Privacy Policy

We provide the Service to local businesses (our "Customers"). This policy applies to two kinds of people, and our role differs for each:

• Customers and visitors — When you sign up, browse superfivestar.com, or administer an account, we act as the "business" (controller) of your personal information and this policy governs directly.
• Your customers (review recipients) — When a Customer uploads or connects contact lists and we send review requests on their behalf, we act as a "service provider" / processor on the Customer's instructions. Our handling of that data is also governed by our agreement with the Customer (see "Data we process for our Customers" below). If you received a review request and have questions, please contact the business that sent it.

• Account and organization data — Your name, email address, password credentials, organization/business name, role, and team membership, managed through our authentication provider.
• Business and location data — The business profiles, locations, review destinations, and Google Business Profile listings you connect, including business name, address, phone, time zone, categories, place identifiers, and the destination URLs (such as Google or Facebook) where you route reviewers.
• Review and customer-contact data — Review content and ratings from your connected profiles, and the customer contact details (such as name, email address, or mobile phone number) you upload, type in, or sync from a connected system so we can send review requests on your behalf. Where a contact is synced from an integration, we also record the source of that contact (for example, that a phone number came from your Square account).
• Connected-integration and transaction data — When you connect a business tool such as Square or QuickBooks Online, we receive the access and refresh tokens needed to call that tool's API on your behalf, and we receive notifications and limited records about qualifying events — for example, that a payment was completed, an invoice was paid, or an appointment finished — together with the related customer's contact details. We use this only to decide when, and to whom, to send a review request.
• Social-media connection data — If you connect a Facebook Page and, optionally, a linked Instagram Business account to publish review content, we receive and store the page and account identifiers and the access tokens (which we keep encrypted) that let us post on your behalf, plus the status and identifiers of the posts we publish.
• Content we generate for you — Branded review-card images we render from your reviews and brand kit (your logo and brand color), which we store so you can download, copy a link to, or auto-publish them.
• Messaging and consent records — For email and text-message (SMS) review requests, we keep send, delivery, click, bounce, complaint, and opt-out records, and — for SMS — your recorded attestation that you hold the required consent to text your customers, so we can operate the messaging program and honor opt-outs.
• Billing data — Subscription, plan, entitlement, and payment status. Card and payment details are collected and processed directly by our payment processor; we do not store full payment card numbers.
• Usage, device, and log data — IP address, browser and device information, pages viewed, actions taken, timestamps, and error/diagnostic logs needed to operate, secure, and improve the Service.
• Communications — Messages you send us (e.g. support requests) and our correspondence with you.

If you connect a Google account, we access Google Business Profile data through Google APIs solely to provide the Service's review features — for example, reading your business locations and reviews and posting replies you author.

SuperFiveStar's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

• We do not transfer Google user data to others except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger or acquisition.
• We do not use Google user data for serving advertisements, and we do not sell it.
• We do not use Google user data to develop, train, or improve generalized or foundational artificial-intelligence or machine-learning models.
• We do not allow humans to read your Google user data unless we have your affirmative consent for specific messages, it is necessary for security or to comply with law, or the data has been aggregated and anonymized.
• You can disconnect your Google account at any time from your account settings, which revokes our ongoing access.

You can connect third-party business tools so the Service can automatically request reviews after a customer transacts, and publish review content for you. You authorize each connection, and you can disconnect it at any time from your account settings, which revokes our ongoing access. We request the narrowest access each integration needs.

• Google Business Profile — To read your locations and reviews and to post replies you author (see the Limited Use section above).
• Square and QuickBooks Online — To detect qualifying events (such as a completed payment, a paid invoice, or a finished appointment) and obtain the related customer's contact details so we can send a review request. We store the OAuth tokens for these connections and refresh them as their providers require.
• Facebook and Instagram — To publish your branded review cards and captions to your connected Facebook Page and, if you link it, your Instagram Business account. We store the page/account identifiers and the access tokens (which we keep encrypted) needed to post on your behalf.

Your use of each connected platform remains governed by that platform's own terms and policies — including the Google API Services User Data Policy, the Meta Platform Terms and Developer Policies, the Square Developer and Application terms, and the Intuit Developer terms. We are not responsible for those platforms, and we may stop supporting an integration if a provider changes or discontinues it.

• To provide, operate, maintain, and secure the Service.
• To send review requests and follow-ups on your behalf, by email or text message (SMS), to the contacts you provide.
• To detect qualifying events in your connected tools and time review requests accordingly.
• To generate, store, and — where you enable it — publish review replies and branded social content you request to your connected accounts.
• To process subscriptions, billing, and account administration.
• To communicate with you about your account, security, changes, and support.
• To monitor, analyze, and improve performance, reliability, and features.
• To detect, prevent, and address fraud, abuse, and violations of our Terms.
• To comply with legal obligations and enforce our agreements.

Where required by law, our legal bases for processing are: performance of our contract with you, our legitimate interests in operating and improving the Service, your consent (where requested), and compliance with legal obligations.

We use strictly necessary cookies and similar technologies to keep you signed in, secure the Service, and remember your preferences. Our authentication and payment providers may set their own cookies to deliver their functionality. We do not use cookies to build advertising profiles. You can control cookies through your browser settings, though disabling necessary cookies may prevent the Service from working.

