AutoReviewsPilot is fully committed to compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the UK GDPR as retained in UK law by the Data Protection Act 2018.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to all organisations that process personal data of individuals in the European Economic Area (EEA) and the United Kingdom. It came into force on 25 May 2018.
AutoReviewsPilot takes data protection seriously. This page explains how we comply with GDPR and what it means for you as a user of our platform.
For general information about how we process your data, please refer to our Privacy Policy.
Under GDPR, there are two key roles in data processing:
When you create an account and use our service, AutoReviewsPilot is the Data Controller for your account data (name, email, billing information, etc.). We determine the purposes and means of processing this data.
When you upload your customers' contact information to our platform to send review request emails, you are the Data Controller for your customers' data, and AutoReviewsPilot acts as your Data Processor.
This means:
Article 28 GDPR — Data Processing Agreement: By accepting our Terms of Service, you enter into a data processing agreement with us as required by GDPR Article 28. We process your customers' data only to provide the review collection service you have contracted us to deliver.
We process personal data under the following lawful bases as required by GDPR Article 6:
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Account creation and management | Contract performance | Art. 6(1)(b) |
| Payment processing and billing | Contract performance | Art. 6(1)(b) |
| Sending transactional emails | Contract performance | Art. 6(1)(b) |
| Security and fraud prevention | Legitimate interests | Art. 6(1)(f) |
| Technical platform improvement | Legitimate interests | Art. 6(1)(f) |
| Tax and financial record keeping | Legal obligation | Art. 6(1)(c) |
| Marketing communications | Consent | Art. 6(1)(a) |
GDPR grants data subjects (individuals whose data is processed) the following rights. We are committed to facilitating these rights.
You have the right to obtain a copy of all personal data we hold about you and information about how we process it. We will respond within 1 month (extendable by 2 months for complex requests).
You have the right to have inaccurate personal data corrected. You can update most of your data directly in your account settings.
You have the right to request deletion of your personal data when:
Note: We may retain certain data for legal obligations (e.g., financial records required by tax law).
You may request restriction of processing while accuracy is contested, or while an objection is being considered.
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit that data to another controller.
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
AutoReviewsPilot does not make automated decisions that produce legal or significant effects on individuals.
Submit a request to privacy@autoreviewspilot.com with the subject line "GDPR Rights Request". We will verify your identity and respond within 30 days. Requests are free of charge.
If your business requires a formal Data Processing Agreement (DPA) under GDPR Article 28 (e.g., for enterprise compliance), please contact us at legal@autoreviewspilot.com.
Our standard DPA covers:
Under GDPR Chapter V, transferring personal data outside the EEA requires appropriate safeguards. Where we use service providers outside the EEA, we ensure adequate protections through:
Our primary sub-processors and their locations:
| Sub-processor | Location | Purpose | Safeguard |
|---|---|---|---|
| Stripe | USA / Ireland | Payment processing | SCCs + DPF |
| cPanel/Hosting Provider | EU/EEA | Server infrastructure | GDPR compliant |
In accordance with GDPR Articles 33 and 34:
We maintain an internal breach register and have incident response procedures in place.
We conduct Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 for any new feature or processing activity that is likely to result in a high risk to individuals' rights and freedoms. Where required, we consult with supervisory authorities prior to processing.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account personal data | Duration of account + 30 days | Contract / Art. 6(1)(b) |
| Customer email lists | Deleted within 30 days of account closure or on request | Contract / Art. 6(1)(b) |
| Financial/billing records | 7 years | Legal obligation / Art. 6(1)(c) |
| Email delivery logs | 90 days | Legitimate interests / Art. 6(1)(f) |
| Security/access logs | 90 days | Legitimate interests / Art. 6(1)(f) |
| Support tickets | 3 years after closure | Legitimate interests / Art. 6(1)(f) |
| Encrypted backups | Purged within 90 days after deletion | Contract performance |
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA):
To exercise your California rights, contact privacy@autoreviewspilot.com with the subject line "CCPA Request".
If you believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with your national supervisory authority:
For all GDPR-related enquiries, data subject rights requests, or to obtain a copy of our Data Processing Agreement:
We take every data protection enquiry seriously. All requests are logged and responded to by a member of our team. We do not use automated responses for privacy enquiries.