
Privacy Policy

Effective Date: January 29, 2026

Last Updated: March 22, 2026


1. Introduction

ReviewsOS, operated by Y&E Group LLC (“we,” “our,” or “us”), is a business-to-business (B2B) software-as-a-service platform that helps businesses manage their Google Business Profile reviews. This Privacy Policy describes how ReviewsOS collects, uses, stores, shares, and protects information obtained through our platform, including information received from Google APIs.

This policy applies to all users of the ReviewsOS platform, including organization administrators who connect their Google Business Profile accounts and organization users who access review data through our portal.

By using ReviewsOS, you agree to the collection and use of information in accordance with this Privacy Policy.


2. Definitions

  • Organization: A business entity registered on the ReviewsOS platform.
  • Organization Admin: A user with administrative privileges who connects a Google Business Profile to ReviewsOS and manages the organization's settings.
  • Organization User (ORG_USER): A user associated with a specific organization who can view their organization's review data.
  • Google Business Profile (GBP): Google's platform for managing business listings, formerly known as Google My Business.
  • Technician (Tech): A service professional associated with an organization whose name may appear in customer reviews.

3. Google User Data We Collect

When an Organization Admin connects their Google Business Profile to ReviewsOS via Google OAuth, we request access using the business.manage scope. Through this authorized connection, we collect and store the following categories of Google user data:

3.1 OAuth Authentication Tokens

  • Google access token: A short-lived token used to make authorized API requests to Google Business Profile APIs on behalf of the organization.
  • Google refresh token: A long-lived token used to obtain new access tokens without requiring the user to re-authorize.
  • Token expiry timestamp: The expiration time of the current access token.

These tokens are stored server-side in our database and are never exposed to the frontend application or to end users.

3.2 Google Business Profile Account Data

  • Account resource name: The Google Business Profile account identifier (e.g., accounts/123456), stored as a reference to associate the organization with its GBP account.

3.3 Location Data

For each business location associated with the connected Google Business Profile account, we collect:

  • GBP location identifier: The unique location resource name assigned by Google.
  • Location name: The internal name of the business location within Google Business Profile.
  • Display name: The public-facing name of the business location.
  • Address: The physical address of the business location.
  • Google review URL: The direct link to the location's Google review page.
  • GBP verification status: Whether the location has been verified through Google's verification process.

3.4 Review Data

For each review posted to the connected business locations, we collect:

  • External review identifier: The unique review ID assigned by Google.
  • Reviewer display name: The name shown on the review as provided by Google.
  • Reviewer photo URL: The URL of the reviewer's profile photo as provided by Google.
  • Star rating: The numeric rating (1-5 stars) given by the reviewer.
  • Review comment: The text content of the review.
  • Review timestamp: The date and time the review was posted.
  • Reply status: Whether the business owner has replied to the review.
  • Reply text: The content of the business owner's reply, if one exists.
  • Reply timestamp: The date and time of the reply, if one exists.

3.5 Data We Do NOT Collect

ReviewsOS does not collect the following through its Google API integration:

  • Google account email address or personal profile information of the person who authorizes the Google Business Profile OAuth connection
  • Google Chat message content, membership information, or conversation history (we only read space names and IDs during setup; see Section 11)
  • Gmail data
  • Google Photos or media files
  • Google financial or payment data
  • Google Ads data
  • Google Analytics data
  • Any data from Google services other than Google Business Profile

4. How We Use Google User Data

Google Business Profile data collected through our platform is used exclusively for the following purposes, all of which directly serve the organization that authorized the connection:

4.1 Review Management Dashboard

We display reviews from connected Google Business Profile locations in the ReviewsOS portal so that organization administrators and users can view and monitor customer feedback in a centralized interface.

4.2 Technician Attribution

We scan review comment text for technician first names using case-insensitive word boundary matching to automatically attribute reviews to specific service professionals within the organization. This helps businesses understand individual technician performance. Attribution is performed entirely within our system and does not involve sending review data to any external AI or machine learning service.

4.3 Review Statistics and Reporting

We aggregate review data (star ratings, review counts, review frequency) to generate performance statistics and reports for the organization's internal use.

