Privacy Policy
Last updated: July 14, 2026
1. Introduction & Data Controller
RevlyHQ ("we," "our," or "us") is an AI-powered review response platform designed for multi-location restaurant chains in the United States. RevlyHQ is operated as a sole proprietorship based in India.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at revlyhq.com. By using RevlyHQ, you agree to the practices described in this policy.
Data Controller: RevlyHQ (sole proprietorship, India)
Privacy Contact: privacy@revlyhq.com
If you are located in the European Economic Area (EEA) or the United Kingdom, you have certain rights under the General Data Protection Regulation (GDPR). If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA). We respect and honor these rights regardless of where you are located.
2. Information We Collect
Account Information
When you register for RevlyHQ, we collect your full name, email address, and business name. This information is used to create and manage your account, communicate with you about your subscription, and provide customer support.
Google Business Profile Data (via OAuth)
To provide our core service, you authorize RevlyHQ to access your Google Business Profile through Google's OAuth 2.0 protocol. The data we access includes:
- Your Google Business Profile information (business name, address, category, locations)
- Customer reviews posted to your business locations
- Location-level metadata necessary to post review responses
- OAuth access and refresh tokens required to act on your behalf
We access only the data necessary to generate and post review responses. We do not access your personal Google account data, Gmail, Google Drive, or any Google service outside of the Google My Business API scope you explicitly authorize.
Payment Information
Billing and subscription payments are processed by Dodo Payments and/or Razorpay, our third-party payment processors. We do not collect, transmit, or store your credit card numbers, bank account details, or other sensitive payment credentials. We receive only a payment confirmation token, subscription status, and billing metadata (such as amount paid and invoice date) from these processors.
Usage Data
We use PostHog to collect anonymized analytics about how you interact with the RevlyHQ dashboard. This includes pages visited, features used, review response rates, and general product engagement metrics. This data helps us improve the product experience.
Technical Data
We automatically collect certain technical information when you use our platform, including your IP address, browser type and version, device type, operating system, and referring URLs. We also use Sentry for error monitoring, which captures diagnostic information (such as stack traces and device context) when our application encounters an error. This data is used solely to diagnose and fix technical issues.
3. How We Use Your Information
We use the information we collect for the following purposes:
- AI Review Response Generation: Review text from your Google Business Profile is sent to OpenAI's API (GPT-4o-mini) to generate professional, context-aware response drafts on your behalf.
- Posting Responses to Google: Using your authorized Google OAuth credentials, we post approved review responses directly to your Google Business Profile locations.
- Transactional Email Communications: We use Resend to send emails related to your account, including welcome messages, billing receipts, subscription changes, and important product notifications.
- Billing and Subscription Management: We use your billing metadata to manage your subscription plan, process renewals, handle upgrades or downgrades, and generate invoices.
- Analytics and Product Improvement: Usage data collected via PostHog is analyzed in aggregate to understand feature adoption, identify friction points, and improve the RevlyHQ platform.
- Error Monitoring and Security: Technical data collected via Sentry is used to detect, investigate, and resolve application errors, crashes, and performance issues.
- Legal Compliance: We may process your data as required to comply with applicable laws, regulations, court orders, or government requests.
4. Data Sharing and Third-Party Services
We do not sell your personal data. We share data only with the following third-party service providers, and only to the extent necessary to operate our platform:
OpenAI
Review text is sent to OpenAI to generate response suggestions. OpenAI's data use is governed by their API data usage policies. Data sent is limited to review content required for generation.
We interact with Google's OAuth and Business Profile APIs under your authorization. Google's Privacy Policy governs how Google handles data on their end.
Supabase
Your account data, Google OAuth tokens, and review/response records are stored in a Supabase-hosted PostgreSQL database. Data is encrypted at rest and in transit.
Dodo Payments / Razorpay
Payment processing is handled entirely by our payment processors. They receive your payment information directly and return only a billing status to us. Their own privacy policies govern the handling of payment data.
Resend
Your name and email address are shared with Resend solely to deliver transactional emails on our behalf.
PostHog
Anonymized usage events and analytics are sent to PostHog to help us understand product usage patterns. We do not send personally identifiable information to PostHog beyond what is technically inevitable (such as IP address, which PostHog may anonymize).
Sentry
Error diagnostics including stack traces, browser/device context, and related technical metadata are shared with Sentry to facilitate error resolution.
We require all third-party processors to maintain appropriate data protection standards and use your data only as directed by us. We do not share your personal data with any other parties except as required by law.
