GetReviews Ventures, LLC — operating as GetReviews.ai
This Information Security Policy ("Policy") establishes the principles, requirements, and responsibilities governing the protection of information assets at GetReviews Ventures, LLC, operating as GetReviews.ai ("the Company"). The Company provides a software-as-a-service platform that enables e-commerce merchants to collect, manage, and analyze customer reviews across integrated online marketplaces and storefronts.
The purpose of this Policy is to:
This Policy applies to:
This Policy covers the complete data lifecycle, including collection, processing, storage, transmission, archival, and secure deletion.
The Company designates a Security Officer responsible for:
The Security Officer reports directly to executive leadership and has the authority to implement necessary security controls across the organization.
All personnel are responsible for:
This Policy is reviewed at a minimum annually and updated whenever any of the following occur:
All revisions are documented with version numbers and effective dates. Personnel are notified of material changes within 7 business days of publication.
The Company classifies all information assets into the following tiers, each carrying defined handling requirements:
| Classification | Description | Examples | Handling |
|---|---|---|---|
| Public | Approved for unrestricted distribution | Marketing materials, published blog posts | No restrictions |
| Internal | For Company use only; not for public release | Internal procedures, aggregate analytics | Restrict to authorized personnel |
| Confidential | Sensitive business or personal data requiring protection | Merchant account data, consumer personal data, API credentials | Encrypted at rest and in transit; access controls required |
| Highly Confidential | Most sensitive data; exposure could cause significant harm | Authentication secrets, encryption keys, unredacted payment data | Strict access controls; encrypted; audit-logged |
In the course of providing its Service, the Company processes the following categories of data:
The Company collects only the personal data necessary to provide the requested Service. The Company does not collect sensitive special categories of personal data (such as health, financial account, or biometric data) unless expressly required and disclosed. Data collection practices are reviewed periodically to ensure ongoing adherence to the principle of data minimization.
Access to systems, databases, and data is granted on a need-to-know, least-privilege basis. Employees and contractors receive only the access required to perform their specific job functions. Access rights are formally requested, approved, and documented before provisioning.
Role-based access control (RBAC) is implemented across all production systems. Access roles and permissions are reviewed quarterly. Access is revoked immediately upon employee termination, contractor engagement end, or role change. Quarterly audits confirm that active access rights align with current job responsibilities.
Third parties requiring access to Company systems or data must:
All data transmitted between end users and the Company's platform, and between the Company's systems and third-party integrations, is encrypted using TLS 1.2 or higher. Transmission of personal or confidential data over unencrypted channels is prohibited.
All personal data and confidential data stored in Company systems is encrypted at rest using AES-256 or equivalent industry-standard encryption. Database backups are encrypted using the same standard. Encryption keys are managed through a dedicated key management process with access controls and rotation schedules.
Personal data is retained only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law or contract. Retention periods by data category are defined in the Company's Data Retention Schedule. Upon expiration of the applicable retention period or upon receipt of a valid deletion request, data is securely deleted from all primary and backup systems in the ordinary course of business.
When data reaches the end of its retention period or must be deleted upon request, it is disposed of using methods appropriate to the sensitivity of the data. Electronic data is deleted in a manner that prevents recovery. Physical media containing sensitive data is destroyed using industry-accepted methods prior to disposal or repurposing.
Comprehensive audit logging is maintained for all access to systems containing personal or confidential data. Logs are:
Security alerts are triaged and investigated according to defined severity levels and response timeframes.
The Company maintains a formal Incident Response Plan (IRP) covering detection, containment, eradication, recovery, and post-incident review. The IRP is tested at minimum annually through tabletop exercises or simulated drills. Lessons learned from exercises and actual incidents are incorporated into plan updates.
| Severity | Description | Target Response Time |
|---|---|---|
| Critical | Confirmed unauthorized access to personal data; active system compromise | Immediate — within 1 hour |
| High | Ransomware; significant service disruption; credential compromise | Within 4 hours |
| Medium | Policy violations; unsuccessful intrusion attempts; account anomalies | Within 24 hours |
| Low | Minor anomalies without data exposure risk; informational findings | Within 5 business days |
In the event of a personal data breach, the Company will:
Incident records and post-incident reports are documented and retained for a minimum of three years.
