Privacy Policy

Last Updated: January 6, 2026

AionReviews, Inc. ("AionReviews," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our review management platform and related services (collectively, the "Services").

This policy applies to our B2B SaaS platform accessible at aionreviews.com and is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), and other applicable data protection laws.

Disclaimer: This privacy policy is provided for informational purposes and does not constitute legal advice. Consult with a qualified attorney for legal advice specific to your situation. If you are a healthcare organization handling Protected Health Information (PHI), please contact us to execute a Business Associate Agreement (BAA).

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

  • Name, email address, phone number
  • Company name, business address, tax identification number
  • Billing information (processed through secure third-party payment processors)
  • Password (encrypted and never stored in plain text)

Business Data:

  • Location information for your business locations
  • Product and service catalog data
  • Personnel information (staff names, roles, assignments)
  • Organization settings and preferences

Customer Data (on behalf of your business):

  • Customer names, email addresses, and phone numbers
  • Transaction data and purchase history
  • Review requests and responses
  • Communication preferences

Review Content:

  • Reviews submitted through our platform
  • Review responses and interactions
  • Ratings, comments, and feedback
  • Media files (photos, videos) uploaded with reviews

1.2 Information Collected Automatically

Usage Data:

  • IP address, browser type, and device information
  • Pages visited, features used, and time spent on the platform
  • Referring URLs and search terms
  • Error logs and performance metrics

Cookies and Similar Technologies:

  • Session cookies for authentication
  • Preference cookies for user settings
  • Analytics cookies to understand platform usage

1.3 Information from Third-Party Sources

We may receive information from:

  • Review Platforms: Google Business Profile, Yelp, Facebook (when you connect your accounts)
  • OAuth Providers: Google Sign-In (name, email, profile picture)
  • Public Sources: Publicly available business information

2. How We Use Your Information

2.1 Service Delivery

  • Provide and maintain the AionReviews platform
  • Process and fulfill review requests
  • Send review invitations via email and SMS on your behalf
  • Aggregate and display reviews from multiple sources
  • Enable communication between you and your customers
  • Process payments and manage subscriptions

2.2 AI-Powered Features

  • Sentiment Analysis: Analyze review sentiment (positive, neutral, negative) using OpenAI GPT-4
  • Emotion Detection: Identify emotional tones in reviews
  • Topic Extraction: Automatically categorize review topics
  • Response Generation: Generate suggested responses to reviews in multiple styles
  • Summary Creation: Create AI-generated summaries of review content

AI Processing Note: Review content is sent to OpenAI for processing. We have implemented data processing agreements with OpenAI, and they do not use customer data to train their models. See Section 3.1 for more details.

2.3 Analytics and Improvement

  • Generate analytics dashboards and reports
  • Track review trends and performance metrics
  • Improve our Services and develop new features
  • Conduct research and analysis to enhance user experience
  • Monitor for security threats and fraudulent activity

2.4 Communication

  • Send service-related notifications and updates
  • Respond to your inquiries and support requests
  • Send marketing communications (with your consent)
  • Notify you of changes to our Services or policies

2.5 Legal Compliance

  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service and other agreements
  • Protect our rights, privacy, safety, or property
  • Respond to lawful requests from public authorities

2.6 Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing necessary to perform our contract with you
  • Legitimate Interests: Our legitimate business interests (e.g., improving Services, preventing fraud)
  • Consent: Where you have provided explicit consent (e.g., marketing communications)
  • Legal Obligation: Compliance with applicable laws and regulations

3. Data Sharing and Third-Party Services

We do not sell your personal information. We may share your information with third-party service providers who assist us in operating our platform, subject to appropriate data processing agreements and security measures.

