This Privacy Policy explains how ReviewCroft collects, uses, shares, and protects information when you use the ReviewCroft service (the “Service”). ReviewCroft is a product of Vookie Labs, operated by Sevcan Yorulmazlar, a sole proprietorship registered in Türkiye. In this policy, “we,” “us,” and “ReviewCroft” refer to that operator. By using the Service you agree to the practices described here.
1. Who we are
ReviewCroft is a B2B software-as-a-service product that helps local businesses aggregate, analyze, and respond to reviews published on third-party platforms. The data controller for personal data processed through the Service is the operator named above. You can reach us at [email protected].
2. Information we collect
2.1 Information you provide
- Account: email address, display name (which you can edit), and any account preferences you set.
- Profile: first name, last name, country.
- Billing: legal name (individual or company), postal address, country, and tax identification number.
- Business details: business name, category, timezone, and an optional logo image.
- Team invitations: the email address (and an optional name hint) of teammates you invite.
- Content you create: review replies, social captions, AI prompts you customize, and support messages you send us.
2.2 Information collected automatically
- Session data: session token, IP address, user agent, last activity timestamp.
- Diagnostic logs: request timing, error traces, and feature interactions, used to operate and debug the Service.
- Embed widgets: when our review widget loads on your website, we record aggregate usage. We do not collect personal data about your end visitors via the widget.
2.3 Information from third parties you connect
- Google Business Profile: when you sign in with Google to connect a location, we receive an access token, refresh token, and the profile location identifier. OAuth tokens are stored encrypted at rest. We use this access only to read and respond to reviews on your behalf.
- Yelp, TripAdvisor, Booking.com, OpenTable, Expedia: for these sources you provide the public business URL. We then retrieve the publicly visible review content (reviewer display name, rating, body, timestamp) on your behalf so it can be shown alongside your other reviews.
- Instagram: when you connect Instagram for social posting, we receive an account ID, username, and OAuth tokens (stored encrypted). We use this access only to publish posts you direct us to publish.
- Payments: when you subscribe, our payments subprocessor (DodoPayments) returns a customer identifier, subscription status, and invoice metadata. We never receive your full card number. Payment details are entered directly with the processor.
2.4 Review content from platforms
When you connect a review source, we ingest reviews left by your customers on that platform. This content (reviewer display name as shown publicly, star rating, review body, response history) is processed so we can show it to you, run AI-assisted analysis on it, and let you reply. ReviewCroft is not the publisher of this content; the original platform is. We process it under our legitimate interest in providing the service you signed up for.
3. How we use information
We use the information described above to:
- Authenticate you and keep your session active.
- Fetch, organize, and display reviews from sources you connect.
- Run AI-based analysis: review sentiment, aspect tagging, response suggestions, and social caption generation.
- Post replies and social media content on your behalf when you direct us to.
- Send transactional email: verification, magic-link sign-in, account changes, billing receipts, security alerts.
- Bill your subscription and issue invoices.
- Provide customer support and respond to your requests.
- Detect and prevent abuse, fraud, and security incidents.
- Comply with our legal and tax obligations.
We do not sell your personal data, share it with advertisers, or use review content to train external AI models outside the inference calls you direct us to make.
4. Legal bases for processing
For users protected by the EU/UK GDPR or by Türkiye’s KVKK (Law No. 6698), we rely on the following legal bases:
- Performance of a contract. To deliver the Service you signed up for and to fulfill our terms of service.
- Legitimate interests. To operate, secure, and improve the Service, prevent abuse, and conduct internal analytics.
- Consent. For any future marketing communications and for non-essential cookies if we add them. You can withdraw consent at any time.
- Legal obligation. To comply with accounting, tax, and law-enforcement requirements.
5. How we share information
We share data only with subprocessors that help us run the Service. We do not sell personal information. We have data processing agreements (or equivalent contractual safeguards) with each subprocessor below.
| Subprocessor | Purpose | Region |
|---|---|---|
| Hetzner | Application and worker hosting | Germany (EU) |
| Neon | Managed PostgreSQL database | EU / US |
| Redis Cloud | Session storage and background job queue | EU / US |
| Cloudflare | CDN, edge caching, DDoS protection | Global |
| Amazon Web Services (S3) | Object storage for generated images | EU / US |
| DodoPayments | Subscription billing and invoicing | Global |
| Resend | Transactional email delivery | US |
| OpenAI | AI inference for sentiment, response and caption output | US |
| Google (Google Analytics) | Aggregate audience measurement on the marketing site (loaded only after you consent via the cookie banner) | US / Global |
We may also disclose information when required by law (court orders, valid legal process), when necessary to enforce our terms, or to protect the rights, property, or safety of ReviewCroft, our users, or the public. If ReviewCroft or its assets are acquired by another company, your information may be transferred as part of that transaction; we will notify you before any such transfer takes effect.