5. Google User Data
This section specifically addresses how RevlyHQ accesses, uses, stores, and shares data obtained through Google APIs, in compliance with Google's API Services User Data Policy.
What Google Data We Access
- Google Business Profile locations associated with your account
- Customer reviews posted to your business locations (review text, star rating, reviewer name, date)
- The ability to post and manage review replies on your behalf
How We Use Google Data
Google user data is used exclusively to provide the RevlyHQ service you have requested — specifically, to retrieve your customer reviews, generate AI-powered response suggestions, and post approved responses back to your Google Business Profile. We do not use Google user data for advertising, profiling, or any purpose unrelated to the core functionality of responding to reviews.
Sharing of Google User Data
We do not share Google user data with any third parties except:
- OpenAI: Review text is transmitted to OpenAI's API solely to generate a response draft. This is the minimum necessary for the service to function. OpenAI's API data retention policies apply.
- Supabase: Review and response data is stored in our database to maintain a record of your activity within the platform.
We do not use Google data to train our own AI models. We do not transfer, sell, or use Google user data for any secondary purposes.
Revoking Google Access
You may revoke RevlyHQ's access to your Google account at any time by visiting your Google Account Permissions page and removing RevlyHQ. Upon revocation, we will no longer be able to access your Google Business Profile data. Existing data stored in our systems will be subject to our standard data retention policy outlined in Section 6.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide you with our services, subject to the following:
- Account Data: Your name, email, and business information are retained for the duration of your account. Upon account deletion, this data is permanently deleted within 30 days, unless retention is required by law.
- Google OAuth Tokens: OAuth tokens are deleted immediately upon account deletion or Google access revocation.
- Review and Response Records: Records of reviews retrieved and responses generated or posted are retained for the duration of your account to support your dashboard history. These are deleted upon account deletion.
- Payment Records: Billing records, invoices, and transaction histories are retained for a minimum of 7 (seven) years to comply with applicable tax and financial record-keeping obligations under Indian and international law.
- Error Logs: Sentry diagnostic logs are automatically purged according to Sentry's retention settings, typically within 90 days.
To request deletion of your account and associated data, email us at privacy@revlyhq.com.
7. Security
We take the security of your data seriously and implement industry-standard safeguards, including:
- TLS/HTTPS encryption for all data transmitted between your browser and our servers
- Encryption at rest for all data stored in Supabase
- OAuth 2.0 tokens stored with restricted access controls
- Role-based access control within our infrastructure
- Regular dependency and security audits
- Real-time error and anomaly monitoring via Sentry
No method of data transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that materially affects your rights, we will notify affected users as required by applicable law.
8. Your Privacy Rights
GDPR Rights (EEA / UK Users)
If you are located in the EEA or UK, you have the following rights under the GDPR:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Restriction: Request that we limit the processing of your data in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to certain types of processing, including processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
CCPA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, and the purposes for which it is used.
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. You can direct us not to sell your data at any time, though no sale is currently occurring.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise any of these rights, please contact us at privacy@revlyhq.com. We will respond to verifiable requests within 30 days. We may need to verify your identity before processing your request.
9. Cookies and Tracking
RevlyHQ uses a minimal set of cookies necessary to operate the platform:
- Session Cookies: Required to maintain your authenticated session while using the dashboard. These are deleted when you close your browser or log out.
- Authentication Cookies: Set by Supabase Auth to persist your login state across sessions, if you choose the "Remember me" option.
We do not use advertising cookies, cross-site tracking pixels, or third-party marketing trackers. PostHog analytics may use a first-party cookie to maintain a consistent session identifier for product analytics purposes.
You can configure your browser to refuse or delete cookies, but doing so may impair the functionality of the RevlyHQ platform.
10. Children's Privacy
RevlyHQ is a business-to-business software platform intended solely for use by adults aged 18 and older. We do not knowingly collect or solicit personal information from anyone under the age of 18. If you believe a minor has provided us with personal information, please contact us at privacy@revlyhq.com and we will promptly delete that information.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email at the address associated with your account.
Your continued use of RevlyHQ after any changes to this policy constitutes your acceptance of the updated terms. We encourage you to review this policy periodically.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy-related inquiries within 5 business days. For formal data subject requests under GDPR or CCPA, we will respond within the legally required timeframe (30 days for CCPA; one month for GDPR, with the possibility of a two-month extension for complex requests).
© 2026 RevlyHQ. All rights reserved.