Reviewz Limited ("Reviewz," "we," "us," or "our") operates the Reviewz application (the "App") available on the Shopify App Store, along with the website reviewz.ai and any related services (collectively, the "Services"). The Services help Shopify merchants automate the collection of customer reviews on Trustpilot and related post-purchase workflows, including upsell mechanics.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you install the App, use the Services, or visit our website. It also describes the rights available to individuals whose data we process.

If you do not agree with this Privacy Policy, please do not install the App or use the Services.

1. Who we are

Reviewz Limited is a company incorporated in Hong Kong SAR.

• Company name: Reviewz Limited
• Jurisdiction of incorporation: Hong Kong Special Administrative Region
• Contact email: privacy@reviewz.ai
• Website: https://reviewz.ai

For any privacy-related question, request, or complaint, you can contact us at privacy@reviewz.ai.

2. Scope of this Policy

This Privacy Policy applies to two main categories of individuals:

1. Merchants — Shopify store owners and their staff who install the App, visit our website, or interact with our Services.
2. End customers — Customers of merchants who use our App. We process end customers' personal data on behalf of the merchant, who is the data controller.

Where we act as a data processor (or "service provider") on behalf of a merchant, the merchant's own privacy policy governs how end-customer data is collected and used. Reviewz only processes such data according to the merchant's instructions and the terms of our Data Processing Agreement.

3. Our role under data protection laws

Depending on the context, Reviewz acts as:

• Controller / Data User — for personal data relating to merchants (e.g., account holders, billing contacts, website visitors, support requests).
• Processor / Data Processor — for personal data relating to end customers that merchants collect through their Shopify store and that we process to provide the Services (e.g., sending review requests).

This Privacy Policy is designed to meet the requirements of the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA), where applicable.

4. Personal data we collect

4.1 Data collected from merchants

When a merchant installs the App or contacts us, we may collect:

• Account data: store name, Shopify store URL, merchant name, email address, country, language, time zone.
• Billing data: subscription plan, billing history, tax identifiers. Payment card details are handled directly by Shopify Billing — we never see or store full card numbers.
• Technical data: IP address, browser type, device identifiers, operating system, log files, cookies, referring URLs, session activity.
• Communications: messages, attachments, and metadata exchanged via email, support chat, onboarding calls, or the help center.
• Marketing data: preferences regarding newsletters, product updates, and marketing communications.

4.2 Data processed on behalf of merchants (end-customer data)

Through the Shopify API and the App's features, we process end-customer data strictly to deliver the Services to the merchant. This may include:

• Identity and contact data: first name, last name, email address, phone number.
• Order data: order ID, order status, purchase date, product(s) purchased, order value, currency, fulfillment status.
• Shipping data: shipping country and city (postal address is accessed only where strictly required).
• Review interactions: whether the customer opened the review request, clicked through, submitted a review, and the content of the review submitted on Trustpilot (as returned by the Trustpilot integration).
• Upsell interactions: whether the customer clicked on a post-review upsell offer and any resulting order.

We do not knowingly collect special categories of personal data (health, religion, political opinions, sexual orientation, etc.) or data relating to children under 16.

4.3 Data collected automatically on our website

When you visit reviewz.ai, we may collect:

• IP address, device and browser information, pages viewed, time spent, and referring site.
• Cookies and similar technologies (see Section 11).
• Information you voluntarily provide through forms (demo requests, contact forms, newsletter signups).

5. How we use personal data

We use personal data for the following purposes and legal bases:

PurposeCategories of dataLegal basis (GDPR)

Providing and operating the App and ServicesAccount, technical, order, customer contact dataPerformance of a contractSending review request emails / messages on behalf of the merchantEnd-customer contact and order data

Processor role — merchant's legal basis applies

Processing subscription payments and issuing invoices

Account and billing dataPerformance of a contract; legal obligation

Providing customer supportAccount data, communications

Performance of a contract; legitimate interests

Improving and securing the Services (bug fixes, analytics, fraud prevention)

Technical data, log data

Legitimate interests

Sending product updates and marketing emails to merchants

Account data, marketing preferences

Consent; legitimate interests (B2B)

Complying with legal obligations

As requiredLegal obligation

Enforcing our Terms and protecting our rights

All categoriesLegitimate interests

We do not use personal data to make decisions that produce legal or similarly significant effects on individuals without human intervention.

6. How we share personal data

We do not sell personal data. We share personal data only with the following categories of recipients:

6.1 Service providers (sub-processors)

We rely on trusted third parties to operate the Services. Each sub-processor is bound by contractual obligations consistent with this Policy and applicable law.

