Privacy Policy
Last updated: June 22, 2026
BetterReviews ("we", "our", "us") operates the BetterReviews platform, a Shopify app that helps merchants collect and display product reviews. This policy explains how we collect, use, and protect personal data.
1. Data We Collect
From Customers (via Shopify stores)
- Email address — to send post-purchase review request emails and match reviews to verified buyers
- First name — to personalize review request emails and display verified buyer attribution
- Review content — ratings, titles, text, and uploaded photos/videos submitted by customers
- Order data — order IDs, fulfillment status, and product line items to trigger post-purchase review request emails and verify purchases for verified buyer badges
- Conversation transcripts — full AI-guided conversation messages when using the chat-based review flow
- AI analysis data — quality scores, sentiment analysis, and content classifications generated from review content
From Merchants
- Account email — for authentication and communication
- Store information — store name, domain, subscription status
- Shopify access token — encrypted, used for metafield writes and order verification
- Notification recipient emails — when a merchant enables email-driven moderation, they may add additional recipient email addresses (typically their customer-support team) to receive notifications about pending reviews and customer support requests. Each recipient row carries two independent flags (notify_reviews, notify_support) that control which kinds of emails the address receives — at least one must be true. These addresses are stored encrypted at rest, masked when displayed in the merchant admin dashboard, and require one-time email-link verification before becoming active. Each recipient can revoke themselves at any time. During the unified-recipient grace window (through Q3 2026), addresses configured in the legacy Settings → Support panel are read-capable as a fallback; revoking through the new Notifications tab removes the address from the unified recipient list, but legacy support_emails aliases may continue to receive chat-bubble forwards until the legacy column is retired.
- Customer private-reply emails — when a merchant's CS rep explicitly clicks Reply Privately on a support-routed review notification, BetterReviews sends a one-time email to the customer carrying the rep's reply, a CAN-SPAM footer, and an independent unsubscribe link. Clicking the unsubscribe link in a private-reply email suppresses ONLY future private replies from BetterReviews — it does not affect review-request emails (which the customer can unsubscribe from independently) or merchant-notification emails (which are not customer-facing). Each suppression kind (customer, customer_reply, merchant_notification) routes through an isolated discriminator so opting out of one channel never silences the others.
Analytics Events
- Web pixel events — product views, widget interactions, and purchase events
- We collect only opaque identifiers (customer_id, order_id) — no email, name, or other personally identifiable information
- Analytics data cannot be reverse-mapped to individuals without Shopify API access
- Collection respects Shopify's Customer Privacy API consent signals
From Visitors to Our Free Review-to-Ad Tool
- Review content you provide for analysis — when you use our free "Studio Glimpse" review-to-ad tool on betterreviews.app, you either (a) upload a file of reviews you control, or (b) submit a store/product URL and ask us to read the reviews publicly displayed on that page. We process that review content (review text, star ratings, reviewer display names, and, where shown, review photos) to generate sample marketing creatives for you. You confirm, via a required checkbox, that you have the right to provide this content for this purpose.
- How we handle reviewer details on the URL path — where you submit a URL, we minimize third-party personal data: reviewer names are masked to a first name and last initial (e.g. "Jane Doe" becomes "Jane D."), personal names are scrubbed from quoted text, and any review photos are shown only temporarily in your browser and are not included in the emailed copy. Generated creatives quote or paraphrase review content; you are responsible for clearing any result before you use it.
- Lead email — if you choose to have your results emailed, the email address you enter and a timestamped record that you ticked the consent checkbox (see §3).
- We do not use tool inputs to train AI models. Review content and uploaded files are sent to our AI provider only to generate your results (inference), never to train, fine-tune, or develop any model.
From Visitors Who Request a Demo
- Demo request details — when you submit our demo-request form on betterreviews.app, we collect your name, work email address, company name, and approximate company revenue bracket, along with a first-party analytics visitor identifier and your approximate region (derived from your IP), so our team can prepare for and follow up on your demo. Your name is delivered to our internal sales channel; your email is stored only as encrypted ciphertext plus a one-way hash, and your company, revenue bracket, analytics identifier, and region are stored in our database. We use these details solely to contact you about your demo request and to understand which marketing channel brought you to us. We do not add you to any automated marketing email sequence on the basis of a demo request, and the analytics identifier is kept for our own internal correlation only — it is never sent to our analytics provider. See §3 for the lawful basis and §13 to exercise your erasure right.
