GDPR Notice

Last updated: May 9, 2026

This GDPR Notice describes how ReviewFlow complies with the EU General Data Protection Regulation and the rights it grants to data subjects.

Data controller

The workspace owner is the data controller for any personal data processed within their workspace (customer contacts, review authors, etc.). ReviewFlow acts as the data processor under instructions from the controller.

ReviewFlow also processes account-level data about data controllers (workspace owners), such as your name, email, and billing info. For that data, ReviewFlow is the controller.

Lawful bases

We rely on the following lawful bases:

Your rights

If you are an EU/EEA/UK resident (or in another jurisdiction with similar law), you have the right to:

  1. Access — request a copy of the personal data we hold about you.
  2. Rectification — correct inaccurate data.
  3. Erasure — request deletion of your personal data.
  4. Restriction — limit how we process your data.
  5. Portability — receive your data in a machine-readable format.
  6. Object — object to processing based on legitimate interest.
  7. Lodge a complaint with your local data protection authority.

To exercise these rights, email the support address in your dashboard. We will respond within 30 days.

Data subprocessors

We use the following subprocessors to operate the Service:

International transfers

Some subprocessors are located outside the EU/EEA. Where required, we rely on Standard Contractual Clauses (SCCs) and similar safeguards.

Data Protection Officer

For workspaces requiring a DPO contact, please email the support address listed in your dashboard settings.