Privacy Policy

This policy applies to:

• Biz Reputation Clients — small businesses (dental offices, auto repair shops, HVAC companies, restaurants, med spas, home services, and similar) that purchase a Biz Reputation subscription.
• End Customers — individual consumers who receive review-request messages (SMS or email) on behalf of a Biz Reputation Client.
• Website Visitors — anyone who browses bizreputations.com.

Biz Reputation acts as a data controller for Client account data and website visitor data, and as a data processor (service provider) for End Customer data submitted by Biz Reputation Clients.

2.1 Account & Business Data (Clients)

• Business name, email address, phone number, and billing address
• Payment information processed by Stripe (we do not store raw card numbers)
• Google Business Profile (GBP) data — including business name, address, phone number, review content, star ratings, and response history — obtained through the Google Business Profile API after you grant OAuth authorization
• Login credentials (hashed passwords or OAuth tokens)
• Subscription tier, billing history, and usage metrics

2.2 End Customer Data (Collected on Behalf of Clients)

• Consumer name, email address, and/or mobile phone number provided by the Client for the purpose of sending review request messages
• Whether the recipient opened, clicked, or responded to a review request
• Any review content submitted through a Biz Reputation-hosted review funnel

2.3 Outreach & Lead Data

• Business contact information sourced from Google Maps via Outscraper and verified email addresses sourced via Hunter.io for lead generation campaigns
• Outreach interaction data — email opens, clicks, replies, and opt-out events

2.4 Automatically Collected Data

• IP address, browser type, operating system, referring URL, and pages visited
• Cookie identifiers and session data (see our Cookie Policy for details)
• Approximate geolocation derived from IP address

2.5 AI Processing Data

When you use Biz Reputation's AI features (e.g., automated review response drafting or AI-generated outreach copy), review text and related context may be transmitted to our AI infrastructure providers — currently OpenRouter and Anthropic — for processing. See Section 5 for full disclosure.

We rely on the following legal bases:

• Contract performance — processing necessary to provide the Service you subscribed to (account creation, billing, delivering review campaigns).
• Legitimate interests — platform security, fraud prevention, product analytics, and improving our services, where these interests are not overridden by your rights.
• Legal obligation — complying with applicable laws, court orders, or regulatory requests.
• Consent — where required by applicable law (e.g., marketing emails, non-essential cookies, GDPR situations). You may withdraw consent at any time without affecting prior lawful processing.

• Providing, operating, and maintaining the Biz Reputation platform
• Connecting to and managing your Google Business Profile on your behalf via the Google Business Profile API
• Sending review request SMS and email messages to End Customers on behalf of Clients
• Processing payments and managing subscriptions through Stripe
• Generating AI-assisted review responses, outreach copy, and reports using OpenRouter/Anthropic models
• Sourcing and verifying business leads using Outscraper and Hunter.io for Clients using our lead generation features
• Sending transactional communications — receipts, usage alerts, security notices
• Sending marketing communications about Biz Reputation features and offers (opt-out available at any time)
• Detecting and preventing fraud, abuse, and unauthorized access
• Complying with legal obligations
• Analyzing aggregate, de-identified usage trends to improve the Service

We do not sell your personal data to third parties for their own marketing purposes, and we do not use End Customer data for any purpose other than delivering the review request service on behalf of the applicable Client.

What data is processed by AI systems:

• Review text (including reviewer names and star ratings) when drafting AI response suggestions
• Business profile information (name, category, services) used to personalize AI outputs
• Lead contact information and outreach history when generating campaign copy

AI providers we use:

• Anthropic(Claude models) — via OpenRouter API. Anthropic's privacy policy is available at anthropic.com/privacy.
• OpenRouter — API routing layer. Data transmitted to OpenRouter is governed by their terms at openrouter.ai/privacy.

We do not permit our AI providers to train their models on your data. Data transmitted to AI providers is used solely for generating the requested output and is not retained beyond the context window of the individual API call, subject to each provider's data retention policies.

