Privacy Policy

Last updated: May 12, 2026

BetterReviews ("we", "our", "us") operates the BetterReviews platform, a Shopify app that helps merchants collect and display product reviews. This policy explains how we collect, use, and protect personal data.

1. Data We Collect

From Customers (via Shopify stores)

Email address — to send post-purchase review request emails and match reviews to verified buyers
First name — to personalize review request emails and display verified buyer attribution
Review content — ratings, titles, text, and uploaded photos/videos submitted by customers
Order data — order IDs, fulfillment status, and product line items to trigger post-purchase review request emails and verify purchases for verified buyer badges
Conversation transcripts — full AI-guided conversation messages when using the chat-based review flow
AI analysis data — quality scores, sentiment analysis, and content classifications generated from review content

From Merchants

Account email — for authentication and communication
Store information — store name, domain, subscription status
Shopify access token — encrypted, used for metafield writes and order verification
Notification recipient emails — when a merchant enables email-driven moderation, they may add additional recipient email addresses (typically their customer-support team) to receive notifications about pending reviews and customer support requests. Each recipient row carries two independent flags (notify_reviews, notify_support) that control which kinds of emails the address receives — at least one must be true. These addresses are stored encrypted at rest, masked when displayed in the merchant admin dashboard, and require one-time email-link verification before becoming active. Each recipient can revoke themselves at any time. During the unified-recipient grace window (through Q3 2026), addresses configured in the legacy Settings → Support panel are read-capable as a fallback; revoking through the new Notifications tab removes the address from the unified recipient list, but legacy support_emails aliases may continue to receive chat-bubble forwards until the legacy column is retired.
Customer private-reply emails — when a merchant's CS rep explicitly clicks Reply Privately on a support-routed review notification, BetterReviews sends a one-time email to the customer carrying the rep's reply, a CAN-SPAM footer, and an independent unsubscribe link. Clicking the unsubscribe link in a private-reply email suppresses ONLY future private replies from BetterReviews — it does not affect review-request emails (which the customer can unsubscribe from independently) or merchant-notification emails (which are not customer-facing). Each suppression kind (customer, customer_reply, merchant_notification) routes through an isolated discriminator so opting out of one channel never silences the others.

Analytics Events

Web pixel events — product views, widget interactions, and purchase events
We collect only opaque identifiers (customer_id, order_id) — no email, name, or other personally identifiable information
Analytics data cannot be reverse-mapped to individuals without Shopify API access
Collection respects Shopify's Customer Privacy API consent signals

2. How We Use Data

Review collection — sending post-purchase review request emails to customers
Verified buyer badges — matching reviewers to orders to display trust signals
Review display — showing reviews on product pages via theme extensions
Product analytics — aggregated metrics on review performance and product page optimization
AI conversations — guiding customers through detailed review submissions
AI-powered review analysis — quality assessment, content moderation, and spam detection

We do not sell personal data. We do not use personal data for advertising or profiling.

3. Lawful Basis for Processing (GDPR)

Legitimate interest (Article 6(1)(f)) — review submission is voluntary, and customers reasonably expect their data to be processed for the purpose of publishing their review on the merchant's store
Contract performance (Article 6(1)(b)) — when a customer responds to a review request email, processing is necessary to fulfill that request

Under the legitimate interest basis, no consent checkbox is required at the point of submission. Transparency is provided by this privacy policy, which is linked from all review submission forms.

4. Data We Do NOT Collect

Physical addresses
Phone numbers
Payment or credit card information
Browsing history outside of the merchant's store

5. Data Retention

Data Type	Retention Period
Reviews (content)	Until merchant deletes or store uninstalls
Customer PII in reviews	Until redaction request (within 30 days)
Review requests	90 days after sending
Conversation transcripts	Until merchant deletes or store uninstalls
AI analysis data	Until merchant deletes or store uninstalls
Analytics events	13 months
Compliance exports	90 days
Database backups	7-day rolling

