This Privacy Policy describes how Shopreviews.com, operated by Gearlab B.V. ("we", "us", "our"), collects and processes personal data when you use our website and review-aggregation service. It applies to all users of Shopreviews.com, including visitors, registered merchants, and anyone who contacts us for support. We process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch privacy law. Please read this policy carefully — if you have any questions, do not hesitate to contact us at hello@shopreviews.com.
1. Who We Are (Data Controller)
The data controller responsible for your personal data is:
Gearlab B.V.
Gonnetstraat 26, 2011 KA Haarlem, Netherlands
KVK number: 83574085
Email: hello@shopreviews.com
As data controller, Gearlab B.V. determines the purposes and means of processing your personal data in connection with the Shopreviews.com service.
2. What Personal Data We Collect
We only collect personal data that is necessary to provide and improve the Shopreviews service. The categories of data we collect depend on how you interact with us.
Account data
When you register for Shopreviews, we collect your name, email address, company name and billing address. This information is necessary to create and manage your account.
Usage data
We collect information about how you use the service, including pages visited, widget configuration settings, API calls made and technical log data (such as your IP address, browser type, referring URL and timestamps). This helps us operate the service reliably and identify issues.
Review source credentials
To connect your review platforms (for example Google, Trustpilot or Kiyoh), you may provide OAuth tokens or API keys. These credentials are stored encrypted at rest and are never shared with third parties beyond what is required to fetch your review data.
Payment data
Payment card data is handled exclusively by Stripe — we never see or store your card number, CVV or full card details. We do retain your billing address and invoice history for accounting purposes.
Support communications
If you contact us for help, we collect the content of your messages, including email correspondence and live-chat transcripts, so that we can assist you and maintain a record of our support interactions.
Cookie and analytics data
We use privacy-first analytics and may set cookies in your browser. For full details, please see our Cookie Policy.
3. Legal Basis for Processing (GDPR Art. 6)
Every processing activity we carry out has a specific legal basis under the GDPR. The table below summarises those bases.
| Legal Basis | GDPR Article | Activities Covered |
|---|---|---|
| Contract performance | Art. 6(1)(b) | Account creation and management, service delivery, billing and invoicing |
| Legitimate interests | Art. 6(1)(f) | Security monitoring, fraud prevention, product analytics (aggregated and anonymised), service improvement |
| Legal obligation | Art. 6(1)(c) | Retention of financial records and invoices as required by Dutch tax law |
| Consent | Art. 6(1)(a) | Sending marketing and promotional emails; placing non-essential cookies |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You can object to processing based on legitimate interests at any time — see Section 8.
4. How We Use Your Data
We use the personal data we collect for the following purposes:
- Provide and operate the Shopreviews service, including syncing reviews from your connected platforms and rendering widgets on your storefront.
- Process payments and issue invoices for your subscription.
- Send transactional emails such as password resets, invoice confirmations and service alerts. These are necessary for the operation of your account and cannot be opted out of while you are a subscriber.
- Send marketing emails about new features, tips and promotions — but only if you have given your consent. You can withdraw consent and unsubscribe at any time using the link in any marketing email.
- Improve the product by analysing aggregated, anonymised usage patterns. We do not use identifiable personal data for product analytics.
- Prevent fraud and abuse, including monitoring for unusual API usage and protecting the security of our infrastructure.
- Comply with legal obligations, such as retaining financial records for the period required by Dutch law.
5. Data Sharing and Third-Party Processors
We do not sell your personal data to third parties, ever. We do share data with a limited number of trusted sub-processors who help us deliver the service. Each processor is bound by a data processing agreement and may only process your data on our documented instructions.
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing — stripe.com/privacy | USA (SCCs) |
| Amazon Web Services | Cloud hosting infrastructure | EU-West-1, Ireland |
| Postmark / SendGrid | Transactional email delivery | EU / USA (SCCs) |
| Intercom | Customer support chat | USA (SCCs) |
| Plausible Analytics | Privacy-first, cookieless website analytics | EU-hosted |
A complete and up-to-date list of our sub-processors is maintained in our Data Processing Agreement (DPA), which is available to all customers.
6. Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.
- Account data: Retained for the duration of your active subscription and for 12 months after cancellation, after which it is permanently deleted or anonymised.
- Invoices and financial records: Retained for 7 years in accordance with Dutch statutory accounting requirements.
- Support communications: Retained for 2 years from the date of the last interaction.
- Analytics data: Retained on a 13-month rolling basis, then automatically purged.
- API tokens and OAuth credentials: Deleted immediately when you disconnect a review source from your account.
7. International Data Transfers
Our primary infrastructure is hosted on Amazon Web Services EU-West-1 in Dublin, Ireland, which is within the European Economic Area (EEA). Your data is processed in the EU by default.
Some of our sub-processors — including Stripe and Intercom — may process data in the United States. Where this occurs, transfers are made under Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2)(c) GDPR, ensuring an equivalent level of protection for your data.
We do not transfer personal data to countries that lack an adequacy decision or appropriate safeguards.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights with respect to your personal data:
- Right of access — You can request a copy of the personal data we hold about you.
- Right to rectification — You can ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — You can ask us to delete your personal data, subject to our legal retention obligations.
- Right to restriction of processing — You can ask us to limit how we use your data in certain circumstances.
- Right to data portability — You can request your data in a structured, machine-readable format.
- Right to object — You can object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent — Where we rely on your consent (e.g. marketing emails), you can withdraw it at any time without affecting the lawfulness of processing that took place before withdrawal.
- Right to lodge a complaint — You have the right to lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
To exercise any of these rights, please email hello@shopreviews.com. We will respond within 30 days. We may need to verify your identity before processing your request.
9. Security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it:
- Encryption in transit: All data transmitted between your browser and our servers is protected by TLS (Transport Layer Security).
- Encryption at rest: Stored data is encrypted using AES-256.
- Credential security: OAuth tokens and API keys are stored with additional encryption and are never logged in plaintext.
- Access controls: Access to production systems and customer data is restricted to authorised personnel and protected by multi-factor authentication and audit logging.
- Security reviews: We conduct an annual security review of our infrastructure and processes.
- Payment security: Card payments are processed by Stripe, which is PCI-DSS Level 1 certified. We never store, transmit or have access to full payment card data.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected individuals without undue delay.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer or applicable law. When we make material changes, we will notify all registered users by email at least 30 days before the changes take effect. We encourage you to review this page periodically.
The "last updated" date at the top of this page always reflects the version currently in force. Continued use of the Shopreviews service after the effective date of any changes constitutes your acceptance of the updated policy.
Privacy enquiries
For any questions about this policy or to exercise your data rights, please contact us:
Email: hello@shopreviews.com
Gearlab B.V.
Gonnetstraat 26
2011 KA Haarlem
Netherlands