3.1 Service Providers

Supabase (Database & Authentication)

  • Purpose: Database hosting, user authentication, row-level security
  • Data Shared: All platform data including user accounts, business data, reviews
  • Location: United States (AWS infrastructure)
  • Security: SOC 2 Type II certified, GDPR compliant
  • Agreement: Data Processing Agreement in place

OpenAI (AI Processing)

  • Purpose: Sentiment analysis, emotion detection, response generation, content summarization
  • Data Shared: Review text content, customer feedback
  • Location: United States
  • Security: SOC 2 Type II certified, does not train on customer data
  • Agreement: Business terms prohibiting model training on submitted data
  • Data Retention: OpenAI retains data for 30 days for abuse monitoring, then deletes it

Resend (Email Delivery)

  • Purpose: Transactional emails, review invitations
  • Data Shared: Email addresses, names, email content
  • Location: United States (AWS SES)
  • Security: SOC 2 Type II certified, GDPR compliant

Twilio (SMS Delivery)

  • Purpose: SMS review invitations and notifications
  • Data Shared: Phone numbers, SMS content
  • Location: United States with global infrastructure
  • Security: SOC 2 Type II certified, GDPR compliant, HIPAA-eligible
  • Agreement: Business Associate Agreement available for HIPAA compliance

Vercel (Hosting & Infrastructure)

  • Purpose: Application hosting, content delivery, serverless functions
  • Data Shared: Application code, user requests, logs
  • Location: United States (AWS infrastructure)
  • Security: SOC 2 Type II certified, GDPR compliant

3.2 Review Platform Integrations

When you connect third-party review platforms, we may share data with:

  • Google Business Profile: Business information, review responses
  • Yelp: Business information, review responses (via Yelp API)
  • Facebook: Page information, review responses

You control these integrations and can disconnect them at any time through your account settings.

3.3 Other Disclosures

We may disclose your information in the following circumstances:

  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • Legal Requirements: To comply with legal obligations, court orders, or government requests
  • Protection of Rights: To protect our rights, property, or safety, or that of others
  • With Your Consent: When you explicitly authorize disclosure

4. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

4.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

4.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

4.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data under certain circumstances, including:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

Note: We may retain certain data to comply with legal obligations or for legitimate business purposes (e.g., financial records, dispute resolution).

4.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON) and to transmit that data to another controller.

4.5 Right to Restriction of Processing

You have the right to request that we limit the processing of your personal data when:

  • You contest the accuracy of the data
  • Processing is unlawful but you oppose erasure
  • We no longer need the data, but you need it for legal claims
  • You have objected to processing pending verification of legitimate grounds

4.6 Right to Object

You have the right to object to processing of your personal data based on:

  • Legitimate interests or performance of a task in the public interest
  • Direct marketing purposes (including profiling)
  • Scientific or historical research purposes

4.7 Right to Withdraw Consent

Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before withdrawal.

4.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

We will respond to your request within 30 days and may request additional information to verify your identity before processing your request.

5. HIPAA Compliance

Important Notice for Healthcare Organizations

If your organization is a HIPAA-covered entity or business associate handling Protected Health Information (PHI), you must contact us to execute a Business Associate Agreement (BAA) before using AionReviews to process PHI.

5.1 Business Associate Agreement (BAA)

AionReviews acts as a Business Associate when healthcare organizations use our Services to process PHI. Our BAA establishes:

  • Permitted uses and disclosures of PHI
  • Safeguards to protect PHI confidentiality, integrity, and availability
  • Subcontractor agreements with our service providers (Supabase, Twilio, etc.)
  • Breach notification procedures
  • Audit rights and compliance monitoring
  • PHI return or destruction upon contract termination

To request a BAA, contact us at hipaa@aionreviews.com.

5.2 PHI Handling

When processing PHI, we implement the following measures:

Administrative Safeguards

  • Security Management Process with risk analysis and management
  • Assigned Security Officer responsible for HIPAA compliance
  • Workforce training on PHI handling and security procedures
  • Access controls with role-based permissions
  • Security incident procedures and breach response plan
  • Contingency planning for disaster recovery

Physical Safeguards

  • Cloud infrastructure hosted by HIPAA-compliant providers (AWS via Supabase, Vercel)
  • SOC 2 Type II certified data centers with physical access controls
  • Workstation security policies for remote workforce
  • Device and media controls for PHI access

Technical Safeguards

  • Unique user identification and authentication
  • Automatic session timeout after 30 minutes of inactivity
  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Audit controls and access logging
  • Data integrity controls to prevent unauthorized alteration
  • Secure transmission of PHI over public networks

5.3 HIPAA-Eligible Subcontractors

We have executed BAAs with the following subcontractors who may process PHI:

  • Supabase (AWS): Database hosting with HIPAA-eligible infrastructure
  • Twilio: SMS delivery with HIPAA-compliant messaging
  • Vercel (AWS): Application hosting with SOC 2 compliance

Important: OpenAI (used for AI features) is not HIPAA-compliant. If you have a BAA with us, we will not process PHI through OpenAI. Healthcare organizations with BAAs must disable AI features or ensure review content is de-identified before AI processing.