6. Third-Party Processors

Provider	Purpose	Data Shared
Google Workspace	Business email (inbox)	Email correspondence content
Resend	Transactional email delivery (primary)	Recipient email, email content
AWS SES	Transactional email delivery (fallback)	Recipient email, email content
OpenAI	AI conversation guidance and review analysis	Review text, conversation messages (no email or name)
Anthropic	AI conversation guidance and review analysis	Review text, conversation messages (no email or name)
Tinybird	Analytics pipeline	Opaque IDs only (no PII)
Cloudflare R2	Media storage	Uploaded images/videos
Hetzner	Infrastructure hosting	All application data (encrypted)
PostHog (US)	Product analytics and session replay for the merchant admin app	Masked DOM events, route paths, click coordinates, viewport size, store identifier. HTTP request bodies and headers are not recorded. Inputs and rendered text are masked client-side before transmission.
LogRocket (US)	Session replay for the merchant admin app	Masked DOM events and network request URLs. HTTP bodies are not recorded; sensitive headers (Authorization, Cookie, X-CSRF-Token, X-Shopify-Access-Token) are stripped client-side. Visitor IP is not recorded.

PostHog and LogRocket are used only on the merchant admin dashboard inside the Shopify Admin. They do not run on customer-facing storefronts and never see customer review submissions in transit. Both are configured mask-by-default — every input value and every rendered text node is replaced with a placeholder before the snapshot leaves the browser. Customer review content visible to merchants in the admin is additionally redacted at the DOM level so it does not appear in replays.

Syndication to third-party product-rating services

When a merchant enables a syndication integration in their BetterReviews admin (currently Google Shopping; Meta Shops is planned), approved reviews you submit may be shared with the corresponding third-party product-rating service so that the merchant can display review ratings on their listings in Google Shopping, Google Search, Google Ads, and (when enabled) Meta Shops. The data shared per review is limited to:

Your displayed reviewer name (first name or the display name you entered)
Review title, body content, and star rating
Verified-buyer status (true/false)
The product identifier (Shopify product ID and URL) the review is associated with
The review submission timestamp

The following are never shared with these services:

Reviewer email address
Order ID or any order details
Conversation transcripts or AI analysis data
Shopify customer ID
Uploaded photos or videos

If a redaction request is processed for your review, the syndicated copy is refreshed on the third-party service's next crawl of our feed (typically within 24 hours). The third-party service may retain its own copy of the previously-fetched feed for an additional period under its own retention policy.

7. Security Measures

AES-256-GCM encryption for customer PII and Shopify access tokens at rest
TLS 1.3 for all data in transit
bcrypt password hashing with strong password requirements
SHA-256 one-way hashing for API keys
Per-store rate limiting
Database accessible only via internal network (no public access)

8. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

Access — request a copy of your stored data
Rectification — request correction of inaccurate data
Erasure — request deletion of your data
Restriction — request limits on how your data is processed
Portability — receive your data in a machine-readable format
Objection — object to processing of your data

To exercise these rights, contact the Shopify store where you made your purchase. The merchant will submit your request through Shopify, which triggers our automated GDPR webhook handlers. We process all data requests and redaction requests within 30 days.

9. Your Rights (CCPA)

If you are a California resident, you have the right to:

Know what personal information we collect and how it is used
Request deletion of your personal information
Opt out of the sale of your personal information

We do not sell personal information. To exercise your rights, contact the Shopify store where you made your purchase, or email us directly.

10. Cookies

BetterReviews does not set first-party cookies on merchant storefronts. Our web pixel uses Shopify's built-in analytics infrastructure, which respects the merchant's cookie consent configuration.

The merchant admin dashboard (used only by store owners and staff inside the Shopify Admin) does set first-party cookies via PostHog and LogRocket for session replay and product analytics. These cookies are not set on shopper-facing pages.

11. Children's Privacy

BetterReviews is not directed at children under 13. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the app dashboard. The "last updated" date at the top reflects the most recent revision.

13. Contact

For privacy inquiries: privacy@betterreviews.app

BetterReviews is operated by Daniel Studzinski.