This policy explains what personal data Review Guru collects, how we use it, and your rights. If you are based in the EU/UK, consider this our GDPR notice. If you are based in Sri Lanka, consider this our notice under the Personal Data Protection Act No. 9 of 2022.
1. Data we collect
Account data
When you sign up, we store your email address, display name, optional profile photo, and hashed password (we never see your plain-text password). If you sign in via Google or another provider, we also receive a stable ID from that provider.
Content you publish
Reviews, ratings, photos, and replies are public by design. Your display name (first name + last initial) appears next to them.
Usage data
We log IP addresses, user agents, and request paths for security, rate-limiting, and analytics. We retain these logs for up to 90 days.
Cookies
We use strictly necessary cookies for authentication and security. See our Cookie policy for details.
2. How we use your data
- To provide the Service and let you post reviews.
- To prevent fraud, spam, and platform abuse, including through AI-assisted moderation.
- To send you transactional email (verification, password resets, claim confirmations) — we do not send marketing without opt-in.
- To produce aggregate statistics that are not personally identifying.
3. Legal bases (EU/UK)
- Contract — processing needed to deliver the Service to you.
- Legitimate interests — moderation, fraud prevention, security logging.
- Consent — any optional processing (e.g. marketing email) is opt-in.
4. Sharing
We do not sell your personal data. We share it only with:
- Service providers who help us run the Service (email delivery, hosting, AI moderation) — bound by data-processing agreements.
- Authorities if we are legally required, after reviewing the request and challenging it where appropriate.
5. AI processing
We use OpenAI's models to help moderate reviews and generate short summaries of public review content. Your review text is transmitted to OpenAI for these purposes under OpenAI's zero-retention API terms. We do not transmit your email, password, or payment data.
6. International transfers
We are based in Sri Lanka. Some of our processors (e.g. OpenAI) are located in the United States. When we transfer data internationally, we rely on standard contractual clauses or equivalent safeguards.
7. Your rights
You can, at any time:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data (some content may remain in aggregate form).
- Object to certain processing, including through moderation appeals.
- Export your data in a portable format.
Exercise these rights by emailing privacy@reviewguru.lk. We respond within 30 days.
8. Retention
- Account data: until you delete your account.
- Published reviews: kept indefinitely unless removed by you or moderators.
- Access logs: 90 days.
- Audit logs: 2 years (for security incident investigations).
9. Children
The Service is not directed at people under 16 and we do not knowingly collect their data. If you believe a child has signed up, contact us and we will delete the account.
10. Security
Passwords are hashed with bcrypt. Sessions use signed, HTTP-only cookies. Production traffic is HTTPS-only. We run periodic backups and apply security patches. No system is perfectly secure; we will notify affected users of any data breach as required by law.
11. Changes
We'll post updates to this page and, if material, notify registered users by email.
12. Contact
Privacy questions: privacy@reviewguru.lk.