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising. We disclose information only as follows:

• Service providers (subprocessors) — Vendors who power the product under contract, limited to what they need to perform their function: authentication and organization management (Clerk), database, storage, and hosting infrastructure (Supabase, Vercel), background-job processing (Inngest), transactional email delivery (Resend), text-message (SMS) delivery (Twilio), payment processing (Stripe, via our billing provider), and the business platforms you connect (Google, Square, QuickBooks Online, and Meta) for the features you enable.
• On your instruction — Review requests and follow-ups we send by email or SMS to the recipients you designate, and review content we publish to the social accounts you connect.
• Legal and safety — When required by law, subpoena, or legal process, or to protect the rights, property, or safety of our users, the public, or us.
• Business transfers — In connection with a merger, acquisition, financing, or sale of assets, subject to this policy.

When we handle customer-contact data and reviews on behalf of a Customer, we act as that Customer's service provider/processor. We process such data only to provide the Service per the Customer's instructions and our agreement, do not sell it, and do not use it for our own purposes. Customers are responsible for having a lawful basis and any required consent to upload contacts and to send communications. If you are a Customer who needs a Data Processing Addendum (DPA) for GDPR or CCPA purposes, contact us at support@superfivestar.com.

Email review requests we send on your behalf are designed to comply with the U.S. CAN-SPAM Act: every message identifies the sending business, includes a valid physical postal address, accurately describes the message in the subject line, and provides a working unsubscribe mechanism that we honor promptly. Recipients who unsubscribe are suppressed from future sends for that business.

If you enable text-message (SMS) review requests, we send them on your behalf through our messaging provider (Twilio) over carrier-registered application-to-person (A2P 10DLC) infrastructure. You are the sender of these messages and are responsible for the consent behind them. We do not send marketing texts to anyone except the contacts you supply, and only after you attest that you hold the consent the law requires.

• Consent — U.S. law (the Telephone Consumer Protection Act, or TCPA) generally requires prior express written consent before sending marketing or telemarketing texts. Before you can enable SMS, you must attest that you have obtained that consent from each recipient and that it was not made a condition of any purchase. Consent is never transferred or sold, and message frequency varies.
• Opt-out — Recipients can stop messages at any time by replying STOP (or other reasonable opt-out words such as END, QUIT, CANCEL, or UNSUBSCRIBE); replying HELP returns help information. We honor opt-outs received by any reasonable means, promptly and within the time the law allows, and a business can also record an opt-out manually at a customer's request. Opting out of texts does not affect email, and vice versa.
• Timing — We schedule texts to land only within local daytime quiet-hours windows for the business location, consistent with federal and state calling-time restrictions.
• Carrier charges — Message and data rates may apply to recipients depending on their mobile plan. We do not control carrier charges.
• No sharing of opt-in data — SMS opt-in data and consent will not be shared with third parties. Mobile opt-in information and consent are used only to send the messages the recipient has agreed to receive; they are not sold, rented, or transferred to any other party.

If you connect a Facebook Page and, optionally, a linked Instagram Business account and turn on auto-publishing, we publish your branded review cards and captions to those accounts on your behalf, subject to the limits you set (such as a minimum star rating and a daily cap). We act on your instruction and store the identifiers and access tokens needed to post; you can turn off auto-publishing or disconnect at any time. Posting through these platforms is also governed by the Meta Platform Terms and Developer Policies.

Depending on where you live, you may have some or all of the following rights. We do not discriminate against you for exercising them.

• California (CCPA/CPRA) — The right to know/access the personal information we collect, to delete it, to correct it, and to opt out of sale or sharing. We do not sell or share personal information as those terms are defined. You may also limit the use of sensitive personal information; we do not use sensitive personal information for purposes requiring an opt-out.
• EEA/UK (GDPR/UK GDPR) — The right to access, rectify, erase, restrict, or object to processing, the right to data portability, the right to withdraw consent, and the right to lodge a complaint with your supervisory authority.
• Other U.S. states — Residents of states with comprehensive privacy laws have comparable rights to access, correct, delete, and opt out, which we extend on request.

To exercise a right, email support@superfivestar.com. We will verify your request and respond within the timeframe required by applicable law. You may use an authorized agent where the law permits. If your request concerns data we process on behalf of a Customer, we will refer or forward it to that Customer.

We retain personal information for as long as your account is active and as needed to provide the Service, then for a limited period to comply with legal, tax, accounting, security, and dispute-resolution obligations, after which we delete or anonymize it. Customers can request deletion of their account data, subject to these limits.

We apply administrative, technical, and organizational safeguards appropriate to the risk, including encryption in transit, access controls, and database-enforced tenant isolation so each organization's data is segregated. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify you and any regulators as required by law.

We are based in the United States and our service providers may process data in the United States and other countries. Where we transfer personal information from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, contact us and we will delete it.

We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice (such as email or an in-product notice). If a change involves accessing or using a new category of Google user data, we will update this policy and obtain your consent before doing so. Your continued use of the Service after an update means you accept the revised policy.

If you have questions or requests about this policy or your personal information, email support@superfivestar.com or write to SuperFiveStar LLC · PO Box 73, Olathe, KS 66051.