Privacy Policy

Last Updated: October 7, 2025

Introduction

Review Runner ("we", "our", or "us") is committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, store, and protect your information when you use our review request platform.

Review Runner is registered in the United Kingdom and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who We Are

Data Controller: Review Runner

Contact: matt@review-runner.co.uk

ICO Registration: [Registration number]

Information We Collect

1. Business Account Information

When you register for Review Runner, we collect:

  • Business name and address
  • Contact name and email address
  • Phone number
  • Google Places business information
  • Billing and payment information

2. Customer Contact Information

When you add customers to send review requests, we process:

  • Customer names
  • Phone numbers (for SMS requests)
  • Email addresses (for email requests)
  • Review request history and engagement data

3. Usage and Technical Data

We automatically collect:

  • Device and browser information
  • IP addresses and location data
  • Usage statistics and analytics
  • Error logs and performance data
  • Authentication and session data
  • Marketing website interactions and page views (via analytics and advertising pixels)

4. Communications Data

We record:

  • SMS and email delivery status
  • Message engagement (opens, clicks)
  • Customer opt-outs and preferences
  • Support correspondence

Legal Basis for Processing

We process your data under the following legal bases:

  • Contract Performance: To provide our review request services to you
  • Legitimate Interests: To improve our services, prevent fraud, and ensure platform security
  • Legal Obligation: To comply with UK tax, accounting, and legal requirements
  • Consent: For marketing communications and non-essential cookies (including analytics and advertising pixels on our marketing website)

For customer contact data that you upload, you act as the data controller and we act as your data processor. You are responsible for ensuring you have an appropriate legal basis and consent to collect and process your customers' data.

How We Use Your Information

1. Provide Our Service

  • Send SMS and email review requests on your behalf
  • Track delivery status and engagement metrics
  • Generate analytics and reporting
  • Manage your account and billing

2. Service Improvement

  • Analyse usage patterns to improve features
  • Troubleshoot technical issues
  • Develop new functionality

3. Communication

  • Send service updates and notifications
  • Respond to support requests
  • Send marketing communications (with your consent)

4. Legal and Security

  • Prevent fraud and abuse
  • Comply with legal obligations
  • Enforce our terms of service

Third-Party Services

We use trusted service providers to deliver Review Runner. All providers are contractually bound to GDPR-equivalent data protection standards through Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) where applicable.

Service Categories

Core Infrastructure:

  • Authentication and identity management
  • Database hosting (UK-based)
  • Application hosting (EU-based)
  • Message queue processing (EU-based)

Communication Services:

  • SMS message delivery
  • Email message delivery

Business Services:

  • Business verification and location data
  • Web fonts delivery
  • Payment processing (details to be added when service launches)

Marketing (Website Only):

  • Website analytics (with consent)
  • Advertising and conversion tracking (with consent)

Detailed Subprocessor Information

For complete details about each subprocessor, including:

  • Specific data processed
  • Data storage locations
  • Security certifications
  • Transfer mechanisms and safeguards
  • Contact information

See our complete Subprocessor List

Subprocessor Changes

We will notify you at least 30 days before making material changes to our subprocessors, giving you the opportunity to object. Updates to our subprocessor list are reflected on the dedicated subprocessors page.

International Data Transfers

Data Storage Locations

Your data is stored and processed primarily within the UK and European Union:

Infrastructure Hosting:

  • Primary Database (Supabase): AWS eu-west-2 (London, UK)
  • Application Hosting (Vercel): AWS eu-west-1 (Dublin, Ireland)
  • Message Queue (Upstash Redis): AWS eu-west-1 (Dublin, Ireland)

This means your core data—customer contacts, review requests, business information—remains within UK/EU data centers with strong data protection laws.

US-Based Service Providers

While data is hosted in the UK/EU, we use certain US-based service providers who process data on our behalf. Under UK GDPR, this constitutes an "international data transfer" because these companies are subject to US jurisdiction, even when using EU infrastructure.

Service Providers Subject to US Jurisdiction:

  • Clerk - User authentication and access control
  • Twilio - SMS message delivery
  • SendGrid by Twilio - Email message delivery
  • Google Cloud Platform - Business information services (Google Places API, Google Fonts API)

For detailed information about each service provider, see our Subprocessors page.

