Plain English summary: ReviewFilter Global collects only the minimum data needed to run the service. We never sell your data. Private customer complaints are never posted publicly. You can delete your account and data at any time.
1 Who We Are
ReviewFilter Global ("ReviewFilter", "we", "us", or "our") is a Software-as-a-Service platform that helps businesses manage their online reputation by capturing private customer feedback and facilitating authentic public reviews.
The platform is operated by Kabantiok Zidyep David, based in Minna, Niger State, Nigeria.
This Privacy Policy explains how we collect, use, store, and protect information when you use our website at reviewfilterglobal.com and our platform services (collectively, the "Service").
By using our Service, you agree to the collection and use of information in accordance with this policy.
2 What Data We Collect
2.1 Data from Business Owners (our direct customers)
When you create a ReviewFilter account, we collect:
- Account information: your email address and password (stored as a bcrypt hash — never in plain text)
- Business information: your business name, location label, emoji/logo, and review platform links (Google, Yelp, Trustpilot URLs)
- Billing information: handled entirely by LemonSqueezy as Merchant of Record. We do not store credit card numbers or payment details on our servers
- Usage data: SMS invites sent, complaints received, plan tier, and SMS usage counts
2.2 Data from Customers (end users of our clients)
When a customer of one of our business clients receives and responds to a review invite, we may collect:
- Phone number: provided by the business owner who initiates the SMS invite
- Star rating: the rating the customer taps on the review page (1–5 stars)
- Name: optional — only if the customer voluntarily enters it in the private feedback form
- Complaint text: only if the customer voluntarily submits private feedback (1–3 star path)
- Invite interaction data: whether the SMS link was opened, when it was opened, and what action was taken
Data Minimisation: We collect only the minimum data required to deliver the service. We do not collect home addresses, financial information, government IDs, or any sensitive personal data from end customers.
2.3 Automatically Collected Data
When you visit our website, we automatically collect:
- Page visited and timestamp
- Browser user agent string (to determine device type — mobile vs desktop)
- IP address (processed by our hosting provider — we do not log or store raw IP addresses directly)
3 How We Use Your Data
We use the data we collect for the following purposes:
3.1 To provide and operate the Service
- Creating and managing your business account
- Sending review invite SMS messages on your behalf to your customers
- Displaying private customer feedback in your dashboard
- Tracking SMS usage against your plan limits
- Processing subscription payments via LemonSqueezy
3.2 To communicate with you
- Sending email alerts when a new private complaint is received
- Sending weekly digest summary emails (Growth and Agency plans)
- Sending account-related emails (signup confirmation, password reset)
- Responding to support requests you submit
3.3 To improve the Service
- Analysing aggregated, anonymised usage patterns to improve platform features
- Monitoring platform health and uptime
3.4 Legal bases for processing (GDPR)
For users in the European Economic Area and UK, our legal bases for processing your data are:
- Contract performance: processing necessary to deliver the services you signed up for
- Legitimate interest: platform security, fraud prevention, and service improvement
- Legal obligation: complying with applicable laws and regulations
- Consent: for optional communications such as marketing emails, where applicable
We never sell your data. We do not sell, rent, or trade your personal data or your customers' data to any third party for marketing, advertising, or any other commercial purpose.
4 How We Store and Protect Your Data
4.1 Infrastructure
All data is stored on Supabase, which runs on AWS (Amazon Web Services) infrastructure. Supabase is SOC 2 Type II certified and GDPR compliant. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
4.2 Access controls
We use Supabase Row-Level Security (RLS) policies on every database table. This means the rule that each business owner can only ever read and write their own data is enforced at the database level, not in application code. Cross-tenant data access is architecturally impossible.
4.3 Authentication
Passwords are hashed using bcrypt before storage. We use JWT (JSON Web Token) authentication with short expiry times. Password reset links are single-use and expire after 1 hour.
4.4 API security
Our Twilio SMS credentials and other third-party API keys are stored only as encrypted environment variables in Supabase Edge Functions. They are never exposed in frontend code, browser storage, or version control.
4.5 Invite tokens
Each review invite SMS contains a cryptographically random UUID token. Tokens are single-use. Invalid or expired tokens display an error message — no business or customer data is exposed through invalid token requests.
Breach notification: In the unlikely event of a data breach that affects your personal data, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
5 SMS Communications
5.1 How SMS is used
ReviewFilter sends SMS messages on behalf of our business clients to their customers. These messages contain a link to a review rating page. SMS delivery is handled by Twilio Inc., a third-party SMS provider.
5.2 Consent requirement
Our platform requires business owners to confirm — via a mandatory checkbox before every SMS send — that the customer has provided explicit consent to receive an SMS from the business. ReviewFilter acts as the infrastructure provider only. The business owner bears legal responsibility for ensuring valid consent from their customers under applicable laws including:
- TCPA (Telephone Consumer Protection Act) — United States
- CASL (Canada's Anti-Spam Legislation) — Canada
- PECR (Privacy and Electronic Communications Regulations) — United Kingdom
- NCC regulations — Nigeria
5.3 Opt-out
All SMS messages sent via ReviewFilter include the instruction "Reply STOP to unsubscribe." This is automatically appended by Twilio and complies with regulatory requirements in the US, Canada, and UK. Opt-out requests are honoured immediately by Twilio and no further messages are sent to that number.
5.4 Phone number storage
Customer phone numbers are stored in our database linked to the business account that initiated the invite. They are used only to deliver the review invite SMS and to track invite status. They are never shared with third parties for marketing purposes.