We share personal data only in the following circumstances:

• Service providers (sub-processors): Stripe (payment processing), Google (Business Profile API), Outscraper (Google Maps data), Hunter.io (email verification), OpenRouter / Anthropic (AI processing), and our cloud infrastructure and email delivery providers. Each is bound by data processing agreements obligating them to protect your data.
• Between Clients and End Customers: Review request messages are sent on behalf of the Client to their End Customers. The Client is responsible for ensuring they have the right to submit End Customer contact information to Biz Reputation.
• Legal compliance: We may disclose data if required by law, subpoena, court order, or to protect our legal rights or the safety of others.
• Business transfer: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will notify you via email or prominent notice on our website at least 30 days before any such transfer.
• Aggregated / de-identified data: We may share anonymized, aggregate statistics (e.g., industry-wide review trends) that cannot reasonably identify any individual.

We do not sell personal data. We do not sell, rent, or trade personal data to data brokers, advertisers, or other third parties for independent commercial use.

When you connect your Google Business Profile to Biz Reputation, you grant us OAuth access to read and write data on your behalf. We use this access to:

• Retrieve your reviews and star ratings for display within the dashboard
• Post AI-drafted responses to your reviews (only upon your approval)
• Sync your business name, address, phone, and business hours
• Pull reporting data such as search impressions and direction requests

Our use of Google API data complies with the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google data for advertising purposes, share it with third parties except as necessary to provide the Service, or use it to train AI models beyond the context of your individual session.

You may revoke our Google access at any time through your Google Account permissions page. Revoking access will disable GBP-connected features in Biz Reputation but will not affect your subscription billing.

Depending on your location, you may have the following rights. To exercise any of them, contact [email protected]. We will respond within 45 days (extendable once by an additional 45 days with notice).

Rights available to Utah residents (UCPA):

• Right to know — confirm whether we process your personal data and access the categories of data we hold.
• Right to delete — request deletion of personal data you have provided to us (subject to legal retention obligations).
• Right to data portability — obtain a copy of your data in a portable, machine-readable format.
• Right to opt out of targeted advertising or sale — Biz Reputation does not sell personal data or engage in targeted advertising using personal data.

Additional rights for California residents (CCPA/CPRA):

• Right to know the specific pieces of personal information we have collected about you
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising)
• Right to limit use and disclosure of sensitive personal information (we do not use sensitive personal information beyond what is necessary to provide the Service)
• Right to non-discrimination for exercising your privacy rights

Rights for EEA/UK residents (GDPR/UK GDPR):

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure / "right to be forgotten" (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Rights related to automated decision-making (Article 22) — see Section 5 above

EEA/UK residents may also lodge a complaint with their local supervisory authority. For cross-border transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission where applicable.

• Active account data — retained for the duration of your subscription plus 90 days after cancellation to allow for reactivation.
• Billing records — retained for 7 years to comply with tax and accounting requirements.
• End Customer contact data — retained for up to 24 months after the last campaign interaction, or until the Client deletes the contact, whichever comes first.
• Outreach / lead data — retained for the life of the campaign plus 12 months.
• Anonymized analytics data — may be retained indefinitely after de-identification.
• Legal hold — data subject to litigation hold or regulatory inquiry will be retained for the duration of the relevant proceeding.

We implement commercially reasonable technical and organizational measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and role-based permissions within the platform
• Regular security reviews and penetration testing
• Stripe PCI-DSS compliance for all payment card data (we never store raw card numbers)

No system is 100% secure. In the event of a data breach affecting your rights or freedoms, we will notify affected individuals and applicable regulators within the timeframes required by law.

Biz Reputation is a business-to-business service intended for adults operating businesses. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, contact us immediately at [email protected] and we will promptly delete it.

Review request messages are sent via SMS and email to End Customers on behalf of Biz Reputation Clients. Each message includes an easy mechanism to opt out of future messages. Opt-out requests are processed within 10 business days and are honored indefinitely.

Biz Reputation Clients are responsible for ensuring that all End Customer contact information submitted to Biz Reputation was obtained with appropriate consent, and that sending review requests to those contacts complies with the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, and any other applicable laws.

We use cookies and similar tracking technologies. For a full explanation of each type of cookie, how to manage your preferences, and how to opt out, please see our Cookie Policy.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on file) and/or by posting a prominent notice on bizreputations.com at least 30 days before the changes take effect. The "Effective Date" at the top of this page will always reflect the date of the current version.

Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

For privacy-related questions, requests, or complaints: