Privacy Policy

For data collected from a business owner (your account email, business name, brand colour, Google review URL, billing details), ReviewFlow AI is the controller.

For data collected from a customer who scans your QR code (their rating, highlights, typed feedback, AI draft, optional private feedback), the business owner is the controller and ReviewFlow AI is the processor — we only handle this data on the business's behalf.

• Email address and password (for account sign-in via Supabase Auth)
• Business profile: name, slug, industry, brand colour, logo, property image, Google review URL, support email
• Subscription status and Razorpay subscription / payment identifiers (we do not store card numbers)
• Basic analytics events tied to your account (QR scans, draft generations, etc.)

• Rating (Excellent / Good / Average / Needs improvement)
• Answer to the business's quick question (Yes / Partially / No)
• Selected highlight tags (e.g. "Service", "Cleanliness")
• Optional typed feedback in their own words
• AI-generated draft text built from the above inputs
• Whether they tapped Copy or Open Google Review
• Optional private feedback text (visible only to the business owner)

We do not collect the customer's name, email, phone number, or Google account credentials. We never ask the customer to log in to anything.

• To operate the service: generate AI drafts, show owner dashboards, track usage limits.
• To process payments via Razorpay (₹199/month + ₹100/month per extra location).
• To send email customer support (paid customers only, via support@reviewflow.ai).
• To improve product quality through aggregated, anonymised analytics.

We do not sell your data, sell customer feedback, or share it with third parties for marketing.

• Supabase (Mumbai region) — auth + Postgres database
• Vercel — application hosting and CDN
• Razorpay — payment processing (PCI-DSS compliant)
• OpenAI / Anthropic — AI review draft generation. Inputs (customer's selections + typed feedback) are sent to generate the draft. We do not allow the model providers to train on this data.

Customer feedback and business profile data is stored in Supabase Postgres in the South Asia (Mumbai) region. We do not transfer your data outside India for storage, though some operational requests (e.g. AI draft generation) involve processing on US-based servers operated by our AI subprocessor.

• While your account is active, we keep your business data and customer responses indefinitely so you can see your history.
• When you cancel and ask for deletion, we delete your business and all associated customer responses within 30 days.
• Razorpay payment records may be retained for up to 8 years for Indian tax compliance.

You can at any time:

• Access the data we hold about your business — visible directly in your dashboard.
• Correct or update your business profile in Settings.
• Export your customer responses as CSV (email us — we will send within 7 working days).
• Delete your account by emailing support@reviewflow.ai from the registered account email.

Customers who left feedback on a business's QR page can ask the business owner to delete their response, or email us directly.

All data is encrypted in transit (HTTPS) and at rest (Supabase managed encryption). Database access is restricted by Row-Level Security so one business can never read another business's data. Admin-level access is limited to a small allowlist of operator emails and is logged.

The service is for business owners and their adult customers. We do not knowingly collect information from anyone under 18.

If we make material changes, we will email all active account owners at least 14 days before they take effect.

Questions, requests, or complaints: support@reviewflow.ai.