Privacy Policy
Last updated: February 2026 · Effective date: February 2026
1. Who we are
ReviewToReport ("we", "us", "our") is a service that reads Google Business Profile reviews on behalf of business owners, generates analytics, and creates draft replies for human review. We do not post any content automatically.
Registered entity: MACHNIEV OLEKSANDR, NIF: Y9932881T Registered address: Calle Alcalde Ramón Pastor 6, 6C, 03065 Elche (Alicante), Spain
Privacy enquiries: privacy@reviewtoreport.com
We aim to respond to general enquiries within 24 hours.
2. Data processing role
Under the General Data Protection Regulation (GDPR), the parties involved in processing your data have the following roles:
- Client (you) = Data Controller. You determine the purposes and means of processing your Google Business Profile review data by connecting your account to ReviewToReport.
- ReviewToReport = Data Processor. We process personal data (review text, reviewer names, ratings) strictly on your behalf and according to your instructions, solely to provide the ReviewToReport service.
3. What data we collect
We collect and process the following categories of data:
- Account information: workspace name and owner email address provided during onboarding.
- Google Business Profile review data: review text, rating, reviewer display name, and review date - fetched via the Google Business Profile API on your behalf.
- OAuth tokens: access and refresh tokens issued by Google, stored in encrypted form using AES-256 symmetric encryption. Tokens are never stored in plain text.
- Generated content: AI-generated draft replies and weekly digest summaries derived from your review data. These are drafts only - nothing is posted automatically.
- Usage data: scheduled job execution logs for system reliability monitoring. We do not use third-party analytics or advertising trackers.
- Browser storage: your language preference is stored in
localStoragein your browser. No tracking cookies are used.
4. Data collected via Google API
Via the Google Business Profile API we access and process the following data on your behalf:
- Business profile metadata (business name, location identifier)
- Reviews content (review text, reviewer display name)
- Public rating data (star ratings, review dates)
We explicitly confirm:
- No automated publishing of replies or any other content
- No resale or transfer of this data to third parties
- No profiling of reviewers or business owners beyond service analytics
5. How we use your data
We use your data exclusively to provide the ReviewToReport service:
- Read your Google Business Profile reviews via the Google Business Profile API.
- Generate analytics summaries and sentiment analysis.
- Generate draft replies for your consideration - you decide what to post and when.
- Deliver weekly digest reports summarising review activity.
We do not use your data for advertising, profiling, or any purpose unrelated to the core service described above.
6. Google API Services - Limited Use disclosure
ReviewToReport's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only request the
https://www.googleapis.com/auth/business.managescope, because Google does not offer a reviews-only read scope. - Our application only reads review data. We perform no write operations on your Google Business Profile.
- No data is transferred to third parties for any purpose other than those described in this policy.
- Data is used only for user-facing functionality - analytics and draft generation within the ReviewToReport service.
- No advertising use. Google API data is never used to serve advertisements.
- No data resale. We do not sell, license, or otherwise monetise your Google API data.
- We do not allow humans to read your Google API data unless you explicitly request support and consent to access.
7. Data sharing and third parties
We do not sell, rent, or share your personal data or review data with any third parties, except:
- Supabase (database hosting): review data and tokens are stored in a Supabase-managed PostgreSQL database. Supabase operates in compliance with GDPR.
- AI model provider: review text may be sent to an AI model API to generate draft replies and summaries. Review text is not used to train external models.
- Google APIs: your OAuth tokens are used solely to authenticate read requests to the Google Business Profile API.
- Legal obligations: if required by applicable law or court order.
8. Data retention
Review data is retained for up to 12 months unless the client requests earlier deletion. You may request deletion at any time (see Section 10).
OAuth tokens are deleted immediately when you disconnect your Google integration or request account deletion.
9. Data storage location
Application servers and primary database infrastructure are hosted within the European Union. No data is transferred outside the EU/EEA except where explicitly described in Section 7.
10. Security
OAuth access and refresh tokens are encrypted at rest using AES-256 symmetric encryption. Encryption keys are stored separately from the database. All data in transit is protected with TLS.
11. Your rights (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate personal data.
- Right to erasure: request deletion of your personal data and all associated review data.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to our processing of your personal data.
- Right to withdraw consent: disconnect your Google integration at any time, which immediately revokes our access to your GBP data.
To exercise any of these rights, contact us at privacy@reviewtoreport.com. We will respond within 30 days.
Legal basis for processing: we process your data on the basis of your explicit consent (OAuth authorisation) and the legitimate interest in providing the service you requested.
12. Cookies and browser storage
ReviewToReport does not use tracking or advertising cookies. We store only your language preference in browser localStorage (key: rr_lang) and a consent acknowledgement (key: rr_cookie_consent). These are functional only. You can clear them at any time via your browser settings.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the owner address on file at least 14 days before taking effect.
Questions? Contact privacy@reviewtoreport.com