Privacy Policy
This policy explains how WiserReview collects, uses, stores, and protects your personal data, and what rights you have over it.
1. Who We Are
WiserReview is a review management platform operated by Tatvam Cloud Solutions, Inc (“WiserReview”, “we”, “us”, or “our”). Our platform allows merchants to collect, manage, and display customer reviews across their e-commerce stores.
This Privacy Policy applies to:
- Merchants: businesses and individuals who create a WiserReview account to use our services.
- End Consumers: customers of merchants who submit reviews or whose data is processed through our platform.
- Website Visitors: visitors to wiserreview.com.
For GDPR purposes, WiserReview acts as a Data Processor on behalf of merchants (who are Data Controllers) with respect to consumer data. WiserReview acts as a Data Controller with respect to merchant account data. Our formal Data Processing Agreement is available at wiserreview.com/dpa.
2. Data We Collect
We only collect data that is necessary to deliver our services.
| Category | Examples | Source | Purpose | Legal Basis |
|---|---|---|---|---|
| Account & Registration Data | Name, email address, company name, platform (Shopify, WooCommerce, etc.) | Provided by merchant during registration or OAuth | Account creation, authentication, service delivery | Contract |
| Review & Customer Data | Reviewer name, email, review text, star rating, photos/videos, IP address | Submitted by end-customers or imported by merchant | Core review management service | Legitimate Interest / Consent |
| Order Data | Order ID, customer email, product name, order date | Connected e-commerce platform via API/webhook | Triggering review requests, verified buyer badge | Contract / Legitimate Interest |
| Usage & Log Data | IP address, browser type, pages visited, timestamps, API response times | Automatically collected during service use | Security, fraud prevention, error monitoring, performance | Legitimate Interest |
| Billing Data | Subscription plan, billing cycle (card data handled by Chargebee, not stored by us) | Chargebee (PCI DSS Level 1 billing provider) | Subscription management | Contract |
3. How We Use Your Information
- Service Delivery: To collect, process, display, and manage reviews on behalf of merchants.
- Email Communications: To send review request emails to end consumers on behalf of merchants, and to send merchants account, billing, and product notifications.
- Security & Fraud Prevention: To detect and prevent abuse, spam, fraudulent reviews, and unauthorized access.
- Platform Integrations: To sync order and product data from connected e-commerce platforms (Shopify, WooCommerce, Wix, BigCommerce, etc.).
- AI Features: To power AI-assisted review generation and grammar correction. Only review text is sent to our AI provider (OpenAI). No personally identifiable information is included.
- Error Monitoring & Diagnostics: To monitor application health and diagnose errors via Sentry. Error reports may include anonymized request context.
- Analytics & Improvement: To understand how the platform is used and improve our service. We use aggregated, non-identifying data only.
4. Cookies & Tracking Technologies
WiserReview uses cookies and similar tracking technologies on our website and dashboard. Cookies allow us to recognise your session, remember your preferences, and understand how our platform is used.
We use essential cookies (required for the service to function), analytics cookies (to understand usage patterns), and third-party tools including Google Tag Manager for marketing analytics.
For full details on the cookies we use, how to control them, and how to opt out, see our Cookie Policy.
5. Data Sharing & Sub-Processors
We do not sell personal data. We do not share personal data with third parties beyond what is strictly required to deliver our services. The sub-processors below are the only third parties with access to data processed through WiserReview:
| Sub-Processor | Purpose | Location | Compliance |
|---|---|---|---|
| Microsoft Azure | Application hosting, compute, storage, message queuing | United States / Global | SOC 2, ISO 27001, GDPR |
| MongoDB Atlas | Primary database | United States | SOC 2, ISO 27001, GDPR |
| Cloudflare | CDN, WAF, DDoS protection | Global edge | SOC 2, ISO 27001, GDPR |
| AWS SES | Transactional email delivery | United States | SOC 2, ISO 27001, GDPR |
| AWS S3 | Media file storage (photos/videos) | United States | SOC 2, ISO 27001, GDPR |
| Azure Blob Storage | Media file storage | United States | SOC 2, ISO 27001, GDPR |
| Azure Service Bus | Message queuing for email delivery pipeline | United States | SOC 2, ISO 27001, GDPR |
| SendGrid | Transactional email (secondary) | United States | SOC 2, GDPR |
| Chargebee | Billing and subscription management | United States | PCI DSS Level 1, SOC 2, GDPR |
| OpenAI | AI-assisted text generation (review text only, no PII sent) | United States | SOC 2 |
| Sentry | Error monitoring and diagnostics | United States | SOC 2, GDPR |
We may also disclose information if required by law, legal process, or to protect our rights and property. For a detailed breakdown of what data each sub-processor handles, see our Data Privacy & Protection document §6.
6. Data Retention
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Merchant account data | Active subscription lifetime | Account closure or deletion request |
| Review content & consumer data | While merchant account is active | Review deletion, GDPR request, or account closure |
| Order references | While merchant account is active | Account closure |
| Error & diagnostic logs | 90 days | Automatic rotation |
| Cache data | Transient (hours) | Automatic expiration |
| Inactive accounts | 60 days post-cancellation | Account marked inactive; user notified before deletion |
For deletion triggers per data category, see our Data Privacy & Protection document §5.
7. Your Rights
7.1 GDPR Rights (EU/UK Residents)
If you are in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data (the 'right to be forgotten').
- Right to Portability: Receive your data in a structured, machine-readable format.
- Right to Objection: Object to processing based on legitimate interests.
- Right to Restriction: Request that we limit how we process your data while a dispute is resolved.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
7.2 CCPA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect about you, and why.
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out: WiserReview does not sell personal information. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.
8. Cross-Border Data Transfers
WiserReview processes data primarily on Microsoft Azure infrastructure located in the United States. Our sub-processors (listed in Section 5) may process data in their respective regions.
For transfers from the EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V. All our major infrastructure providers (Azure, AWS, MongoDB Atlas, Cloudflare) have GDPR-compliant data transfer mechanisms in place.
9. Data Security
We implement technical and organizational measures to protect personal data:
- AES-256 encryption at rest (MongoDB Atlas, Azure Blob Storage, AWS S3)
- TLS 1.2+ encryption in transit on all endpoints
- Cloudflare WAF and DDoS protection on all services
- Industry-standard one-way password hashing; passwords are never stored in plaintext
- JWT-based authentication and role-based access control (RBAC)
- MongoDB Atlas IP whitelisting (database not publicly accessible)
- Workspace-level logical data isolation; no cross-tenant data access
See our full security documentation for detailed technical controls: Infrastructure Security, Access Control, and Security Overview.
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected merchants within 72 hours of discovery, in compliance with GDPR Article 33. We will also notify the relevant supervisory authority where required. A full incident response process is documented at /security/incident-response.
11. Children's Privacy
WiserReview is a B2B service intended for merchants and businesses. Our services are not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has submitted personal data through our platform, contact us at [email protected] and we will promptly delete it.
12. Business Transfers
If WiserReview is acquired, merged, or its assets are transferred, personal data we hold may be among the transferred assets. In such an event, we will provide notice and the acquiring party will be bound to honour the commitments in this Privacy Policy or obtain your consent before using your data in materially different ways.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page and, where required by law, notify you by email or via the dashboard. Continued use of our services after changes constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related inquiries, data subject requests, or to request a copy of our Data Processing Agreement: