Our Commitment to GDPR
ReviewFlowAI is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland. This page outlines our GDPR compliance measures and your rights as a data subject.
Data Controller
ReviewFlowAI, Inc. acts as the data controller for personal data collected through our platform. For businesses using our Service, we act as a data processor on your behalf when handling your customers' interaction data.
Legal Basis for Processing
We process personal data based on the following legal grounds: contractual necessity (to provide the Service you've subscribed to); legitimate interest (to improve our platform and communicate with you); consent (for marketing communications and non-essential cookies); legal obligation (for tax, accounting, and regulatory compliance).
Data Processing for AI Features
Our AI content generation processes business profile data to create personalized reviews and marketing content. This processing is performed under the legal basis of contractual necessity. Business profile data is processed in real time and is not used to train our AI models. We do not make automated decisions that have legal or similarly significant effects on individuals without human oversight.
International Data Transfers
Our servers are located in the United States. For EEA users, we ensure adequate protection for international data transfers through Standard Contractual Clauses (SCCs) approved by the European Commission. We also implement supplementary technical measures including encryption and access controls.
Data Protection Measures
We implement comprehensive technical and organizational measures including: end-to-end encryption (TLS 1.3 in transit, AES-256 at rest); role-based access controls with multi-factor authentication; regular security audits and penetration testing; data minimization practices; employee training on data protection; incident response procedures with 72-hour breach notification.
Your Rights Under GDPR
Right to Access
You can request a copy of all personal data we hold about you and your business. We will provide this within 30 days of your request.
Right to Erasure
You can request the deletion of your personal data. We will erase your data within 30 days, except where retention is required by law.
Right to Portability
You can request your data in a structured, machine-readable format (JSON or CSV) to transfer to another service provider.
Right to Restrict Processing
You can request that we limit how we process your data while we address your concerns or verify the accuracy of your information.
Right to Object
You can object to the processing of your data for direct marketing purposes. We will stop processing your data for marketing immediately upon request.
Right to Rectification
You can request correction of any inaccurate or incomplete personal data we hold about you. Updates will be applied within 7 business days.
Exercising Your Rights
To exercise any of your GDPR rights, please contact our Data Protection Officer at [email protected]. We will respond to your request within 30 days. If we need additional time, we will inform you of the extension and the reasons for the delay. There is no fee for exercising your rights, except in cases of manifestly unfounded or excessive requests.
Data Protection Officer
Our Data Protection Officer can be reached at:
Email: [email protected]
Address: 123 Market Street, Suite 400, San Francisco, CA 94105
Supervisory Authority
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority. We encourage you to contact us first so we can address your concerns directly.