Privacy Policy

1. Introduction

Inside Review ("InsideReview," "we," "our," "us") is a United-States-only, subscription-only feedback platform intended exclusively for adults who are at least 18 years old. We do not market to, or knowingly collect information from, anyone under 18. By accessing InsideReview.site (the "Site") or using our services (the "Services") you represent that you are (a) 18 or older and (b) physically present in the United States. If you do not meet these criteria, do not use the Services.

2. Information We Collect

a. Account & Users

• Identity: name, business email, phone, title.
• Billing: Stripe payment ID, last-4 card digits, billing address, sales-tax location evidence.
• Authentication: salted bcrypt hash of password or magic-link tokens.

b. Recipients (your customers)

• Contact: e-mail or SMS-capable phone number, first name (optional).
• Feedback: text comments, numeric scores, sentiment tags.
• Metadata: U.S. IP address, device type, opened-at, responded-at.

c. Automatic

• Strictly functional cookies (session, CSRF).
• Server logs retained 30 days then erased.
• No geolocation data is stored beyond U.S.-state-level tax evidence.

3. Legal Basis (CCPA/CPRA & state laws)

We collect and process Personal Information only:

• To perform the service contract with the Account.
• To comply with legal obligations (e.g., state tax, fraud prevention).
• For our legitimate interests in security, product improvement, and customer support.
• With your consent for optional cookies or marketing emails (which you may withdraw at any time).

4. Use of Information

• Provide, secure, and bill for the Services.
• Enforce subscription quotas and seat limits.
• Generate de-identified analytics.
• Deliver transactional notices (quota alerts, password resets).
• Create end-of-period PDF reports for the Account.
• Detect and prevent fraud or abuse.

5. What We Never Do

• We do not publish, syndicate, or transfer feedback to any public review site.
• We do not sell Personal Information as defined under CCPA/CPRA.
• We do not share Personal Information for cross-context behavioral advertising.
• We do not collect Sensitive Personal Information (SPI) such as social-security, driver-license, or precise geolocation.

6. Retention

• Feedback content: subscription term + 3 years (configurable up to 7).
• Billing records: 7 years to satisfy U.S. tax laws.
• Marketing opt-ins: until you withdraw consent.
• Deleted Accounts: hard-delete within 90 days except legally required data.

7. Security

• TLS 1.3 in transit; AES-256 at rest on AWS us-east-1 (Virginia only).
• Row-Level Security scoped to Account ID.
• Annual penetration tests; summary available under NDA.
• MFA required for staff; optional for Users on Enterprise plans.

8. Your U.S. Privacy Rights

California, Colorado, Connecticut, Utah, Virginia residents may:

• Access Personal Information we hold about you.
• Correct inaccuracies.
• Delete Personal Information (subject to legal retention).
• Obtain a portable copy of your data (CSV/JSON).
• Opt out of any sale or sharing (we do neither) or profiling for targeted ads (we do neither).
• Appeal our decision within 30 days by emailing help@insidereview.site.

9. Cookies & Tracking

We use only first-party, functional cookies. No third-party ad trackers. Non-essential analytics cookies require opt-in. You may withdraw consent at any time in Settings.

10. Children

The Services are not directed to children under 18. We do not knowingly collect or sell Personal Information of minors. If we learn otherwise, we will promptly delete such data.

11. International Transfers

Data is stored exclusively in AWS us-east-1 (Virginia). We do not transfer Personal Information outside the United States. If you travel outside the U.S., access may be blocked for compliance.

12. Changes to This Policy

Material changes will be announced by e-mail or in-app banner at least 14 days before effectiveness. Continued use after the effective date means you accept the revised Policy.