Who We Are
RevSmart ("we", "us", or "our") operates the RevSmart SaaS platform at revsmart.pro, an AI-powered review response generation service for local businesses.
RevSmart is the data controller for personal information collected through the Service. Our primary contact for privacy matters is [email protected].
This Privacy Policy applies to all users of the Service regardless of location, and contains specific sections for users in the European Union, United Kingdom, and California where additional rights apply.
Data We Collect
We collect only the information necessary to provide the Service. Here is a complete breakdown:
| Category | Data Collected | How Collected |
|---|---|---|
| Account data | Full name, email address, encrypted password | Provided by you at sign-up |
| Business data | Business name, business type / industry | Provided by you when generating responses |
| Review content | Review text you paste into the generator (first 120 characters stored in history) | Provided by you when using the Service |
| Usage data | Number of responses generated per month, plan tier, response history (Pro/Agency) | Automatically recorded when you use the Service |
| Payment data | Billing status, subscription plan. Card details are processed and held by Stripe; RevSmart never sees or stores full card numbers. | Via Stripe payment processor |
| Technical data | Session tokens (stored locally in your browser). We do not collect IP addresses or device fingerprints. | Automatically generated at login |
Data We Do NOT Collect
- We do not collect IP addresses for tracking or profiling purposes;
- We do not use third-party analytics or advertising trackers;
- We do not collect sensitive personal data (health, race, religion, biometric data);
- We do not track your activity outside of our Service.
How We Use Your Data
We use your personal information only for the following purposes:
- Providing the Service: To generate AI review responses, manage your account, apply your subscription plan, and track your monthly usage;
- Processing payments: To manage your subscription and communicate billing information via Stripe;
- Service communications: To send you essential account notifications (password resets, billing receipts, service updates). We do not send marketing emails without your separate consent;
- Security: To authenticate your sessions, prevent abuse, and protect the integrity of the Service;
- Legal compliance: To comply with applicable laws and respond to lawful requests from authorities;
- Service improvement: Aggregate, anonymised usage statistics may be used to improve the Service. We do not use your personal data or review content to train AI models.
Legal Basis for Processing (GDPR)
If you are located in the European Union or United Kingdom, we process your personal data under the following legal bases as required by the GDPR:
- Contract performance (Art. 6(1)(b)): Processing your account data, business data, and usage data is necessary to provide the Service you have contracted for;
- Legitimate interests (Art. 6(1)(f)): Processing technical/security data to maintain the security and integrity of the Service;
- Legal obligation (Art. 6(1)(c)): Retaining certain data as required by Canadian and applicable law;
- Consent (Art. 6(1)(a)): Where we rely on consent (e.g., optional marketing emails), you may withdraw consent at any time without affecting prior processing.
Sharing Your Data
We share your personal information only with the following trusted third-party service providers, and only to the extent necessary to operate the Service:
| Third Party | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, and user data storage | Account data, usage data, review history | USA (AWS infrastructure) |
| Stripe, Inc. | Payment processing and subscription management | Email address, billing status | USA |
| Anthropic, PBC | AI model for generating review responses | Review text, business type, business name, sentiment | USA |
Each of these providers is bound by their own privacy policies and data processing agreements. We have selected providers who offer strong data protection commitments.
We may also disclose your information: (a) to comply with a legal obligation or lawful request from a government authority; (b) to protect the rights, property, or safety of RevSmart, our users, or the public; or (c) in connection with a merger, acquisition, or sale of assets, with prior notice to you.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained for the duration of your account, plus up to 90 days after deletion to allow for account recovery;
- Usage data: Monthly usage counts are retained for 24 months for billing and fraud prevention purposes;
- Review history: Retained indefinitely while your account is active (Pro/Agency plans). You may delete individual entries at any time;
- Payment records: Retained for 7 years as required by Canadian tax law;
- Session tokens: Stored in your browser's local storage and cleared on sign-out.
Upon account deletion, we will delete or anonymize your personal data within 90 days, except where retention is required by law.
Security
We implement industry-standard technical and organizational measures to protect your personal information:
- Passwords: Stored as bcrypt hashes via Supabase Auth. Plain-text passwords are never stored or transmitted;
- API keys: All third-party API credentials are stored server-side and are never exposed to the browser;
- Session security: Each authenticated session uses a cryptographic token. Unauthenticated requests cannot access the AI generation service;
- Data isolation: Row-level security policies in our database ensure each user can only access their own data;
- Transport encryption: All data in transit is encrypted via TLS/HTTPS.
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. If you believe your account has been compromised, please contact us immediately at [email protected].
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities within the timeframes required by applicable law (72 hours under GDPR).
International Data Transfers
RevSmart is based in Canada, which the European Commission has recognized as providing an adequate level of data protection for personal data transferred from the EU. However, some of our service providers (Supabase, Stripe, and Anthropic) are located in the United States.
For EU/UK users, transfers to the USA are protected by:
- Standard Contractual Clauses (SCCs) in our data processing agreements with providers;
- The EU-US Data Privacy Framework where applicable.
You may request details of the safeguards in place for international transfers by contacting [email protected].
Your Rights: EU & UK Users (GDPR)
If you are located in the European Union or United Kingdom, you have the following rights under the GDPR (UK GDPR):
- Right of access (Art. 15): Request a copy of the personal data we hold about you;
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data;
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations;
- Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances;
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format;
- Right to object (Art. 21): Object to processing based on legitimate interests;
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email us at [email protected] with the subject line "GDPR Rights Request". We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority (e.g., the ICO in the UK, or your local EU supervisory authority).
Your Rights: California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes for use, and the categories of third parties with whom we share it;
- Right to Delete: Request deletion of your personal information, subject to certain exceptions;
- Right to Correct: Request correction of inaccurate personal information;
- Right to Opt-Out of Sale or Sharing: RevSmart does not sell or share personal information for cross-context behavioural advertising. No opt-out is required, but you may contact us to confirm this;
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a verifiable consumer request, email [email protected] with the subject "CCPA Rights Request". We will respond within 45 days.
Categories of personal information collected (CCPA categories): Identifiers (name, email); commercial information (subscription plan, payment status); internet or other electronic network activity (usage counts, session tokens); and inferences drawn from usage data to determine subscription tier.
Your Rights: Canadian Users (PIPEDA)
As a Canadian company, RevSmart complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). Under PIPEDA, you have the right to:
- Know what personal information we hold about you and how it is used;
- Access your personal information and request corrections;
- Withdraw consent to the collection or use of your personal information (subject to legal and contractual restrictions);
- Lodge a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.
To exercise your PIPEDA rights, contact our Privacy Officer at [email protected].
Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please contact us immediately at [email protected] and we will delete it promptly.
Cookies & Local Storage
RevSmart uses browser local storage (not traditional cookies) to store your session token and application preferences. We do not use third-party advertising cookies or tracking pixels. For full details, please see our Cookies Policy.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email and update the effective date at the top of this page.
We encourage you to review this Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated Policy.
Contact & Privacy Officer
For all privacy-related enquiries, requests, or complaints, please contact our Privacy Officer:
- Email: [email protected]
- Subject line: Please use "Privacy Request - [your request type]" to ensure a fast response
- Response time: We aim to respond within 5 business days for general enquiries, and within 30 days for formal rights requests
If you are not satisfied with our response, you may contact the relevant supervisory authority:
- Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca)
- EU: Your national data protection authority (find yours at edpb.europa.eu)
- UK: Information Commissioner's Office (ICO) (ico.org.uk)
- California: California Privacy Protection Agency (cppa.ca.gov)
This Privacy Policy was last updated on February 24, 2026.