Privacy Policy

This Privacy Policy describes how Rewoly ("we", "us", "our") collects, uses, and protects information when you use our service.

1. Information we collect

When you sign up and connect a Google Business Profile, we collect:

• Your name and email address (from your Google account or email signup)
• OAuth tokens granting us scoped access to your Google Business Profile API
• Business Profile metadata: location names, addresses, time zones
• Reviews and review replies retrieved via the Google Business Profile API
• Settings you configure (brand voice, tone preferences)
• Subscription and billing information processed by Stripe

2. How we use your information

• To sync reviews from your Google Business Profile to your Rewoly inbox
• To generate AI-suggested replies tailored to your brand voice
• To post replies to Google when you authorize them
• To provide analytics and aggregated metrics within your account
• To process your subscription and send service-related emails

3. Google API data usage

Rewoly's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only request the business.manage OAuth scope, plus email/profile for sign-in identification
• We do NOT use Google data to serve advertising
• We do NOT sell or share your Google data with third parties
• We do NOT allow humans to read your reviews or replies, except where required to investigate abuse, enforce our terms, comply with legal process, or with your explicit consent
• You may revoke our access at any time from your Google account permissions page

4. Data storage and security

Your data is stored on managed infrastructure (Supabase, Render, Upstash) in EU-region data centers. Access tokens and other sensitive credentials are stored with row-level access controls; only our backend service can read them. We do not store your Google account password — we never see it.

5. AI processing

Review text and your configured brand voice settings are sent to OpenAI for the sole purpose of generating reply drafts. OpenAI's data handling for API requests follows their standard privacy policy; API inputs are not used to train OpenAI models.

6. Your rights

You may request access to, correction of, or deletion of your personal data at any time by emailing [email protected]. Disconnecting a Google account from Rewoly removes all associated tokens and stops further data sync; full account deletion removes everything within 30 days.

7. Cookies

We use a single first-party authentication cookie (managed by Supabase Auth) to keep you signed in. We do not use third-party tracking or advertising cookies.

8. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to active users via email at least 14 days before they take effect.

9. Contact

Questions about this policy? Email [email protected].