GDPR Notice
Last updated: May 9, 2026
This GDPR Notice describes how ReviewFlow complies with the EU General Data Protection Regulation and the rights it grants to data subjects.
Data controller
The workspace owner is the data controller for any personal data processed within their workspace (customer contacts, review authors, etc.). ReviewFlow acts as the data processor under instructions from the controller.
For data controllers (workspace owners), ReviewFlow processes account-level data (your name, email, billing info) — for that, ReviewFlow is the controller.
Lawful bases
We rely on the following lawful bases:
- Contract — to operate the Service for paying customers.
- Legitimate interest — to maintain security, prevent fraud, and improve the Service.
- Consent — for optional analytics, marketing email, and your customers' review requests.
Your rights
If you are an EU/EEA/UK resident (or in another jurisdiction with similar law), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your personal data.
- Restriction — limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interest.
- Lodge a complaint with your local data protection authority.
To exercise these rights, email the support address in your dashboard. We will respond within 30 days.
Data subprocessors
We use the following subprocessors to operate the Service:
- Hosting: the hosting provider you have chosen for your workspace.
- Email delivery: Postalynk and/or your configured SMTP provider.
- Payment processing: Stripe.
- AI: OpenAI and/or Google (for AI reply drafts), only when you generate one.
- OAuth: Google, Facebook (when you connect those platforms).
International transfers
Some subprocessors are located outside the EU/EEA. Where required, we rely on Standard Contractual Clauses (SCCs) and similar safeguards.
Data Protection Officer
For workspaces requiring a DPO contact, please email the support address listed in your dashboard settings.