ReviewBounce

GDPR Compliance

ReviewBounce is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements and how you can exercise your rights.

While ReviewBounce operates from India, we recognize and respect the data protection rights of individuals in the European Economic Area (EEA) and United Kingdom (UK). We apply GDPR-aligned practices to all users, regardless of location.

1. Roles & Responsibilities

Under GDPR, data handling involves two key roles. Here is how they apply within the ReviewBounce ecosystem:

1.1 When ReviewBounce Is the Data Controller

We act as the data controller when we collect and process:

  • Agency account registration data (name, email, agency details)
  • Billing and payment information
  • Usage analytics and platform interaction data
  • Support communications

1.2 When ReviewBounce Is the Data Processor

We act as the data processor when agencies use our platform to manage client data. In this capacity:

  • The agency is the data controller for their clients' business profile data, review data, and end-customer interactions
  • ReviewBounce processes this data solely on the agency's instructions and for the purpose of providing the Service
  • We do not independently determine the purpose or means of processing client data

2. Lawful Basis for Processing

We process personal data under the following legal bases as defined by GDPR Article 6:

Processing Activity | Lawful Basis
Account creation and management | Contract — Necessary to provide the Service you subscribed to
Billing and payment processing | Contract — Necessary to fulfill subscription obligations
Google Business Profile data sync | Contract — Core functionality of the Service
AI-powered review responses | Contract — Feature included in your subscription
Platform analytics and improvement | Legitimate Interest — Improving service quality and performance
Security monitoring and fraud prevention | Legitimate Interest — Protecting users and infrastructure
Marketing communications | Consent — Only with your explicit opt-in
Cookie analytics (non-essential) | Consent — Via cookie consent mechanism

3. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights regarding your personal data:

3.1 Right of Access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this in a commonly used, machine-readable format within 30 days.

3.2 Right to Rectification (Article 16)

If any personal data we hold is inaccurate or incomplete, you can request that we correct or complete it. You can also update most information directly through your agency dashboard.

3.3 Right to Erasure / Right to Be Forgotten (Article 17)

You can request deletion of your personal data. Upon receiving such a request, we will:

  • Delete your agency account and associated data
  • Remove all connected Google Business Profile data from our systems
  • Delete uploaded media, custom branding assets, and configuration
  • Revoke all stored Google API tokens
  • Retain only data required for legal compliance (e.g., billing records for tax purposes)

3.4 Right to Data Portability (Article 20)

You can request your data in a structured, commonly used, and machine-readable format (JSON or CSV). This includes your account data, review data, response history, and analytics reports.

3.5 Right to Restrict Processing (Article 18)

You can request that we temporarily stop processing your personal data while we verify the accuracy of data or assess a processing objection.

3.6 Right to Object (Article 21)

You can object to processing based on legitimate interest. If you object, we will stop processing unless we demonstrate compelling legitimate grounds that override your interests.

3.7 Right Related to Automated Decision-Making (Article 22)

Our AI engine automates review response generation and sentiment analysis. You have the right to:

  • Disable automatic review response publishing and switch to manual approval
  • Review and edit any AI-generated content before it is published
  • Request human review of AI sentiment categorizations

4. How to Exercise Your Rights

To exercise any of the above rights, contact our data protection team:

We will verify your identity before processing any request. You will receive a response within 30 days. If we need more time (up to an additional 60 days for complex requests), we will inform you of the reason for the delay.

5. Data Processing Details

5.1 Sub-Processors

We use the following sub-processors to deliver the Service:

Sub-Processor | Purpose | Data Processed
Supabase | Database & authentication | Account data, application data, auth tokens
Cloudflare (R2) | Media storage & CDN | Uploaded images, GBP media files
Google Cloud (Gemini AI) | AI review responses & sentiment analysis | Review text content (no PII)
Google APIs | GBP data synchronization | Business profile data, reviews, metrics
Vercel | Application hosting | Application traffic, server-side rendering
Stripe | Payment processing | Customer name, email, billing details
Lemon Squeezy | Payment processing & Merchant of Record | Customer name, email, billing details

5.2 Data Transfers

Some sub-processors may process data outside the EEA. Where this occurs, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding corporate rules of the sub-processor

5.3 Data Retention

We retain personal data only for as long as necessary to provide the Service and fulfill our legal obligations:

  • Active accounts: Data retained throughout the subscription period
  • Cancelled accounts: Data retained for 30 days, then deleted
  • Billing records: Retained for 7 years as required by Indian tax law
  • Support tickets: Retained for 2 years after resolution
  • Analytics data: Aggregated and anonymized — retained indefinitely

6. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected agencies without undue delay if the breach is likely to result in high risk
  • Document all breaches, including the facts, effects, and remedial actions taken

7. For Agencies: Your GDPR Obligations

As an agency using ReviewBounce to manage client data, you also have GDPR obligations:

  • Ensure you have a lawful basis to connect and manage your clients' Google Business Profiles
  • Inform your clients about how their data is processed through the ReviewBounce platform
  • If operating a white-label platform on a custom domain, implement appropriate cookie consent mechanisms
  • Respond to data subject requests from your own clients in a timely manner
  • Notify ReviewBounce promptly if a data subject requests deletion or restriction of data held in our systems

8. Contact Our Data Protection Team

For any GDPR-related inquiries, data subject requests, or concerns about how we handle personal data:

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.