2. How We Use Data
- Review collection — sending post-purchase review request emails to customers
- Verified buyer badges — matching reviewers to orders to display trust signals
- Review display — showing reviews on product pages via theme extensions
- Product analytics — aggregated metrics on review performance and product page optimization
- AI conversations — guiding customers through detailed review submissions
- AI-powered review analysis — quality assessment, content moderation, and spam detection
We do not sell personal data. We do not use personal data for advertising or profiling.
3. Lawful Basis for Processing (GDPR)
- Legitimate interest (Article 6(1)(f)) — review submission is voluntary, and customers reasonably expect their data to be processed for the purpose of publishing their review on the merchant's store. The same legal basis covers sending post-purchase review-request emails to customers who bought from the merchant: the email is transactional (non-promotional, scoped to the product purchased, with an immediate-honor unsubscribe link), the merchant is the data controller, the customer was given a clear opt-out at the point of contact-details collection (Shopify's checkout marketing checkbox), and the processing is limited to what's necessary for the legitimate purpose of soliciting feedback on the purchased product. Where applicable, this also satisfies the PECR Regulation 22(3) soft-opt-in conditions (existing customer, similar products, opt-out at collection, opt-out in every message). Customers can withdraw consent at any time via the email's unsubscribe link or by setting their Shopify emailMarketingConsent.marketingState to UNSUBSCRIBED — both surfaces immediately suppress future BetterReviews emails to that recipient. Merchants whose legal posture requires the stricter explicit-opt-in interpretation can configure their store to send review-request emails only to customers in the SUBSCRIBED Shopify state.
- Contract performance (Article 6(1)(b)) — when a customer responds to a review request email, processing is necessary to fulfill that request
- Consent (Article 6(1)(a)) — on our free public review-to-ad tool (betterreviews.app), a visitor who enters their email to receive their generated creatives must tick a required checkbox consenting to receive those results and occasional marketing emails. We send the result email and enrol the address in a marketing email sequence (delivered via Loops.so) only on that consent. Every message carries a one-click unsubscribe that also erases the email from our records.
- Legitimate interest (Article 6(1)(f)) — free-tool review processing — where you upload reviews you control, we process them to generate the creatives you requested, in reliance on your confirmation that you hold the necessary rights. Our free tool's URL path (reading reviews publicly displayed on a store page you submit) is not available to visitors in the EEA, UK, or Switzerland. To ask us to remove a store or review processed by the tool, email privacy@betterreviews.app.
- Pre-contractual measures (Article 6(1)(b)) and legitimate interest (Article 6(1)(f)) — demo requests — when you submit our demo-request form, you have asked us to contact you about using BetterReviews, so processing your request details is necessary to take steps at your request prior to entering into a contract, and we also have a legitimate interest in responding to inbound sales inquiries and attributing them to our marketing. We rely on this basis — not consent — because you initiated the contact and we do not enrol you in any automated marketing email sequence. To request erasure of your demo-request data, email privacy@betterreviews.app; because we send you no automated email, there is no self-serve unsubscribe link, so this is the route to exercise that right.
Under the legitimate interest basis, no consent checkbox is required at the point of submission. Transparency is provided by this privacy policy, which is linked from all review submission forms.