5.4 Breach Notification

In the event of a breach of unsecured PHI, we will notify you without unreasonable delay and no later than 60 days after discovery. Our breach notification will include:

  • Identification of affected individuals
  • Description of the breach (date, type of PHI involved)
  • Steps taken to mitigate harm
  • Contact information for further inquiries

5.5 Minimum Necessary Standard

We apply the "minimum necessary" standard by limiting access to PHI to only what is reasonably necessary to accomplish the intended purpose. Role-based access controls ensure users only access PHI relevant to their responsibilities.

5.6 Patient Rights

As a Business Associate, we support covered entities in fulfilling patient rights under HIPAA, including:

  • Right of Access: Assist in providing individuals access to their PHI
  • Right to Amend: Support amendment requests for PHI
  • Accounting of Disclosures: Maintain logs of PHI disclosures
  • Right to Restrict Disclosures: Honor covered entity restrictions on PHI use/disclosure

HIPAA Compliance Contact

For HIPAA-related inquiries, BAA requests, or breach notifications:

  • Email: hipaa@aionreviews.com
  • Security Officer: Chief Security Officer, AionReviews, Inc.
  • Phone: +1 (555) 123-4567 (HIPAA Compliance Hotline)

6. Data Retention

We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

6.1 Retention Periods

Account Data

  • Active Accounts: Retained for the duration of your subscription
  • Canceled Accounts: Retained for 90 days after cancellation, then deleted
  • Inactive Accounts: After 24 months of inactivity, we may delete your account with 30 days' notice

Review Data

  • Reviews: Retained for the duration of your subscription plus 90 days
  • Analytics Data: Aggregated analytics retained for 36 months
  • AI Analysis: Sentiment analysis results retained with reviews; raw data sent to OpenAI deleted after 30 days

Communication Records

  • Email Logs: Retained for 12 months
  • SMS Logs: Retained for 12 months
  • Support Tickets: Retained for 36 months

Financial Records

  • Invoices & Payments: Retained for 7 years (tax compliance)
  • Billing Information: Retained for the duration of subscription plus 90 days

Protected Health Information (PHI)

  • PHI under BAA: Retained per agreement terms (typically 6 years after last service date)
  • PHI Deletion: Securely deleted or returned to covered entity upon BAA termination

Legal & Security Logs

  • Audit Logs: Retained for 12 months (36 months for HIPAA-covered accounts)
  • Security Incident Logs: Retained for 36 months
  • Legal Hold Data: Retained indefinitely until hold is lifted

6.2 Data Deletion Procedures

When data is deleted:

  • We securely erase data from active databases and backups
  • Deletion is performed in accordance with industry standards (NIST 800-88)
  • Backup data is deleted within 90 days of the retention period ending
  • We maintain deletion logs for audit purposes

6.3 Exceptions

We may retain data beyond the standard retention periods when:

  • Required by law (tax, accounting, regulatory requirements)
  • Necessary for ongoing litigation or legal claims
  • Needed to enforce our agreements or protect our rights
  • Retained in anonymized or aggregated form for analytics

7. International Data Transfers

AionReviews is based in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

7.1 Data Transfer Mechanisms

For transfers from the EEA/UK/Switzerland to the United States, we rely on:

Standard Contractual Clauses (SCCs)

We use European Commission-approved Standard Contractual Clauses (also known as Model Clauses) to ensure adequate protection for personal data transferred outside the EEA.

Data Processing Agreements

Our agreements with third-party service providers include data protection clauses compliant with GDPR Article 28 requirements.

UK Extension to SCCs

For UK data subjects, we use the UK International Data Transfer Addendum to SCCs approved by the UK Information Commissioner's Office (ICO).

