Privacy Policy
Last updated: April 25, 2026
ReviewConcierge (“ReviewConcierge”, “we”, “us”, “our”) respects your privacy. This Privacy Policy explains what information we collect, how we use it, how we share it, and the choices you have. It applies to our services at reviewconcierge.ai and our web application (the “Service”).
Entity note: ReviewConcierge is currently operated by Kyle McKay as a sole proprietorship based in California, USA. A California limited liability company is in formation and will replace this entity on publication of an updated policy.
Important: ReviewConcierge generates reply drafts to help you respond faster and stay on-brand. We do not post replies to Google on your behalf without your explicit approval. We also do not use your data or your customers’ review data to train artificial intelligence models.
1. Summary
ReviewConcierge helps hospitality businesses respond to Google reviews more efficiently by drafting owner-approved reply suggestions in the owner’s configured voice, across six languages. To provide this service we process two categories of data: account data about you as our customer, and Google Business Profile data you authorize us to access on your behalf. We do not sell, rent, or transfer your data to third parties for their own marketing purposes. You can revoke our access and request deletion of your data at any time.
2. Information we collect
2.1 Information you provide directly
- Account information: name, email address, password (hashed), business name, business location, business category, preferred language(s).
- Billing information: processed by Stripe. We do not store full credit card numbers; we receive only a token and limited metadata (last four digits, card brand, expiration).
- Voice samples and preferences: text samples you upload to train the drafting engine in your voice, configured preferences for tone and style.
- Communications: emails and support messages you send us.
2.2 Information collected automatically
- Usage data: pages visited, features used, timestamps, approximate location derived from IP address.
- Device data: browser type and version, operating system, device identifiers, screen resolution.
- Cookies and similar technologies: session cookies for authentication, preference cookies for language and settings. We do not use advertising or cross-site tracking cookies.
2.3 Google Business Profile data (with your authorization)
When you connect your Google Business Profile to ReviewConcierge — either through Google OAuth or by granting us Manager access to your Google Business Profile — we access the following through the Google Business Profile APIs:
- Reviews: review text, rating, reviewer name as displayed by Google, review timestamp, reviewer profile photo URL, reviewer language.
- Business location metadata: business name, address, phone number, hours, categories, place ID.
- Your reply drafts and published replies: the text of replies you approve and post through ReviewConcierge.
- Owner profile information: your Google account email and basic profile metadata, used solely to verify the authorization.
We access this data only for locations you have explicitly authorized ReviewConcierge to manage. We do not access data from any other Google Business Profile.
3. How we use your information
We use the information we collect to provide the Service (drafting replies, displaying reviews, posting approved replies), bill you for subscriptions, communicate about the Service, improve the Service using aggregated and de-identified data, prevent fraud and security incidents, and comply with legal obligations.
What we do NOT do with your data
- We do not use Google Business Profile data, review content, voice samples, or any customer data to train artificial intelligence models. When we use AI services (including Anthropic’s Claude) to generate draft replies, we send data to those services only for the purpose of generating a single draft, subject to contractual protections that prohibit training on that data.
- We do not sell or rent your personal information to third parties.
- We do not share your data with advertisers or data brokers.
- We do not use your data for any purpose not disclosed in this policy.
4. How we share your information
We share information only in the following limited circumstances:
4.1 Sub-processors
We use the following service providers to operate ReviewConcierge. Each sub-processor is contractually bound to protect your data and may only process it on our behalf:
| Sub-processor | Purpose | Location | Privacy |
|---|---|---|---|
| Anthropic, PBC | AI drafting (Claude API) | USA | Link |
| Supabase, Inc. | Database, authentication, storage | USA | Link |
| Stripe, Inc. | Payment processing | USA | Link |
| Vercel Inc. | Hosting, edge network, file storage | USA | Link |
| Google LLC | Business Profile APIs, Workspace email | USA | Link |
| Loom, Inc. | Demo and onboarding video hosting | USA | Link |
We may update this list from time to time. Material changes will be communicated by email or through the Service.
4.2 Legal disclosures
We may disclose personal information if required by law, subpoena, court order, or other governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request. We will notify you of such requests unless legally prohibited.
4.3 Business transfers
If ReviewConcierge is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to the acquiring party’s agreement to honor the commitments in this policy.
5. International data transfers
ReviewConcierge is based in the United States, and our sub-processors primarily store and process data in the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the United States.
