR/UK GDPR)

Right to object: You can object to processing based on legitimate interests.
Right to restriction: You can request we restrict processing of your data in certain circumstances.
Right to lodge a complaint: You have the right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, or your local EU supervisory authority).

8.3 Rights for California users (CCPA)

California residents have the right to know what personal information is collected, to request deletion, and to opt out of the sale of personal information. We do not sell personal information, so the opt-out right does not apply. To exercise your rights, contact us at the address below.

8.4 Rights for Nigerian users (NDPR)

Under the Nigeria Data Protection Regulation (NDPR), you have the right to access, correct, and request deletion of your personal data. You may lodge complaints with the National Information Technology Development Agency (NITDA).

To exercise any of your rights, email us at privacy@reviewfilterglobal.com with the subject "Data Rights Request." We will respond within 30 days.

9 Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

Account data: retained while your account is active. Deleted within 30 days of an account deletion request.
Invite records: retained for 24 months from the date of the invite, then automatically purged.
Private complaint data: retained while your account is active. You can delete individual complaints from your dashboard at any time.
Billing records: retained for 7 years to comply with financial regulations. Managed by LemonSqueezy as Merchant of Record.
Site visit logs: retained for 12 months then automatically purged.

When you request account deletion, we will permanently delete all your data from our live database within 7 business days. Encrypted backups are purged within 30 days.

10 Children's Privacy

ReviewFilter Global is a business-to-business (B2B) service designed for use by business owners and professionals. Our Service is not directed at or intended for use by children under the age of 18.

We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@reviewfilterglobal.com and we will delete it promptly.

11 International Data Transfers

ReviewFilter Global is operated from Nigeria. Your data is stored on Supabase infrastructure hosted on AWS servers. Depending on the region you select when we configure your project, data may be stored in the United States, European Union, or other jurisdictions.

Where we transfer personal data from the EEA or UK to countries that do not have an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for transfer. Supabase provides SCCs as part of their Data Processing Agreement.

For Nigerian users, data processing and storage complies with the Nigeria Data Protection Regulation (NDPR) 2019 and its implementing framework.

12 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Send an email notification to all registered business account holders
Display a notice in the dashboard for 30 days after the change

Your continued use of the Service after any changes constitutes your acceptance of the updated policy. If you do not agree with the updated policy, you may cancel your account and request deletion of your data.

13 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

ReviewFilter Global

Operated by: Kabantiok Zidyep David

Address: Minna, Niger State, Nigeria

General enquiries: hello@reviewfilterglobal.com

Privacy requests: privacy@reviewfilterglobal.com

Website: reviewfilterglobal.com

We aim to respond to all privacy-related requests within 30 days. For urgent data breach notifications, we will respond within 72 hours.