7.2 Data Storage Locations

Your data may be stored in the following regions:

  • Primary Storage: United States (AWS us-east-1 via Supabase)
  • Backups: United States (AWS multiple regions)
  • CDN Cache: Global edge locations (Vercel Edge Network)

7.3 Adequacy Decisions

We monitor and comply with any adequacy decisions made by the European Commission regarding data transfers to third countries. As of the last update to this policy, the EU-U.S. Data Privacy Framework provides an adequacy mechanism for certain transfers.

7.4 Safeguards

To protect data during international transfers, we implement:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls limiting data access to authorized personnel
  • Regular security audits and compliance certifications (SOC 2 Type II)
  • Contractual obligations with service providers to maintain data protection standards

Request SCCs or Transfer Documentation

If you require a copy of our Standard Contractual Clauses or other transfer documentation, contact privacy@aionreviews.com.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and provide personalized content. This section describes the types of cookies we use and how you can control them.

8.1 Types of Cookies We Use

Strictly Necessary Cookies

  • Purpose: Essential for website functionality and authentication
  • Examples: Session cookies, authentication tokens, security tokens
  • Duration: Session (deleted when you close your browser) or up to 7 days
  • Can be disabled: No (required for Services to function)

Preference Cookies

  • Purpose: Remember your settings and preferences
  • Examples: Language preferences, theme settings, dashboard layout
  • Duration: Up to 12 months
  • Can be disabled: Yes (via browser settings)

Analytics Cookies

  • Purpose: Understand how visitors use our website
  • Examples: Page views, feature usage, error tracking
  • Duration: Up to 24 months
  • Can be disabled: Yes (via cookie banner or browser settings)
  • Third Parties: We may use Google Analytics (with IP anonymization)

Marketing Cookies

  • Purpose: Deliver relevant advertisements and measure campaign effectiveness
  • Examples: Retargeting pixels, conversion tracking
  • Duration: Up to 12 months
  • Can be disabled: Yes (via cookie banner or browser settings)
  • Third Parties: May include Google Ads, Facebook Pixel

8.2 Cookie Details

  Cookie Name       | Type        | Purpose                         | Duration
  ------------------|-------------|---------------------------------|----------
  sb-access-token   | Necessary   | Authentication (Supabase)       | 7 days
  sb-refresh-token  | Necessary   | Session refresh (Supabase)      | 7 days
  aion_theme        | Preference  | UI theme preference             | 12 months
  _ga               | Analytics   | Google Analytics user ID        | 24 months
  cookie_consent    | Necessary   | Tracks cookie consent choices   | 12 months

8.3 How to Control Cookies

Cookie Banner

When you first visit our website, a cookie banner allows you to accept or reject non-essential cookies. You can change your preferences at any time by clicking the "Cookie Settings" link in the footer.

Browser Settings

Most browsers allow you to:

  • View cookies stored on your device
  • Block all cookies or only third-party cookies
  • Delete cookies when you close your browser
  • Clear all stored cookies

Refer to your browser's help documentation for instructions. Note that blocking cookies may affect website functionality.

Opt-Out Links

8.4 Do Not Track (DNT)

Some browsers include a "Do Not Track" (DNT) feature. We respect DNT signals where technically feasible. However, there is currently no industry standard for DNT implementation, and our response may vary by browser.

8.5 Third-Party Cookies

Third-party services integrated into our platform (e.g., embedded videos, social media widgets) may set their own cookies. We do not control these cookies. Please review the privacy policies of these third parties:

9. Security Measures

We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction. However, no system is completely secure, and we cannot guarantee absolute security.

9.1 Technical Security Measures

Encryption

  • In Transit: TLS 1.3 encryption for all data transmitted over networks
  • At Rest: AES-256 encryption for data stored in databases
  • Backups: Encrypted backups with separate encryption keys

Access Controls

  • Row-Level Security (RLS) in Supabase to isolate organization data
  • Role-based access control (RBAC) with least privilege principle
  • Multi-factor authentication (MFA) available for all accounts
  • Automatic session timeout after 30 minutes of inactivity

Network Security

  • Web Application Firewall (WAF) to protect against attacks
  • DDoS protection via Vercel Edge Network
  • IP allowlisting available for enterprise customers
  • Rate limiting to prevent abuse