4.4 New Review Notifications

When new reviews are detected through our periodic polling process, we send notifications to channels that have been explicitly configured by the organization administrator. These may include webhooks, Discord, Slack, Telegram, Google Chat, or WhatsApp channels. Notifications contain review details (reviewer name, rating, comment text) so that the organization can respond promptly to customer feedback.

4.5 Location Verification Status

We read the Google Business Profile verification status of locations to display this information in the ReviewsOS portal, helping organization administrators understand which locations are fully verified.

4.6 Prohibited Uses

We do not use Google user data for any of the following purposes:

  • Advertising: Google user data is never used to serve, target, or personalize advertisements.
  • Sale of data: Google user data is never sold to any third party, including data brokers, information resellers, or advertising networks.
  • Credit assessment: Google user data is never used to determine creditworthiness or for lending purposes.
  • AI/ML model training: Google user data is never used to train artificial intelligence or machine learning models, whether our own or those of any third party.
  • Profiling: Google user data is never used to build user profiles for purposes unrelated to the organization's own review management.

5. Google API Services Limited Use Disclosure

ReviewsOS's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, ReviewsOS limits its use of Google user data as follows:

  1. We only use Google user data to provide and improve the ReviewsOS review management features that the user has explicitly requested. We do not use this data for any purpose unrelated to the core functionality of our platform.
  2. We do not transfer Google user data to third parties except:
    • When necessary to provide the review management features requested by the organization administrator (e.g., sending review notifications to admin-configured channels);
    • When necessary to comply with applicable laws or regulations;
    • As part of a merger, acquisition, or asset sale, with prior notice to affected users.
  3. We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  4. We do not allow humans to read Google user data unless:
    • We have obtained the user's affirmative agreement for specific data;
    • It is necessary for security purposes (e.g., investigating a security incident);
    • It is necessary to comply with applicable law;
    • The data has been aggregated and anonymized and is used for internal operations.

    Access to Google user data stored in our database is restricted to authorized personnel who require access for system administration, security monitoring, or direct customer support purposes. All database access is authenticated and controlled through network-level restrictions.


6. Data Sharing and Transfer

6.1 Third-Party Sharing

ReviewsOS shares Google Business Profile data only with third-party services that have been explicitly configured by the organization administrator. These include:

  • Webhook endpoints: Organization administrators may configure custom webhook URLs to receive HTTP POST notifications containing review data when new reviews are detected. Webhook payloads are signed with HMAC-SHA256 to ensure integrity and authenticity.
  • Notification channels: Organization administrators may configure notification delivery to one or more of the following services: Discord, Slack, Telegram, Google Chat, or WhatsApp. Review data (reviewer name, star rating, comment text, and location information) is formatted into messages and delivered to the configured channel.

In all cases, the organization administrator has full control over whether and where review data is sent. No data sharing occurs unless the administrator actively configures a notification channel or webhook.

6.2 Parties We Never Share Data With

We do not share, sell, rent, or otherwise transfer Google user data to:

  • Advertising networks or platforms
  • Data brokers or information resellers
  • Analytics or market research providers (other than for our own anonymized, aggregated internal analytics)
  • Any other third party not explicitly configured by the organization administrator

6.3 Legal and Safety Disclosures

We may disclose data if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation, subpoena, court order, or governmental request
  • Protect the rights, property, or safety of ReviewsOS, our users, or the public
  • Detect, prevent, or address fraud, security, or technical issues

6.4 Business Transfers

If ReviewsOS is involved in a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. We will provide notice before data is transferred and becomes subject to a different privacy policy.


7. Data Protection and Security

We implement the following security measures to protect Google user data and all other data processed by our platform:

7.1 Encryption in Transit

All data transmitted between users, our servers, and third-party services (including the Google API) is encrypted using TLS/HTTPS. No data is transmitted in cleartext.

7.2 Access Controls

  • Database access is restricted through authentication credentials and network-level access controls. Only authorized services within our infrastructure can connect to the database.
  • OAuth tokens (access tokens and refresh tokens) are stored server-side in the database and are never exposed to frontend applications, browser clients, or end users.
  • API authentication uses JWT (JSON Web Token) based sessions. All API endpoints that access organization data require valid authentication and enforce role-based authorization.