• Shopify Inc. — App platform and API provider.
• Cloud hosting and database providers — To host the application and customer data.
• Email and messaging providers — To deliver transactional emails and review requests.
• Analytics and error monitoring tools — To monitor performance and fix bugs.
• Payment processing — Handled by Shopify Billing; we do not receive card data.
• Customer support and CRM tools — To handle support tickets and communications.
• Accounting providers — For invoicing, tax, and financial record-keeping.

An up-to-date list of sub-processors is available on request at privacy@reviewz.ai.

6.2 Legal and regulatory disclosures

We may disclose personal data if required by applicable law, court order, or governmental regulation, or to protect our rights, property, or safety, or that of our users or the public.

6.3 Business transfers

If Reviewz is involved in a merger, acquisition, reorganization, or sale of assets, personal data may be transferred as part of the transaction. We will notify affected users and ensure that any successor continues to honor the commitments in this Policy.

6.4 Merchants

End-customer data collected through our App is shared back with the merchant that controls the relevant Shopify store. Merchants are independent controllers for their own use of that data.

7. International data transfers

Reviewz is based in Hong Kong and may process personal data in jurisdictions outside your country of residence, including the European Economic Area (EEA), the United Kingdom, the United States, and other countries where our sub-processors are located.

When transferring personal data from the EEA, the UK, or Switzerland to a country that is not recognized as providing an adequate level of protection, we rely on appropriate safeguards such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs.
• Additional technical and organizational measures where needed.

A copy of the relevant transfer mechanism can be requested at privacy@reviewz.ai.

8. Data retention

We retain personal data only for as long as necessary for the purposes described in this Policy.

• Merchant account data — Retained for the duration of your subscription and up to 24 months after account closure for legal, tax, and security purposes.
• End-customer data — Retained while the merchant actively uses the App. Upon uninstall, we delete or anonymize end-customer data within 48 hours, except where longer retention is required by law or for the resolution of disputes.
• Billing and accounting data — Retained for the period required by applicable tax and accounting laws (typically 7 years in Hong Kong).
• Support communications — Retained for up to 36 months after the last interaction.
• Website analytics data — Retained for up to 14 months.

Merchants may request earlier deletion by contacting privacy@reviewz.ai.

9. Security

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration. These measures include:

• Encryption of data in transit (TLS 1.2+) and at rest.
• Access controls and the principle of least privilege for our personnel.
• Regular security reviews, vulnerability scanning, and monitoring.
• Secure software development practices and code review.
• Incident response procedures and breach notification processes.

No system is 100% secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the competent supervisory authority in accordance with applicable law.

10. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right of access — Obtain confirmation of whether we process your data and receive a copy.
• Right to rectification — Correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") — Request deletion of your data.
• Right to restriction of processing — Limit how we use your data.
• Right to data portability — Receive your data in a structured, machine-readable format.
• Right to object — Object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent — Withdraw consent at any time, without affecting past processing.
• Right not to be subject to automated decision-making — Including profiling, where applicable.

For end customers of merchants: we act as a processor. Please direct requests to the merchant who operates the store where you made your purchase. If the merchant forwards the request to us, we will assist promptly.

To exercise your rights, contact us at privacy@reviewz.ai. We will respond within 30 days (or as required by applicable law). You may also lodge a complaint with your local data protection authority — in Hong Kong, the Office of the Privacy Commissioner for Personal Data (PCPD) at www.pcpd.org.hk.

Additional rights for California residents (CCPA/CPRA)

California residents have the right to know what personal information is collected, disclosed, or sold; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; and the right to non-discrimination for exercising these rights. Reviewz does not sell personal information as defined by the CCPA.

11. Cookies and similar technologies

Our website uses cookies and similar technologies to:

• Ensure the site functions correctly (strictly necessary cookies).
• Measure traffic and analyze usage (analytics cookies).
• Remember your preferences.

You can manage cookie preferences through our cookie banner or your browser settings. Blocking certain cookies may affect the functionality of the site.

12. Children's privacy

The Services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@reviewz.ai so we can delete it.

13. Third-party links and integrations

The Services may contain links to or integrations with third-party websites or services (Shopify, Trustpilot, etc.). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will notify merchants by email or through the App at least 30 days before the changes take effect. The "Last updated" date at the top indicates when the Policy was last revised. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

15. Contact us

For any question, request, or concern regarding this Privacy Policy or our data practices:

Reviewz LimitedEmail: privacy@reviewz.aiWebsite: https://reviewz.ai

This Privacy Policy is governed by the laws of the Hong Kong Special Administrative Region, without prejudice to mandatory data protection rights available to individuals in their country of residence.

‍