6. International data transfers
ReviewCroft is operated from Türkiye, our customers are worldwide, and our subprocessors are located in the European Union, the United Kingdom, the United States, and other jurisdictions. When personal data is transferred across borders we rely on:
- European Commission adequacy decisions where they apply.
- Standard Contractual Clauses (EU 2021/914) for transfers outside the EEA without an adequacy decision.
- The EU-US Data Privacy Framework where the receiving processor is certified under it.
- Equivalent safeguards under Türkiye’s KVKK for transfers from Türkiye.
7. How long we keep data
- Active account data: retained while your account is active.
- Cancelled accounts: retained in read-only mode so you can return; permanently deleted on request, or automatically 30 days after a deletion request is confirmed.
- Backups: encrypted backups containing personal data are retained for up to 90 days, then destroyed on the normal rotation cycle.
- Billing and tax records: retained for the period required by Turkish accounting and tax law (typically up to 10 years).
- Authentication and abuse logs: retained for up to 12 months for security and incident response.
8. Your rights
Depending on where you live, you may have some or all of the following rights with respect to your personal data:
- Access. Request a copy of the personal data we hold about you.
- Rectification. Correct inaccurate or incomplete data.
- Erasure. Ask us to delete your data (“right to be forgotten”).
- Restriction. Limit how we use your data while a request is being resolved.
- Objection. Object to processing based on legitimate interests.
- Portability. Receive a machine-readable copy of data you provided.
- Withdraw consent. Where consent is the legal basis, you can withdraw it at any time.
- Lodge a complaint. With your local supervisory authority.
EU/UK residents (GDPR): contact your national data protection authority if you believe our processing infringes your rights.
Türkiye residents (KVKK): you may exercise the rights granted under Article 11 of Law No. 6698 by writing to us, and you may apply to the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) under Articles 13–14.
California residents (CCPA / CPRA): you have the right to know, delete, correct, and limit the use of sensitive personal information; the right to opt out of the “sale” or “sharing” of personal information (we do not sell or share personal information for cross-context behavioural advertising); and the right not to be discriminated against for exercising any right.
To exercise any right, email [email protected]. We respond within 30 days. We may need to verify your identity before fulfilling certain requests.
9. Cookies and tracking
We use two categories of cookies. We do not use advertising cookies or any third-party tracker for cross-site behavioural advertising.
Essential cookies. Required for sign-in and session management on the dashboard, and to remember your cookie-consent choice on the marketing site. Always on; the Service cannot function without them.
Analytics cookies (opt-in). When you visit the marketing site at reviewcroft.com we ask, via a consent banner, whether you allow Google Analytics 4 to set its measurement cookies (_ga, _ga_*). These cookies record aggregate, pseudonymous usage of the marketing site (page views, referrers, device type) so we can understand which pages are useful and where the site is broken. They are not loaded until you click Accept. Data is processed by Google in the United States and globally; we have a data processing agreement with Google for EU and UK transfers.
Withdrawing consent. You can change your mind at any time by clicking “Manage cookies” in the footer of the marketing site, or by clearing your browser cookies for our domain. Withdrawing consent stops Google Analytics from loading on subsequent visits.
If we introduce additional non-essential cookies in the future we will update this policy and ask for your consent through the same banner.
10. Marketing communications
As of the effective date, we send only transactional email: sign-in links, billing notices, security alerts, and replies to your support requests. If we introduce marketing email later, we will send it only to users who have opted in, and every marketing message will include a one-click unsubscribe link.
11. Security
We protect your data with industry-standard measures, including:
- TLS 1.2+ for data in transit.
- Encryption at rest at the database and object-storage layer.
- Authenticated encryption (AES-GCM) for OAuth tokens and other third-party credentials before they are written to the database.
- Strict access controls, audit logging, and least-privilege defaults on production systems.
- Regular review of dependencies and security advisories.
No system is perfectly secure. If you discover a security issue, please report it responsibly to [email protected] and we will work with you on disclosure.
12. Children’s privacy
ReviewCroft is a business tool aimed at owners of local businesses. It is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will notify account holders by email and post the updated version here. The “effective date” at the top of this page reflects when the latest version took effect.
14. Contact
ReviewCroft is a product of Vookie Labs, operated by Sevcan Yorulmazlar (sole proprietor, Türkiye).
Address: Eğitim Mahallesi, Muratpaşa Cad. Kent Plus Sitesi No: 17 İç Kapı No: 67, Kadıköy / İstanbul, Türkiye
Email: [email protected]