Privacy Policy

1. Introduction

Welcome to Pawfect Reviews ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at reputation-management-sigma.vercel.app (the "Service").

This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, and Google account details when you sign up
• Business Information: Business name, location details, and Google Business Profile information
• Preferences: Auto-reply settings, notification preferences, response templates, and tone preferences
• Customer Data: Customer names, visit information, and pet details you choose to track

2.2 Information Collected Automatically

• Google Business Profile Data: Reviews, ratings, reviewer information, review dates, and business metrics
• Google Calendar Data: Event titles, dates, times, descriptions, and attendee information from calendars you connect
• Usage Data: Pages visited, features used, time spent in the Service, and interaction patterns
• Device Information: IP address, browser type, operating system, device identifiers
• Authentication Tokens: OAuth tokens and refresh tokens for Google API access

2.3 Information from Third Parties

• Google: Profile information, business locations, reviews, calendar events
• OpenAI: AI-generated content based on review data (processed, not stored by OpenAI)

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Service Provision

• Authenticating and managing your account
• Synchronizing reviews from your Google Business Profile
• Syncing calendar events to track appointments
• Generating AI-powered or template-based review responses
• Posting approved responses to your Google Business Profile
• Analyzing review sentiment and providing analytics
• Managing multiple business locations
• Tracking customers and visits

3.2 Communication

• Sending notifications about new reviews, especially negative ones
• Alerting you to calendar events and appointment completions
• Providing service updates and important announcements
• Responding to your inquiries and support requests

3.3 Service Improvement

• Analyzing usage patterns to improve features
• Identifying and fixing technical issues
• Developing new features based on user needs
• Improving AI response quality and accuracy

3.4 Legal and Security

• Complying with legal obligations and requests
• Preventing fraud, abuse, and security incidents
• Enforcing our Terms of Service
• Protecting our rights and property

4. Legal Basis for Processing (GDPR)

For users in the EEA, UK, or Switzerland, we process your data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you requested
• Consent: When you opt-in to AI auto-replies, template responses, or notifications
• Legitimate Interests: Improving our Service, preventing fraud, and ensuring security
• Legal Obligation: Complying with applicable laws and regulations

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

• Google: To access your Business Profile and Calendar data via their APIs
• OpenAI: To generate AI-powered review responses (data is sent but not stored by OpenAI)
• Vercel: For hosting and deployment infrastructure
• Database Provider: For secure PostgreSQL data storage

These service providers are contractually obligated to use your data only for providing services to us and are prohibited from using it for their own purposes.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal processes (subpoenas, court orders)
• Government or regulatory requests
• Protection of rights, property, or safety
• Prevention of fraud or security threats

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and your options.

5.4 With Your Consent

We may share your information with other third parties when you explicitly consent to such sharing.

6. Data Storage and Security

6.1 Where We Store Your Data

• Application: Hosted on Vercel's secure infrastructure
• Database: PostgreSQL database with encrypted connections
• Backups: Regular automated backups for disaster recovery
• OAuth Tokens: Encrypted storage for Google API access tokens

6.2 Security Measures

We implement industry-standard security measures including:

• Encryption in transit (HTTPS/TLS)
• Encryption at rest for sensitive data
• Secure authentication using OAuth 2.0
• Regular security audits and updates
• Access controls and authentication requirements
• Monitoring for suspicious activity

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6.3 Data Retention

We retain your information for as long as:

• Your account is active
• Needed to provide the Service to you
• Required by law or for legitimate business purposes
• Necessary to resolve disputes or enforce our Terms

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required for legal, regulatory, or operational purposes.

7. Your Rights and Choices

7.1 Access and Portability

You have the right to:

• Access your personal data stored in our Service
• Export your data in a machine-readable format
• Request a copy of your data for transfer to another service

7.2 Correction and Update

You can:

• Update your account information through the settings page
• Correct inaccurate or incomplete data
• Request correction of data you cannot update yourself

7.3 Deletion (Right to be Forgotten)

You can:

• Delete your account through the settings page
• Request deletion of specific data
• Revoke Google account access through Google Account settings

Note: Some data may be retained for legal or operational purposes even after deletion.

7.4 Opt-Out and Consent Withdrawal

You can:

• Disable AI auto-replies at any time
• Turn off template-based responses
• Manage notification preferences
• Disconnect Google Calendar or Business Profile access
• Revoke Google API permissions through your Google Account

7.5 Object and Restrict Processing

You have the right to:

• Object to processing based on legitimate interests
• Request restriction of processing in certain circumstances
• Opt out of automated decision-making (though our AI responses are subject to your review and approval)

7.6 Lodge a Complaint

If you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

8. Google API Services User Data Policy

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only access the minimum Google user data necessary to provide our Service
• We do not use Google user data for serving advertisements
• We do not allow humans to read your Google data unless necessary for security, compliance, or with your consent
• We do not transfer Google user data to third parties except as necessary to provide the Service
• You can revoke our access to your Google data at any time through your Google Account settings

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

• Session Cookies: Maintain your login state and session information
• Authentication Cookies: Verify your identity and secure your account
• Preference Cookies: Remember your settings and preferences
• Analytics: Understand how users interact with our Service (anonymized)

Most browsers allow you to control cookies through settings. However, disabling cookies may affect your ability to use certain features of the Service.

10. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will delete such information.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from your jurisdiction.

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by relevant authorities
• Your explicit consent where required

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information collected, used, and shared
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of the sale of personal information (note: we do not sell data)
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, please contact us using the information in Section 14.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Send you an email notification
• Display a prominent notice in the Service
• Request your consent if required by law

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For GDPR-related inquiries, please include "GDPR Request" in your email subject line. We will respond to your request within 30 days as required by law.