4. Data We Do NOT Collect
- Physical addresses
- Phone numbers
- Payment or credit card information
- Browsing history outside of the merchant's store
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Reviews (content) | Until merchant deletes or store uninstalls |
| Customer PII in reviews | Until redaction request (within 30 days) |
| Review requests | 90 days after sending |
| Conversation transcripts | Until merchant deletes or store uninstalls |
| AI analysis data | Until merchant deletes or store uninstalls |
| Analytics events | 13 months |
| Compliance exports | 90 days |
| Database backups | 7-day rolling |
| Free-tool generated results (per run) | Ephemeral — held briefly server-side under an unguessable token solely to display and email your results, then automatically deleted (within ~7 days). Excluded from long-lived backups. No public, shareable, or indexed result page is created. |
| Free-tool lead email | Until you unsubscribe or request erasure (one click in any email). On unsubscribe we delete your email from our records and from our email provider, and add a one-way hash to a suppression list to honor your opt-out. |
| Demo-request details | Retained while we follow up on your demo request and for sales attribution, until you request erasure (email privacy@betterreviews.app). On erasure we delete the stored record(s) for your email and add a one-way hash to a suppression list so we do not re-capture it. |
6. Third-Party Processors
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Workspace | Business email (inbox) | Email correspondence content |
| Resend | Transactional email delivery (primary) | Recipient email, email content |
| AWS SES | Transactional email delivery (fallback) | Recipient email, email content |
| OpenAI | AI conversation guidance and review analysis | Review text, conversation messages (no email or name) |
| Anthropic | AI conversation guidance and review analysis | Review text, conversation messages (no email or name) |
| Tinybird | Analytics pipeline | Opaque IDs only (no PII) |
| Cloudflare R2 | Media storage | Uploaded images/videos |
| Hetzner | Infrastructure hosting | All application data (encrypted) |
| PostHog (US) | Product analytics and session replay for the merchant admin app | Masked DOM events, route paths, click coordinates, viewport size, store identifier. HTTP request bodies and headers are not recorded. Inputs and rendered text are masked client-side before transmission. |
| LogRocket (US) | Session replay for the merchant admin app | Masked DOM events and network request URLs. HTTP bodies are not recorded; sensitive headers (Authorization, Cookie, X-CSRF-Token, X-Shopify-Access-Token) are stripped client-side. Visitor IP is not recorded. |
| Google Analytics (US) | Visitor analytics on our marketing website (betterreviews.app) only | Pseudonymous usage events, IP-derived region, online identifiers (e.g. the _ga client ID). Advertising signals are disabled, so Google acts as a processor. Not run on storefronts or in the merchant admin. |
| DataFa.st | Visitor analytics on our marketing website (betterreviews.app) only | Page views, referrers, and first-party cookies, including a visitor identifier and a session identifier. No cross-site identifiers. For visitors in the EEA, UK, and Switzerland, loaded only after the visitor accepts our cookie banner. |
| Cloudflare Turnstile (US) | Bot protection on our free review-to-ad tool (betterreviews.app) only | Your IP address and a browser-challenge signal, used solely to block automated abuse. No tracking cookies, no cross-site identifiers, no advertising use. |
| Loops.so (US) | Marketing email delivery for free review-to-ad tool leads (betterreviews.app) only — used only after you consent | Your email address and non-identifying tags (which tool you used, the product name). We never send Loops the review content or generated creatives. You can unsubscribe and erase your email from any message. |
PostHog and LogRocket are used only on the merchant admin dashboard inside the Shopify Admin. They do not run on customer-facing storefronts and never see customer review submissions in transit. Both are configured mask-by-default — every input value and every rendered text node is replaced with a placeholder before the snapshot leaves the browser. Customer review content visible to merchants in the admin is additionally redacted at the DOM level so it does not appear in replays.
Syndication to third-party product-rating services
When a merchant enables a syndication integration in their BetterReviews admin (currently Google Shopping; Meta Shops is planned), approved reviews you submit may be shared with the corresponding third-party product-rating service so that the merchant can display review ratings on their listings in Google Shopping, Google Search, Google Ads, and (when enabled) Meta Shops. The data shared per review is limited to:
- Your displayed reviewer name (first name or the display name you entered)
- Review title, body content, and star rating
- Verified-buyer status (true/false)
- The product identifier (Shopify product ID and URL) the review is associated with
- The review submission timestamp
The following are never shared with these services:
- Reviewer email address
- Order ID or any order details
- Conversation transcripts or AI analysis data
- Shopify customer ID
- Uploaded photos or videos
If a redaction request is processed for your review, the syndicated copy is refreshed on the third-party service's next crawl of our feed (typically within 24 hours). The third-party service may retain its own copy of the previously-fetched feed for an additional period under its own retention policy.