7.3 Webhook Payload Security

Webhook payloads containing review data are signed with HMAC-SHA256, allowing receiving servers to verify that payloads originate from ReviewsOS and have not been tampered with.

7.4 Role-Based Access

ReviewsOS enforces role-based access control:

  • Super Administrators have full system access for platform operations.
  • Administrators can manage organizations and settings.
  • Organization Users can only access data belonging to their own organization. They cannot view data from other organizations.

7.5 Human Access Restrictions

Access to Google user data by ReviewsOS personnel is limited to situations where it is:

  • Required for system administration or infrastructure maintenance
  • Required for investigating security incidents or abuse
  • Required to provide direct customer support at the request of the organization
  • Required to comply with legal obligations

Personnel with database access are limited to authorized team members. We do not permit general browsing of customer Google user data.


8. Data Retention

8.1 OAuth Tokens

Google OAuth access tokens and refresh tokens are retained for as long as the organization maintains an active Google Business Profile connection on ReviewsOS. Tokens are removed when:

  • The organization administrator disconnects their Google Business Profile from ReviewsOS, or
  • The organization account is deleted from ReviewsOS.

8.2 Review Data

Review data is retained indefinitely while the organization exists on ReviewsOS. Reviews that have been removed from Google are flagged as soft-deleted within our system (marked as removed) but are retained in our database for historical reporting purposes.

8.3 Location Data

Location data is retained and updated on each synchronization cycle for as long as the organization exists on ReviewsOS.

8.4 Account and Profile Data

Organization account data (names, settings, configurations) is retained for as long as the organization exists on ReviewsOS.

8.5 No Automatic Data Purge

ReviewsOS does not currently implement automated data purge schedules or time-to-live (TTL) policies for stored data. Data is retained until explicitly deleted through one of the deletion methods described in Sections 9 and 11.4.


9. Data Deletion

9.1 Disconnecting Google Business Profile

Organization administrators can disconnect their Google Business Profile from ReviewsOS at any time. Disconnecting clears all stored OAuth tokens (access token, refresh token, and token expiry). Previously collected review and location data is retained for historical reference unless the organization requests full deletion.

9.2 Organization Deletion

When an organization is deleted from ReviewsOS (by an administrator), all associated data is permanently deleted through cascading deletion. This includes:

  • All OAuth tokens and Google Business Profile account references
  • All location data
  • All review data and review-technician attributions
  • All technician records
  • All webhook configurations
  • All tip records and payout batches
  • All notification settings

This deletion is permanent and cannot be undone.

9.3 Revoking Google Access

Users can revoke ReviewsOS's access to their Google account at any time by visiting Google Account Permissions and removing ReviewsOS. Once access is revoked:

  • ReviewsOS will no longer be able to poll new reviews or sync location data.
  • Stored OAuth tokens will fail on the next refresh attempt and will be cleared automatically.
  • Previously collected review and location data will remain in our system until the organization is deleted or a deletion request is submitted.

9.4 Requesting Data Deletion

To request deletion of your organization's data, including all Google user data, please contact us at support@reviewsos.io. We will process deletion requests within 30 days of receipt.


10. Google Business Profile-Specific Terms

10.1 Authorized Access Only

ReviewsOS only accesses Google Business Profile data for business listings that the organization administrator has explicitly authorized through the Google OAuth consent flow. We do not access listings or accounts that have not been authorized by their owner.

10.2 Scope of Access

ReviewsOS requests the business.manage OAuth scope, which provides access to manage business listings on Google Business Profile. Within this scope, ReviewsOS performs the following operations:

  • Read business account and location information
  • Read reviews posted to authorized locations
  • Sync location data to keep our records current

10.3 Read-Only Review Access

ReviewsOS accesses reviews in a read-only capacity. We do not post, modify, or delete reviews or review responses on behalf of the organization through our automated systems.

10.4 Organization-Scoped Usage

All Google Business Profile data is used solely for the benefit of the organization that authorized the connection. Review data is used exclusively for that organization's own review management, technician performance tracking, and notification purposes.


11. Google Chat Integration

ReviewsOS offers an optional Google Chat integration that allows organizations to receive automated notifications (new reviews, team scoreboards) in Google Chat spaces.

11.1 Google Chat Data We Collect

When an organization administrator connects Google Chat through ReviewsOS, we use the chat.spaces.readonly OAuth scope to call the Google Chat API spaces.list endpoint. This displays the user's Google Chat spaces in our notification settings so they can select which space receives notifications. Through this process, we collect and store:

  • Space resource name: The unique identifier assigned by Google (e.g., spaces/AAAA), used to route notification messages to the correct space.
  • Space display name: The human-readable name of the space, displayed in the ReviewsOS portal for easy identification.
  • OAuth tokens: A short-lived access token and a refresh token obtained during the setup flow, stored server-side and used only to list spaces when the administrator configures or reconfigures notification channels.
  • Google user ID and email: The identifier and email of the Google account used to authorize the connection, stored to associate the installation with the correct organization.

11.2 Google Chat Data We Do NOT Collect

ReviewsOS does not collect, read, or store:

  • Chat message content or conversation history
  • Space membership or participant information
  • Files, attachments, or media shared in spaces
  • Direct messages or group conversation content
  • Any data from Google Chat beyond space names and identifiers

11.3 How We Use Google Chat Data

Google Chat space information is used exclusively for the following purposes:

  • Notification delivery: We use the stored space resource name to post notification messages (new reviews, tip alerts, team scoreboards) to the selected Google Chat space on behalf of the organization.
  • Space selection UI: We display space names in the ReviewsOS portal so administrators can choose their notification destination.

Message delivery uses a service account with the chat.bot scope, which is a non-sensitive scope that allows the ReviewsOS Chat app to post messages only in spaces where it has been explicitly added by a user.

11.4 Google Chat Data Deletion

Google Chat connection data (OAuth tokens, space references) is deleted when:

  • The organization administrator removes the Google Chat notification channel from ReviewsOS;
  • The organization account is deleted from ReviewsOS; or
  • The user revokes ReviewsOS's access via Google Account Permissions.

12. Non-Google Data We Collect

In addition to Google user data, ReviewsOS collects the following information in the normal course of providing our service:

12.1 Account Information

  • Name, email address, and password (hashed) for user accounts
  • Organization name, contact information, and configuration settings

12.2 Technician Data

  • Technician names and associated organization, as entered by the organization administrator

12.3 Tip and Payment Data

  • Tip amounts, payment status, and Stripe payment identifiers for organizations using the tipping feature
  • Payout batch records and disbursement details

12.4 Tax-Related Data

For technicians receiving tips through the Service, Stripe may collect and process tax-related information including, but not limited to, legal name, Social Security Number (SSN) or Employer Identification Number (EIN), date of birth, and mailing address. This information is collected by Stripe directly from the technician through Stripe Express onboarding and is governed by the Stripe Privacy Policy and Stripe Services Agreement.

ReviewsOS does not directly collect or store technicians' Social Security Numbers. Tax forms (such as IRS Form 1099-K) are generated and delivered by Stripe based on payment data and the technician's information on file with Stripe.

12.5 Usage Data

  • Authentication session data (login timestamps, session tokens)
  • Impersonation logs (when administrators use the “view as” feature for support purposes)

13. Cookies and Tracking

ReviewsOS uses session-based authentication via JWT tokens. We do not use third-party tracking cookies, analytics pixels, or advertising trackers. Session tokens are used solely for maintaining authenticated user sessions.


14. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: You may request a copy of the data we hold about you or your organization.
  • Correction: You may request correction of inaccurate data.
  • Deletion: You may request deletion of your data as described in Section 9.
  • Portability: You may request your data in a portable format.
  • Objection: You may object to certain processing activities.
  • Revocation: You may revoke Google API access at any time via Google Account Permissions.

To exercise any of these rights, please contact us at support@reviewsos.io.


15. Children's Privacy

ReviewsOS is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us at support@reviewsos.io and we will promptly delete the information.


16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this policy:

  • We will update the “Last Updated” date at the top of this page.
  • We will notify affected users via email or through a prominent notice on our platform at least 30 days before the changes take effect.
  • Continued use of ReviewsOS after the effective date of changes constitutes acceptance of the updated policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.


17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your rights, please contact us at:

Email: support@reviewsos.io

We aim to respond to all privacy-related inquiries within 30 days.


This Privacy Policy was last updated on March 22, 2026.