Privacy Policy

ReviewMankey is an AI-powered review management platform operated by Dude Lemon LLC, a company registered in the United States. Our platform helps businesses monitor, respond to, and analyze customer reviews across multiple online platforms including Google Business Profile, Google Play Store, Apple App Store, Yelp, and TripAdvisor.

This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you visit our website at https://reviewmankey.com, use our web application, install our JavaScript tracking pixel, or otherwise interact with our services. It applies to all users of ReviewMankey, including account holders, team members invited to workspaces, end customers whose reviews are processed through our platform, and visitors to websites where our lead capture pixel is installed.

We are committed to protecting your privacy and handling your data responsibly. We do not sell your personal information. We process data only as necessary to deliver our services, comply with legal obligations, and improve the ReviewMankey platform.

This policy has been drafted to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the CAN-SPAM Act, the Google API Services User Data Policy, and other applicable privacy and data protection laws. Where specific regulations grant you additional rights, those rights are described in the relevant sections below.

For the purposes of GDPR, Dude Lemon LLC acts as the data controller for personal data collected through ReviewMankey. When you use ReviewMankey to process reviews or collect lead data from your own customers, you act as the data controller for that data, and Dude Lemon LLC acts as a data processor on your behalf. We have data processing agreements in place with all our subprocessors and are prepared to enter into data processing agreements with our customers upon request.

If you have questions about any part of this Privacy Policy before creating an account, we encourage you to visit our contact page so we can address your concerns. We believe in transparency and are happy to explain our data practices in more detail.

This policy is effective as of the "Last updated" date shown above and applies to all data collected from that date forward. For data collected before that date, the version of the policy in effect at the time of collection applies, unless you have been notified of and have accepted changes through continued use of the service.

By creating an account, connecting a review platform, or using any part of our service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use ReviewMankey.

We collect several categories of information depending on how you interact with ReviewMankey. Below is an exhaustive enumeration of each data category, the specific data elements within it, and the circumstances under which each is collected.

2.1 Account and Profile Data

When you create an account, we collect your full name, email address, and password (stored in hashed form). If you sign up or log in using a third-party authentication provider, we receive your name, email address, and profile picture from that provider. When you join a workspace, we also store your role within that workspace (owner, admin, or member), your notification preferences, your timezone settings, your preferred language, and your date and time format preferences.

We also collect metadata about your account activity, including the date and time your account was created, your last login timestamp, the total number of logins, the IP addresses from which you have logged in, and the history of role changes within your workspaces. If you update your profile information, we retain a record of the change for auditing purposes, including the previous value, the new value, and the timestamp of the change.

2.2 Review and Business Data

When you connect a review platform (such as Google Business Profile, Google Play Store, Apple App Store, Yelp, or TripAdvisor), we retrieve and store review content including the reviewer's display name, review text, star rating, review date, any photos attached to the review, and your responses to those reviews. We also store business listing information such as your business name, address, category, phone number, operating hours, and listing URLs. For competitor monitoring features, we use the Google Places API to discover and store publicly available information about nearby competitor businesses.

Additionally, we collect and store review metadata such as the platform from which the review originated, the unique review identifier assigned by the source platform, the sync timestamp, whether the review has been responded to, the response status (draft, pending, published), and any internal tags or labels you apply to reviews. For businesses with multiple locations, we maintain a hierarchical mapping of locations to workspaces, allowing aggregate and location-level reporting.

2.3 AI Interaction Data

When you use our AI-powered features, we collect the review content and business context sent to our AI provider for processing, the AI-generated response drafts returned, any edits you make to those drafts before publishing, your approval or rejection of AI suggestions, and sentiment analysis results. This data is used to deliver the AI features you request and to improve the quality and relevance of AI-generated responses within your account.

We also track the following AI interaction metrics: the number of AI drafts generated per review, the number of drafts accepted versus rejected, the average number of edits made to AI drafts before publication, the time elapsed between draft generation and approval, and your configured tone and style preferences. These metrics help us measure the quality of AI outputs and improve the service. We do not use your individual review content to train any AI models.

2.4 Lead Capture and Pixel Data

If you install the ReviewMankey JavaScript pixel on your website, the pixel collects information about visitors to your site. This includes the visitor's IP address (which may be anonymized), browser type and version, device type, operating system, referring URL, pages visited on your site, time spent on pages, scroll depth, click events on tracked elements, and any form submissions that the visitor explicitly completes (such as contact forms or review request forms). The pixel does not collect passwords, payment card numbers, or sensitive personal data from form fields.