Prior to engaging any vendor or service provider that will access, process, store, or transmit Company or customer data, the Company conducts security due diligence. This review includes assessment of the vendor's security posture, certifications, and data handling practices. Vendors must execute a Data Processing Agreement (DPA) or equivalent data protection contract before any data is shared.
Vendor relationships involving access to personal or confidential data are reviewed at minimum annually. The review confirms that the vendor's security practices remain adequate and that their access remains necessary. Vendors that fail to meet required standards must remediate the identified deficiencies or are offboarded.
The Company may engage sub-processors to support delivery of its Service. All sub-processors are contractually bound to data protection obligations equivalent to those applicable to the Company. A list of sub-processors is available to merchants upon written request directed to support@getreviews.ai.
Privacy considerations are incorporated into system design, product development, and data processing decisions from the outset. The Company's Privacy Policy, available at https://getreviews.ai/privacy, describes in detail the types of personal data collected, the purposes for which it is processed, and the rights available to individuals.
The Company supports the following individual rights in accordance with applicable privacy law, including GDPR and CCPA/CPRA:
Requests to exercise any of the above rights may be submitted to support@getreviews.ai. The Company responds to all verified requests within 30 days, or sooner as required by applicable law.
The Company's Service is not directed at children under the age of 13. The Company does not knowingly collect personal data from children under 13. If the Company becomes aware that personal data from a child under 13 has been collected without verifiable parental consent, it will take prompt steps to delete such data from its systems.
Where personal data is transferred outside the European Economic Area (EEA) or Switzerland to a jurisdiction not recognized by the European Commission as providing an adequate level of data protection, the Company ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms. The Company's Data Processing Addendum, available at https://getreviews.ai/dpa, governs such transfers for merchant data subject to GDPR.
The Company uses cookies and similar tracking technologies (including web beacons and pixel tags) on its website and platform. Three categories of cookies are deployed:
Users may manage cookie preferences through their browser settings. The Company's full Cookie Policy is incorporated within the Privacy Policy at https://getreviews.ai/privacy.
The Company operates as a cloud-native organization. Production systems are hosted in data centers operated by reputable cloud infrastructure providers that maintain the following physical controls:
For Company office and remote work environments, a Clean Desk Policy is in effect. Employees are prohibited from storing personal or confidential data on unmanaged personal devices or unauthorized cloud storage services. Laptops and mobile devices used for Company work are subject to device management and must use full-disk encryption.
The Company maintains Business Continuity and Disaster Recovery (BCDR) plans to ensure the protection and availability of data and services in the event of system failure, natural disaster, or other disruption. Key controls include:
The Company maintains compliance with all applicable data protection laws and regulations. Applicable frameworks include, but are not limited to:
The Company's Security Officer monitors regulatory developments and updates policies and practices accordingly. Compliance is an ongoing program, not a one-time exercise.
Where the Company acts as a data processor on behalf of merchants, the terms of the Data Processing Addendum (DPA) at https://getreviews.ai/dpa govern such processing and are incorporated by reference into the Company's Terms of Service.
Compliance with this Policy is mandatory for all personnel and covered third parties. Violations are taken seriously and are subject to:
Personnel who become aware of a suspected policy violation are obligated to report it to the Security Officer promptly. Reports may be made confidentially. Retaliation against individuals who report security concerns in good faith is prohibited.
This Policy should be read in conjunction with the following Company documents, all of which are publicly available at https://getreviews.ai:
© 2026 GetReviews.ai | All rights reserved.
GetReviews.ai is in no way affiliated with Amazon, Inc. or any of its subsidiaries.