6 Sharing Your Data
We do not sell your data. We share data only with the following third-party service providers, strictly to operate the Service:
- Supabase — database, authentication, and edge function hosting. Data processed under their DPA (Data Processing Agreement).
- Twilio Inc. — SMS delivery. Phone numbers are shared with Twilio only to send the review invite. Twilio's privacy policy applies to their handling of this data.
- LemonSqueezy — payment processing as Merchant of Record. They handle billing data under their own privacy policy. We do not store payment card details.
- Resend / Email provider — transactional email delivery (complaint alerts, weekly digests, account emails). Only your email address and the content of the notification are shared.
- Vercel / Netlify — website hosting. Standard server access logs may be retained by the hosting provider per their policies.
We may also disclose your information if required to do so by law, court order, or government authority, or to protect the rights, property, or safety of ReviewFilter Global, our users, or the public.
7 Cookies and Tracking
7.1 Cookies we use
We use only the minimum cookies necessary to operate the Service:
- Authentication cookies: Supabase sets a session cookie to keep you logged into your dashboard. This is a strictly necessary cookie — the Service cannot function without it.
- No advertising cookies: We do not use Google Analytics, Facebook Pixel, or any advertising or tracking cookies.
- No third-party tracking: We do not load any third-party tracking scripts on our pages.
7.2 Visitor analytics
We collect basic page visit data (page URL, timestamp, device type from user agent string) and store it in our own database for internal analytics only. This data is not shared with any third party and is used only to understand how our platform is being used.
8 Your Rights
Depending on your location, you may have the following rights regarding your personal data:
8.1 Rights for all users
- Right to access: You can request a copy of all personal data we hold about you.
- Right to correction: You can update your business name, email, and other profile data directly in your dashboard settings at any time.
- Right to deletion: You can request that we delete your account and all associated data. We will process deletion requests within 7 business days.
- Right to data portability: You can request an export of your data in a machine-readable format (JSON or CSV).
- Right to withdraw consent: You can cancel your subscription and stop using the Service at any time.
8.2 Additional rights for EU/UK users (GDPR/UK GDPR)
- Right to object: You can object to processing based on legitimate interests.
- Right to restriction: You can request we restrict processing of your data in certain circumstances.
- Right to lodge a complaint: You have the right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, or your local EU supervisory authority).
8.3 Rights for California users (CCPA)
California residents have the right to know what personal information is collected, to request deletion, and to opt out of the sale of personal information. We do not sell personal information, so the opt-out right does not apply. To exercise your rights, contact us at the address below.
8.4 Rights for Nigerian users (NDPR)
Under the Nigeria Data Protection Regulation (NDPR), you have the right to access, correct, and request deletion of your personal data. You may lodge complaints with the National Information Technology Development Agency (NITDA).
To exercise any of your rights, email us at privacy@reviewfilterglobal.com with the subject "Data Rights Request." We will respond within 30 days.
9 Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: retained while your account is active. Deleted within 30 days of an account deletion request.
- Invite records: retained for 24 months from the date of the invite, then automatically purged.
- Private complaint data: retained while your account is active. You can delete individual complaints from your dashboard at any time.
- Billing records: retained for 7 years to comply with financial regulations. Managed by LemonSqueezy as Merchant of Record.
- Site visit logs: retained for 12 months then automatically purged.
When you request account deletion, we will permanently delete all your data from our live database within 7 business days. Encrypted backups are purged within 30 days.
10 Children's Privacy
ReviewFilter Global is a business-to-business (B2B) service designed for use by business owners and professionals. Our Service is not directed at or intended for use by children under the age of 18.
We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@reviewfilterglobal.com and we will delete it promptly.
11 International Data Transfers
ReviewFilter Global is operated from Nigeria. Your data is stored on Supabase infrastructure hosted on AWS servers. Depending on the region you select when we configure your project, data may be stored in the United States, European Union, or other jurisdictions.
Where we transfer personal data from the EEA or UK to countries that do not have an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for transfer. Supabase provides SCCs as part of their Data Processing Agreement.
For Nigerian users, data processing and storage complies with the Nigeria Data Protection Regulation (NDPR) 2019 and its implementing framework.
12 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to all registered business account holders
- Display a notice in the dashboard for 30 days after the change
Your continued use of the Service after any changes constitutes your acceptance of the updated policy. If you do not agree with the updated policy, you may cancel your account and request deletion of your data.
13 SMS Data & Consent Requirements
ReviewFilter Global provides SMS-based review invitation tools. The following rules govern how customer phone numbers may be used on this platform:
- Phone numbers submitted to this platform must belong to individuals who have a direct, pre-existing relationship with your business
- By uploading or entering any phone number, you confirm that the individual has consented to receiving SMS communications from your business
- ReviewFilter Global does not sell, share, or transfer customer phone numbers to any third party for marketing purposes
- Phone numbers are used solely to deliver the review invitation SMS you initiate — they are not used for any other purpose
- Users of this platform are prohibited from using it to send spam, bulk unsolicited messages, or any communication unrelated to a genuine review request
- Opt-out requests received from your customers must be honoured immediately — continued contact after an opt-out via this platform is a violation of these terms
Prohibited use: This platform must not be used to send unsolicited SMS messages of any kind. Accounts found in violation of this policy will be suspended immediately and without refund.
14 Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy-related requests within 30 days. For urgent data breach notifications, we will respond within 72 hours.