The pixel also collects technical data about the visitor's session, including the screen resolution, viewport size, connection type (where available via the Network Information API), the visitor's approximate geographic location derived from IP address (city and country level only), and a randomly generated visitor identifier stored in a first-party cookie. This visitor identifier is used to associate multiple page views with a single visit and does not contain any personally identifiable information.

2.5 Payment and Billing Data

When you subscribe to a paid plan, we collect your billing name, billing address, and the last four digits and expiration date of your payment card (for display purposes in your account). Full payment card numbers, CVVs, and complete card details are collected and processed exclusively by our payment processor, Stripe, and are never transmitted to or stored on our servers. We also store records of your subscription plan, billing cycle, invoice history, payment status, coupon or discount codes applied, trial period start and end dates, and any refund or credit history.

For tax compliance purposes, we may also collect your VAT identification number (for EU-based businesses), your tax-exempt status and supporting documentation references, and your country of establishment. This information is used to calculate applicable taxes and to generate compliant invoices.

2.6 Device and Usage Data

When you access ReviewMankey, we automatically collect technical information including your IP address, browser type and version, operating system, device type, screen resolution, language preference, and timezone. We also collect usage data such as the pages and features you access, the time and duration of your sessions, clickstream data, search queries within the application, feature toggle interactions, filter and sort selections, and error logs. This data helps us maintain platform reliability, diagnose technical issues, and understand how our features are used.

We collect performance metrics including page load times, time to interactive, API response latency experienced by your browser, and client-side error rates. These metrics are collected in aggregate and are used to monitor and improve the performance of our platform. We do not associate performance metrics with individual user identities unless investigating a specific technical issue you have reported.

2.7 Cookies and Similar Technologies

We use cookies, local storage, and similar technologies to maintain your authenticated session, remember your preferences, and collect usage analytics. For full details on cookie categories, their purposes, retention periods, and your choices, see the Cookies and Tracking Technologies section below.

2.8 Team Collaboration Data

If you use our team collaboration features, we collect and store comments you post on reviews, mentions of other team members using the @mention system, follower subscriptions on specific reviews or locations, assignment records (who assigned a review, to whom, and when), internal notes, status change history, and resolution timestamps. This data is visible to other members of your workspace based on their role and permissions.

We also maintain an activity audit log for each workspace that records key actions taken by team members, including logins, review responses published, assignments made, settings changed, integrations connected or disconnected, and team members added or removed. This audit log is accessible to workspace owners and admins and is retained for the duration of the workspace's active subscription plus the post-cancellation retention period.

2.9 Webhook and Integration Data

If you configure webhook integrations, we store the webhook endpoint URLs you provide, the event types you subscribe to, delivery logs (including HTTP status codes, response times, and timestamps), any authentication tokens or headers you configure for your webhook endpoints, and retry history for failed deliveries. Webhook authentication tokens are encrypted at rest in our encrypted databases.

2.10 Communication and Support Data

If you contact us through our contact page, we collect the information you provide in your message, including your name, email address, the subject of your inquiry, and the content of your communication. We retain support correspondence for as long as necessary to resolve your inquiry and for a reasonable period thereafter to maintain records of our communications. If you participate in feedback surveys or beta testing programs, we collect your responses, feature requests, and any other information you voluntarily provide.

We process your personal data for specific, explicit, and legitimate purposes. Below is a detailed breakdown of each processing purpose and the categories of data involved.

3.1 Service Delivery

We use your account data to authenticate you, manage your workspace, and enforce role-based access controls. We use your connected review platform credentials to retrieve reviews on your behalf, post your responses back to those platforms, and keep your review data synchronized. We use your business listing data to provide location-level reporting, competitor comparisons, and performance analytics.

Specifically, service delivery involves processing your OAuth tokens to maintain active connections with review platforms, scheduling periodic review sync operations, rendering your personalized dashboard with relevant metrics and charts, generating PDF and CSV reports when you request data exports, and routing notifications to the appropriate team members based on your configured rules and assignments.

3.2 AI Processing

We send review content and relevant business context to xAI's AI models to generate response draft suggestions and perform sentiment analysis. The AI processes the review text, your business category, your preferred response tone, and historical response patterns to produce relevant and contextual draft responses. We do not use your data to train AI models. See Section 7 for full details on AI data processing.

3.3 Email Communications

We use your email address to send transactional messages (account verification, password resets, workspace invitations), service notifications (new review alerts, assignment notifications, team mentions), periodic digest reports (daily or weekly review summaries), and billing communications (payment receipts, subscription changes, failed payment notices). We may also send product updates and feature announcements. See Section 9 for full details on email communications and your opt-out rights.

