Legal
Privacy Policy
Last updated: June 2026
1. Introduction
ReviewX ("we", "our", or "us") is a SaaS platform that aggregates and analyses guest reviews for hospitality businesses. For the purposes of EU data protection law, GCentrix acts as the data controller in respect of personal data we collect directly from visitors and users of our platform.
We are committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it. Please read it carefully alongside our Cookie Policy and Terms of Service.
2. Data We Collect
We collect and process the following categories of personal data:
- —Account data — your name, email address, and hashed password when you register for an account.
- —Usage data — crawl job logs, review data retrieved from supported platforms (Agoda, Booking.com, Expedia, Google, OpenTable, Trip.com), profile configurations, and document counts associated with your account.
- —Technical data — IP address, browser type and version, operating system, referring URL, and timestamps of requests made to our API. This data is collected automatically via server logs.
- —Payment data — billing and subscription status. We do not store full card details; payment processing is handled by our payment processor (Stripe), which maintains its own privacy policy.
3. How We Use Your Data
We use your personal data for the following purposes:
- —To create and manage your ReviewX account and authenticate your sessions.
- —To provide the core service — executing review crawl jobs, storing retrieved review documents, and making them accessible through your dashboard.
- —To communicate with you — service-related notifications, security alerts, and responses to support requests. We will only send marketing emails where you have provided explicit consent.
- —To improve and develop the platform — we analyse aggregated, anonymised usage patterns to understand how features are used and to identify bugs.
- —To comply with legal obligations — including fraud prevention, tax record-keeping, and responding to lawful requests from regulatory authorities.
4. Data Sharing
We do not sell your personal data to third parties. We share data only where strictly necessary with the following categories of processor:
- —AWS S3 — cloud object storage for review document blobs and export files.
- —MongoDB Atlas — managed database hosting for account, profile, and review document records.
- —Stripe — payment processing and subscription management.
All processors are contractually bound by data processing agreements that require them to protect your data in accordance with applicable law, including GDPR where relevant. See our GDPR & DPA page for further details.
5. Data Retention
We retain your personal data for as long as your account is active. When you close your account:
- —Account data (name, email) is retained for 90 days after deletion to allow for account recovery requests and to comply with legal obligations, then permanently erased.
- —Review documents and profile data associated with your account are purged within 30 days of account deletion unless retention is required by law.
- —Server logs containing IP addresses are retained for a maximum of 12 months for security and debugging purposes.
6. Your Rights (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under GDPR / UK GDPR:
- —Right of access: request a copy of the personal data we hold about you.
- —Right to rectification: request correction of inaccurate or incomplete data.
- —Right to erasure: request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
- —Right to data portability: receive your data in a structured, machine-readable format (JSON export available via dashboard).
- —Right to object: object to processing based on legitimate interests or for direct marketing.
- —Right to restrict processing: request that we limit how we use your data in certain circumstances.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK).
7. Cookies
We use a minimal set of cookies and browser storage mechanisms to operate the service. For full details of what we set and how to control it, please read our Cookie Policy.
8. Contact & DPA Requests
For privacy-related enquiries, data subject access requests, or to request a Data Processing Agreement for your organisation, contact:
Email: [email protected]
DPA requests: Email the above address with subject line "DPA Request — [Your Company Name]". We will respond within 5 business days with a draft DPA for review and countersignature.