What we hold, why, and for how long.

Palaute24 (“we”, “us”) operates the Palaute24 application at auto-review-2a9d.vercel.app. For the purposes of EU/UK GDPR we are a processor for the Google Business Profile content uploaded or synced by our customers, and a controller for the limited account data we collect to operate the service (email, name, billing).

2.1 Account data

When you sign up we store your email address, your name (if supplied via OAuth), the organization you belong to, and your role within that organization. Billing data is processed by our payment provider (Stripe); we receive only the resulting subscription status and a customer reference, not card numbers.

2.2 Google Business Profile content

When you connect a Google account we receive an OAuth authorization with the single scope https://www.googleapis.com/auth/business.manage. Using that scope we read:

• The list of locations the connected account can manage.
• Reviews on those locations, including reviewer name, star rating, review text, and review timestamps.
• Existing replies on those reviews.

We do not request, receive, or process any other Google data — Gmail, Calendar, Drive, Contacts, Photos, YouTube and other Google services are out of scope.

2.3 Operational metadata

We log timestamps, request IDs, audit events (who did what, when), and usage counts. These logs do not contain Google review content.

Per Google’s Business Profile API “Content Storage” policy, cached review content (review text, reviewer names, ratings) is held for at most 30 days from the moment we last fetched it from Google. A nightly job (/api/cron/prune-content) deletes any review row whose cache timestamp is older than 30 days. If a review is re-fetched from Google before then, the 30-day clock resets from that fetch.

Operational records derived from your activity in the app (replies you sent, rules you configured, audit events) are retained for the lifetime of your subscription plus the applicable backup retention window.

When you disconnect Google or delete your organization, all cached Google Business Profile content for that organization is deleted immediately.

4.1 Operating the service

We display your reviews to authorized members of your organization, generate AI-drafted replies on request, and post replies (manually-triggered, or auto-replied if you have granted explicit consent) to Google on your behalf.

4.2 AI generation

When you generate a draft reply, the relevant review text and your configured tone/voice settings are sent to our model provider (currently OpenAI) over an authenticated API. The provider returns one or more candidate replies; we discard the response after writing the chosen draft to your database. Per our agreement with the provider, your data is not used to train models.

4.3 What we never do

• We do not aggregate, index, mine, or build derived datasets from your Google Business Profile content for any purpose other than serving your own operational dashboard.
• We do not sell, rent, or share your reviews with any third party for marketing, analytics, training, or any other purpose.
• We do not use your reviews to train AI models, including our own.
• We do not use your data to advertise to you, profile you, or create “insights” products.

We rely on a small number of subprocessors to run the service. All are bound by data-processing terms equivalent to or stricter than those in this policy.

• Supabase (Postgres hosting): stores all application data, including the 30-day review cache.
• Vercel (application hosting): serves the web app and runs cron jobs.
• OpenAI (AI model provider): receives review text and tone settings on demand to generate draft replies.
• Stripe (payments): processes billing.
• Sentry (error reporting): collects stack traces; PII is scrubbed before upload.

Subject to applicable law you have the right to access, correct, export, and erase your personal data. For most requests you can self-serve from inside the app:

• Disconnect Google. The Disconnect button on the Settings page revokes our OAuth token at Google, deletes every cached review and location for your organization, disables auto-reply rules, and revokes auto-reply consent.
• Revoke auto-reply consent. The consent page at /settings/auto-replies/consent immediately stops all live auto-reply rules.
• Export your replies. The Reviews page can emit a CSV of every reply you have sent through the app.
• Direct revocation at Google. You can also revoke our access at any time from your Google account permissions page.

For data subject requests we cannot fulfill in-product (e.g. full account deletion, GDPR/CCPA access requests), email info@palaute24.fi and we will respond within 30 days.

Security controls (encrypted OAuth tokens, row-level security, HMAC-signed OAuth state, server-side moderation, audit logging) are enforced as described in this policy and in connection with the subprocessors referenced above.

Application data is stored in the United States. If you are located in the EU, UK, or another jurisdiction with cross- border restrictions, the relevant Standard Contractual Clauses apply between you and us, and between us and our subprocessors.

We will post material changes here and, where required, send notice by email at least 14 days before they take effect. The “last updated” date at the top of this page is authoritative.

Questions about this policy: email info@palaute24.fi. Security concerns: email info@palaute24.fi.