Legal Basis for International Transfers

All international data transfers are conducted under Standard Contractual Clauses (SCCs) approved by:

  • The European Commission (for EU GDPR compliance)
  • The UK Government (for UK GDPR compliance under Article 46)

SCCs are legally binding contracts that require US-based processors to provide equivalent data protection to UK GDPR standards.

Additional Safeguards

Beyond Standard Contractual Clauses, we implement supplementary measures:

Technical Safeguards:

  • Encryption in transit (TLS 1.3) and at rest
  • Strict access controls and authentication requirements
  • Data minimization (only necessary data shared)

Organizational Safeguards:

  • Quarterly reviews of processor compliance
  • Contractual GDPR-equivalent obligations
  • Audit rights over processor practices
  • Mandatory data breach notification procedures
  • Subprocessor approval requirements

Legal Safeguards:

  • Transfer Impact Assessments (TIAs) completed for all US transfers
  • Contractual restrictions on government data access
  • Processors must facilitate your GDPR rights requests
  • Clear liability provisions

Your Rights Regarding International Transfers

You have the right to:

  • Request copies of the Standard Contractual Clauses we rely on
  • Object to transfers to specific processors (we'll work with you on alternatives)
  • Request additional information about safeguards in place
  • Receive our Transfer Impact Assessments upon request

To exercise these rights or request more information about our international data transfers, contact us at matt@review-runner.co.uk.

Changes to International Transfers

If we add new processors involving international transfers, change data processing jurisdictions, or modify transfer safeguards, we will update this Privacy Policy and notify you via email at least 30 days in advance, giving you the opportunity to object.

Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Retained while your account is active, plus 7 years for tax/legal compliance
  • Customer Contact Data: Retained while your account is active or until you delete it
  • Review Request Data: Retained for 24 months after the request is sent
  • Suppression Lists: Retained indefinitely to honour opt-out requests
  • Transaction Records: Retained for 7 years for accounting and tax purposes

You can request earlier deletion of your data, subject to our legal obligations to retain certain records.

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing communications
  • Right to Complain: Lodge a complaint with the ICO

To exercise any of these rights, please contact us at matt@review-runner.co.uk.

Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Regular backups and disaster recovery procedures
  • Employee training on data protection
  • Incident response procedures

Customer Data Responsibilities

As a Review Runner user, you are responsible for:

  • Ensuring you have an appropriate legal basis and consent to collect and process your customers' contact information
  • Complying with UK GDPR and the Privacy and Electronic Communications Regulations (PECR)
  • Honouring opt-out requests and managing your suppression lists
  • Providing clear privacy information to your customers
  • Not using Review Runner for spam or unsolicited marketing

We provide tools to help you comply (such as automatic suppression list management and opt-out handling), but ultimate responsibility for lawful processing rests with you as the data controller for your customer data.

Cookies and Tracking

Application Platform

Within the Review Runner application, we use only essential cookies necessary for authentication and core functionality.

Marketing Website

Our marketing website (reviewrunner.co.uk) uses additional cookies and tracking technologies:

Essential Cookies:

  • Session management and security
  • User preferences

Analytics Cookies (with your consent):

  • Google Analytics/Tag Manager - To understand how visitors use our website
  • Vercel Analytics - Privacy-friendly website performance monitoring

Advertising and Remarketing (with your consent):

  • Meta Pixel (Facebook) - For conversion tracking and targeted advertising
  • LinkedIn Insight Tag - For B2B advertising and conversion tracking
  • Google Ads - For conversion tracking and remarketing campaigns

These advertising technologies allow us to show relevant ads to people who have visited our website and to measure the effectiveness of our advertising campaigns. They may track you across different websites and build an advertising profile.

Your Choices:

  • You can accept or decline non-essential cookies via our cookie consent banner
  • Manage your preferences at any time through your browser settings
  • Opt out of personalised advertising:

Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Children's Privacy

Review Runner is not intended for use by individuals under 18. We do not knowingly collect data from children.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent notice within the platform. Continued use of Review Runner after changes indicates acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

For information about our subprocessors, see our Subprocessors page.

Complaints

If you're not satisfied with our response to any privacy concern, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

ICO Website: https://ico.org.uk/make-a-complaint/

ICO Helpline: 0303 123 1113