1. Who we are
The Service is operated by the operator of ReputeAI, based in Cyprus ("we", "us", "our"). Contact: support@repute-app.com.
2. Scope
This Privacy Policy explains how we collect, use, disclose, and protect personal data when:
- you visit our website,
- you create and use an account,
- you connect a Google Business Profile and manage reviews through the Service.
3. Important B2B / multi-tenant note (Controller vs Processor)
The Service is designed for business use. Depending on how you use the Service:
- We act as a controller for account, billing, and website data (e.g., your email, login events, subscription status).
- We may act as a processor when we process customer content (e.g., Google Business Profile reviews) on behalf of a tenant (business customer). In such cases, the tenant is the controller.
If you are an end customer of a tenant and want to exercise data rights, please contact the relevant business first. We can assist the tenant where applicable.
4. Data we collect
A) Account and profile data
Name (optional), email, password hash (if applicable), authentication identifiers. Company/tenant information you provide.
B) Google Business Profile data (connected accounts)
When you connect Google Business Profile, we may process and store:
- location identifiers, name, address;
- reviews including rating, publication date, review text, and author name (or "Anonymous");
- owner replies (drafted and published) and timestamps;
- access tokens / refresh tokens or similar credentials required to access Google APIs.
C) AI generation inputs and outputs
We may process:
- review text and rating;
- detected language and sentiment classification;
- brand settings you configure (e.g., business description, tone, signature);
- AI-generated drafts and edit history.
D) Technical and usage data
IP address, device/browser data, logs, timestamps, and actions performed in the Service. Session cookies required for authentication.
E) Billing data
If you subscribe, payments are processed by Stripe. We receive limited billing metadata (e.g., subscription status, plan, billing history identifiers). We do not store full card details.
5. Purposes and legal bases (GDPR)
We process personal data for:
- Providing the Service (contract): create accounts, sync reviews, generate drafts, publish replies.
- Security and abuse prevention (legitimate interests): protect accounts, prevent fraud and misuse.
- Billing and compliance (legal obligation / contract): payments, invoices, accounting.
- Service improvement (legitimate interests): reliability, performance, bug fixing. We do not use customer content to train third-party AI models unless explicitly stated and enabled by you.
6. AI subprocessors and automated processing
In line with the EU AI Act (Article 50) transparency obligations, we list every AI provider we route data through, what we send them, and why. We send only the minimum text needed for response generation; we do not attach personal identifiers (no email, no account ID, no customer name) to the prompts. AI outputs are drafts — publication always requires human review and approval inside the Service.
DeepSeek
Hangzhou DeepSeek Artificial Intelligence Co., Ltd. — China
Purpose: Drafting replies to Google Business Profile reviews. We send the review text, the rating, and the brand tone settings you have configured.
Data minimization: Only the minimum text needed for response generation; no personal identifiers attached.
Terms: DeepSeek Privacy Policy
Anthropic
Anthropic, PBC — United States
Purpose: Sentiment analysis of incoming reviews and, in some cases, drafting replies for negative reviews where higher nuance is required. We send the review text and rating only.
Data minimization: Only the minimum text needed for response generation; no personal identifiers attached.
Terms: anthropic.com/legal/privacy
Qwen (Alibaba Cloud)
Alibaba Cloud — Singapore region for EU traffic
Purpose: Alternative drafting model used for positive reviews when configured. We send the review text, rating, and brand tone settings.
Data minimization: Only the minimum text needed for response generation; no personal identifiers attached.
DetectLanguage
Web Cats UAB — Vilnius, Lithuania (EU)
Purpose: Detecting the language of an incoming review so we can reply in the same language. We send the review text only.
Data minimization: Only the minimum text needed for language detection; no personal identifiers attached. The provider documents that submitted text is not stored — only the IP address of the API caller is logged.
We do not allow these providers to use your content to train their models. AI output is never published automatically — a human user reviews and approves every reply before it is posted to Google.
7. Email and marketing subprocessor
We use Brevo (Sendinblue SAS — France) to handle waitlist signup confirmations, welcome emails, and our newsletter. Brevo stores its data on EU servers.
What we share with Brevo:
- Your contact email and name
- Optional business name (if you provided it)
- UTM source / medium / campaign you arrived from (so we can credit the channel internally)
- Country derived from your IP address at the time of signup (a 2-letter code only — see Analytics below)
- Timestamps of signup and confirmation
Right of erasure: You can be removed from our marketing lists at any time. Use the Unsubscribe link in any email you have received from us, or email support@repute-app.com and we will delete your record from both our backend database and Brevo within 30 days.
8. Cookieless analytics
We run our own ClickHouse-based analytics in-house. We do not set tracking cookies, and we do not use Google Analytics, Plausible, Mixpanel, or any third-party tracker. Because the system is cookieless by design, we do not need a cookie consent banner under GDPR.
We hash your IP address with a server-only salt before it is written to storage and we never associate it with your name or email address. The country your visit came from is derived from your IP at the moment of the request and stored as a 2-letter ISO country code (for example, DE, UA, CY) — the raw IP itself is discarded after hashing.
We use this data only in aggregate, to understand which pages perform, which marketing channels work, and where to invest engineering effort. Events expire automatically after 13 months.
9. Other subprocessors / service providers
In addition to the AI, email, and analytics providers listed above, we share personal data with the following trusted providers who process it on our behalf:
- Google (OAuth and Business Profile APIs)
- Stripe (payments and subscriptions)
- Our hosting and infrastructure providers
We only share what is necessary for the relevant purpose and require appropriate safeguards (DPA, Standard Contractual Clauses where transfers leave the EEA).
10. International transfers
Some providers (notably DeepSeek in China, Anthropic in the United States, and Alibaba Cloud serving from Singapore) may process data outside the EEA/UK. Where required, we use appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) and additional safeguards. Brevo and DetectLanguage process data within the EU.
11. Data retention
We keep data only as long as necessary:
- Account data: for the life of the account and a reasonable period thereafter for security/legal purposes.
- Google Business Profile data (reviews/drafts): while your account is active, unless you delete it.
- Waitlist and marketing data (Brevo): until you unsubscribe or request deletion.
- Analytics events (ClickHouse): 13 months, then deleted automatically.
- Backups: we perform at least daily backups and retain them for 30 days (then they are overwritten or deleted).
12. Security
We use reasonable technical and organizational measures to protect data, including access controls, encryption where appropriate, and secure secret management.
13. Your rights (EEA/UK)
Subject to applicable law, you may have the right to:
- access, rectify, delete, restrict, object, and port your data;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority.
To exercise rights, contact support@repute-app.com. If we are acting as a processor for a tenant, we may redirect you to the tenant.
14. Cookies
We use essential cookies for authentication and session management, and a single non-tracking cookie (ra_variant) to keep your A/B test variant stable across page loads. We do not use marketing cookies and we do not use any third-party tracking cookies. See the Cookieless analytics section above for how we measure traffic without them.
15. Children
The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from children.
16. Changes
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the effective date.