Merchant-connected email-marketing platforms (Klaviyo)
A merchant can connect their own email-marketing platform — currently Klaviyo — to their BetterReviews account. When that connection is active, data about your review and your contact details may be shared with the merchant's Klaviyo account so the merchant can send communications and include review content in their emails. The data shared may include:
- Your name and email address
- Your review title, body content, and star rating
- Review metadata such as sentiment, verified-buyer status, and our internal quality/marketing scores
- The product the review is associated with
The merchant is the data controller of their own Klaviyo account; Klaviyo acts as a processor for the merchant, and as a sub-processor in our processing chain. The merchant's use of your data inside Klaviyo is governed by the merchant's own privacy policy and Klaviyo's terms. You can review Klaviyo's privacy practices at klaviyo.com/legal/privacy-policy.
When you exercise your right to erasure, the merchant — as controller of their Klaviyo account — is responsible for deleting your profile there. As a courtesy, when a redaction request is processed, BetterReviews also asks Klaviyo to delete the corresponding profile on a best-effort basis. To exercise any data right, contact the Shopify store where you made your purchase.
Internal access by BetterReviews staff
A small number of authorized BetterReviews personnel (currently the two cofounders) may access encrypted customer personal data (email and name) for operational purposes — investigating support tickets, diagnosing review-submission issues, and reviewing platform health. Every such access is recorded in an append-only audit log and is bound by per-session rate limits. Access is restricted to staff devices on our private network; the access surface is not reachable from the public internet. Staff cannot modify customer data through this surface — it is read-only.
7. Security Measures
- AES-256-GCM encryption for customer PII and Shopify access tokens at rest
- TLS 1.3 for all data in transit
- bcrypt password hashing with strong password requirements
- SHA-256 one-way hashing for API keys
- Per-store rate limiting
- Database accessible only via internal network (no public access)
8. Your Rights (GDPR)
If you are located in the European Economic Area, you have the right to:
- Access — request a copy of your stored data
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data
- Restriction — request limits on how your data is processed
- Portability — receive your data in a machine-readable format
- Objection — object to processing of your data
To exercise these rights, contact the Shopify store where you made your purchase. The merchant will submit your request through Shopify, which triggers our automated GDPR webhook handlers. We process all data requests and redaction requests within 30 days.
9. Your Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of your personal information
We do not sell personal information. To exercise your rights, contact the Shopify store where you made your purchase, or email us directly.
10. Cookies
BetterReviews does not set first-party cookies on merchant storefronts. Our web pixel uses Shopify's built-in analytics infrastructure, which respects the merchant's cookie consent configuration.
The merchant admin dashboard (used only by store owners and staff inside the Shopify Admin) does set first-party cookies via PostHog and LogRocket for session replay and product analytics. These cookies are not set on shopper-facing pages.
Our marketing website (betterreviews.app) uses Google Analytics, which sets _ga first-party cookies. For visitors in the EEA, UK, and Switzerland these cookies are set only after the visitor accepts our cookie banner; until then Google Analytics runs in a cookieless, consent-denied mode. For visitors elsewhere, where prior consent is not required, the cookies are set by default. The marketing site also uses DataFa.st for visitor analytics, which sets first-party cookies, including a visitor identifier and a session identifier. Like Google Analytics, for visitors in the EEA, UK, and Switzerland DataFa.st is loaded only after the visitor accepts our cookie banner; for visitors elsewhere it loads by default. Our free review-to-ad tool uses Cloudflare Turnstile for bot protection; it sets no tracking cookies, although Cloudflare may set a strictly-necessary security cookie if an interactive challenge is required, which is exempt from consent.
11. Children's Privacy
BetterReviews is not directed at children under 13. We do not knowingly collect personal information from children.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the app dashboard. The "last updated" date at the top reflects the most recent revision.
13. Contact
For privacy inquiries: privacy@betterreviews.app
BetterReviews is operated by Daniel Studzinski.