Application Security

  • Input validation and sanitization to prevent injection attacks
  • Cross-Site Request Forgery (CSRF) protection
  • Cross-Site Scripting (XSS) prevention
  • SQL injection prevention via parameterized queries
  • Secure password hashing using bcrypt (Supabase Auth)

9.2 Organizational Security Measures

Employee Training

  • Annual security and privacy training for all employees
  • HIPAA training for employees handling PHI
  • Phishing awareness and social engineering prevention

Access Management

  • Background checks for employees with access to customer data
  • Principle of least privilege for system access
  • Immediate access revocation upon employee departure
  • Quarterly access reviews and audits

Incident Response

  • 24/7 security monitoring and alerting
  • Documented incident response plan
  • Regular security drills and tabletop exercises
  • Breach notification procedures compliant with GDPR and HIPAA

9.3 Compliance and Certifications

  • SOC 2 Type II: Annual third-party audit of security controls (in progress)
  • GDPR Compliance: Data protection by design and by default
  • HIPAA Compliance: Administrative, physical, and technical safeguards
  • Infrastructure Partners: All partners (Supabase, Vercel, Twilio) maintain SOC 2 compliance

9.4 Vulnerability Management

  • Regular security assessments and penetration testing
  • Automated vulnerability scanning of dependencies
  • Responsible disclosure program for security researchers
  • Rapid patching of identified vulnerabilities

9.5 Your Security Responsibilities

To help protect your account:

  • Use a strong, unique password and enable multi-factor authentication (MFA)
  • Do not share your login credentials with others
  • Log out of your account when using shared devices
  • Report suspicious activity immediately to security@aionreviews.com
  • Keep your contact information up to date

Report a Security Issue

If you discover a security vulnerability, please report it responsibly to: security@aionreviews.com.

We appreciate responsible disclosure and will acknowledge your report within 48 hours.

10. Children's Privacy

AionReviews is a business-to-business (B2B) platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18.

COPPA Compliance

The Children's Online Privacy Protection Act (COPPA) requires parental consent for collection of personal information from children under 13. Our Services:

  • Are not directed to children under 13
  • Do not knowingly collect information from children under 13
  • Do not sell information of children under 13

Customer Submissions

While our direct customers are businesses, reviews may occasionally be submitted by individuals under 18 through our review portal. If you are a parent or guardian and believe your child has provided personal information through a review submission, please contact us immediately.

If We Discover Underage Information

If we learn that we have collected personal information from a child under 18 without appropriate consent, we will delete that information as quickly as possible. If you believe we may have inadvertently collected information from a child, contact us at: privacy@aionreviews.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.

How We Notify You

  • Material Changes: We will notify you by email at least 30 days before material changes take effect. Material changes include new data collection practices, expanded data sharing, or reduced rights.
  • Non-Material Changes: We will update the "Last Updated" date at the top of this policy. We encourage you to review this policy periodically.
  • In-App Notice: We may also display a notice within the platform when you next log in.

Continued Use

Your continued use of the Services after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree to the updated policy, you must discontinue use of the Services and may request account deletion.

Version History

We maintain a version history of this Privacy Policy. Upon request, we can provide previous versions for your review.

  • Version 1.0 - January 6, 2026 (Current)

12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below.

General Privacy Inquiries

Email: privacy@aionreviews.com

Phone: +1 (555) 123-4567

Response Time: Within 48 hours

HIPAA Compliance

Email: hipaa@aionreviews.com

Phone: +1 (555) 123-4567 (Hotline)

Officer: Chief Security Officer

Security Issues

Email: security@aionreviews.com

PGP Key: Available upon request

Response Time: Within 48 hours

Data Protection Officer (DPO)

Email: dpo@aionreviews.com

For: GDPR requests, EU data subjects

Mailing Address

AionReviews, Inc.

Attn: Privacy Department

123 Tech Boulevard, Suite 456

San Francisco, CA 94102

United States

EU Representative (GDPR Article 27)

For data subjects in the European Union, you may contact our EU representative:

[EU Representative Name]

[Address Line 1]

[City, Postal Code]

[EU Member State]

Email: eurep@aionreviews.com

Supervisory Authorities

If you are located in the EEA/UK and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority:

Thank you for trusting AionReviews

We are committed to protecting your privacy and maintaining the security of your data.

This Privacy Policy is effective as of January 6, 2026.