For customers located in the European Economic Area, United Kingdom, or Switzerland, these transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, which we have in place with our sub-processors. For customers in other jurisdictions with cross-border transfer restrictions, we rely on legally valid transfer mechanisms applicable to your jurisdiction.
If you require a copy of the applicable transfer mechanism for your contracts, contact privacy@reviewconcierge.ai.
6. Data retention
We retain personal information only as long as necessary:
- Account information: while your account is active.
- Google Business Profile review data, draft replies, voice samples: while your account is active, plus 30 days after cancellation.
- OAuth refresh tokens and Manager access tokens: until revoked or 30 days after cancellation, whichever is sooner.
- Audit logs and security logs: 90 days from creation.
- Billing records (invoices, payment history): 7 years (US tax law requirement).
- Communications (support emails): 2 years from last interaction.
After the retention period, data is hard-deleted from primary systems. Backups are rotated on a 30-day cycle, so fully-deleted data may persist in backups for up to 30 additional days before being overwritten. If you explicitly request deletion under applicable law, we will delete your data within 30 days of verifying the request, except where we are legally required to retain specific records.
7. Your rights
Depending on your jurisdiction, you may have rights to access, rectify, erase, restrict, port, or object to processing of your personal information, and to withdraw consent or lodge a complaint with a supervisory authority.
To exercise these rights, email privacy@reviewconcierge.ai with your name, account email, the right you wish to exercise, and sufficient information for us to verify your identity. We respond within 30 days. There is no charge except where requests are manifestly unfounded or excessive.
7.1 California residents (CCPA / CPRA)
California residents have additional rights, including the right to know what personal information we collect, use, and disclose; to request deletion or correction; to opt out of sale or sharing (we do not sell or share personal information as defined under California law); to limit use of sensitive personal information; and to non-discrimination for exercising these rights.
7.2 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)
Customers in these jurisdictions have the rights listed above. Our lawful bases for processing are performance of contract, legitimate interest, legal obligation, and consent where applicable. You may lodge a complaint with your local data protection authority. EU/UK business customers may request a Data Processing Agreement (DPA) by emailing dpo@reviewconcierge.ai.
7.3 Australia, New Zealand, and South Africa
We handle personal information in accordance with the Australian Privacy Principles (Privacy Act 1988), the New Zealand Privacy Act 2020, and the South African Protection of Personal Information Act (POPIA). You may contact your local regulator with complaints.
7.4 Revoking Google Business Profile access
You can revoke ReviewConcierge’s access to your Google Business Profile at any time:
- If you connected via OAuth: visit myaccount.google.com/permissions, locate ReviewConcierge, and click Remove access.
- If you added ReviewConcierge as a Manager: visit business.google.com, open your listing, navigate to Settings → Managers, and remove kyle@reviewconcierge.ai.
Revocation is immediate. We will stop all data access within one hour and delete associated stored data within 30 days.
8. Security
We implement reasonable administrative, technical, and physical safeguards to protect personal information, including encryption of data in transit (TLS 1.2 or higher), encryption at rest (AES-256), row-level security in our database to isolate each organization’s data, strict access controls, and regular review of security practices.
No system is perfectly secure. If you become aware of a potential security issue, email security@reviewconcierge.ai. In the event of a data breach affecting your personal information, we will notify affected customers without undue delay, and within 72 hours of becoming aware of the breach where required by applicable law.
9. Children’s privacy
ReviewConcierge is a business-to-business service intended for business owners and operators. We do not knowingly collect personal information from individuals under 16. If we learn we have collected data from a minor, we will delete it promptly.
10. Google API Services User Data Policy
ReviewConcierge’s use and transfer of information received from Google APIs to any other app adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we use Google user data only to provide or improve user-facing features of ReviewConcierge that are prominent in the requesting application’s user experience; we do not transfer Google user data to others except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with user notice; we do not use Google user data for serving advertisements; we do not allow humans to read Google user data unless we have explicit consent, for security purposes, to comply with applicable law, or where the data is aggregated and anonymized; and we do not use Google user data to train AI or machine learning models.
11. Contact
For privacy-related questions and requests:
- General privacy questions: privacy@reviewconcierge.ai
- Data subject rights requests: privacy@reviewconcierge.ai
- Security incidents: security@reviewconcierge.ai
- Data Protection Officer (informal): dpo@reviewconcierge.ai
Business address:
Kyle McKay
ReviewConcierge
2021 Fillmore Street, PMB #1105
San Francisco, CA 94115-2708
United States
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to active customers at least 30 days before taking effect, and will be posted on this page with a revised “Last updated” date. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.