3.4 Analytics and Product Improvement

We use aggregated and anonymized usage data to understand which features are most valuable, identify performance bottlenecks, prioritize product development, and measure the effectiveness of onboarding flows. We do not use personally identifiable information for analytics purposes when aggregated data is sufficient.

Our analytics processing includes measuring feature adoption rates across different plan tiers, identifying common user workflows and sequences, tracking conversion rates through onboarding steps, analyzing error frequency by feature area, and monitoring session duration and engagement patterns. All analytics dashboards used internally by our team display only aggregate counts and percentages — never individual user data.

3.5 Security and Fraud Prevention

We use IP addresses, device fingerprints, and access patterns to detect and prevent unauthorized access, identify potential security threats, enforce rate limits, and investigate suspicious account activity. We may temporarily log additional data during active security investigations.

Our security processing includes comparing login locations against your historical access patterns to detect anomalous logins, monitoring API request rates to prevent abuse, analyzing failed authentication attempts to identify brute force attacks, and flagging accounts that exhibit patterns consistent with credential stuffing or account takeover attempts. When suspicious activity is detected, we may temporarily restrict account access and notify you via email.

3.6 Legal Compliance

We process certain data as required to comply with applicable laws, respond to lawful government requests, enforce our Terms of Service, and protect the rights, property, or safety of Dude Lemon LLC, our users, or others.

Legal compliance processing includes maintaining billing records for tax and accounting obligations, preserving data in response to litigation hold notices, generating compliance reports required by data protection authorities, and fulfilling data subject access requests within the timeframes mandated by GDPR (30 days) and CCPA/CPRA (45 days).

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following bases. Each processing activity is mapped to its corresponding legal basis, and we maintain an internal record of processing activities as required by GDPR Article 30.

4.1 Performance of a Contract (GDPR Art. 6(1)(b))

We process your account data, review data, payment data, and connected platform data as necessary to perform the contract between you and Dude Lemon LLC — specifically, to provide the ReviewMankey service that you signed up for. Without this data, we cannot deliver the review management features you have subscribed to.

This legal basis covers: creating and managing your user account, authenticating your sessions, synchronizing reviews from connected platforms, generating AI-powered response drafts, sending transactional emails related to your account, processing subscription payments through Stripe, delivering webhook payloads to your configured endpoints, and enabling team collaboration features within your workspace. If you do not provide the data necessary for contract performance, we will be unable to provide the corresponding service features.

4.2 Legitimate Interest (GDPR Art. 6(1)(f))

We process usage data, device data, and aggregated analytics under our legitimate interest in maintaining a secure, reliable, and improving platform. We have conducted balancing tests to ensure that our legitimate interests do not override your fundamental rights. Our legitimate interests include preventing fraud and abuse, ensuring platform security, understanding product usage to improve our service, and sending you relevant product updates about features you use.

For each legitimate interest processing activity, we have documented: the specific legitimate interest pursued, the necessity of the processing for that interest, the impact on data subjects, the safeguards in place to protect data subject rights, and the outcome of the balancing test. You have the right to object to processing based on legitimate interests at any time. To exercise this right, please visit our contact page.

4.3 Consent (GDPR Art. 6(1)(a))

Where required by law, we obtain your explicit consent before processing certain data. This applies to marketing email communications, the placement of non-essential cookies, and the collection of data through the lead capture pixel on your website (where you are responsible for obtaining consent from your own website visitors). You may withdraw your consent at any time by updating your notification preferences, using the unsubscribe link in our emails, or visiting our contact page.

Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal. When you withdraw consent for a specific processing activity, we will cease that processing promptly, typically within 48 hours. We maintain records of consent grants and withdrawals, including the timestamp, the specific consent given, and the method by which consent was obtained or withdrawn.

4.4 Legal Obligation (GDPR Art. 6(1)(c))

We process certain data as necessary to comply with legal obligations, including tax and accounting requirements for billing records (retained for a minimum of 7 years), responding to valid legal process or government requests, maintaining records required by applicable data protection laws, and fulfilling our obligations under GDPR to respond to data subject access requests. Where we process data solely on the basis of legal obligation, we limit the processing to the minimum data necessary to satisfy the obligation.

We work with carefully selected third-party service providers to operate ReviewMankey. Each provider is contractually required to process your data only as necessary to provide their service to us and to maintain appropriate security measures. We have executed data processing agreements (DPAs) with each provider that include obligations regarding data confidentiality, security measures, subprocessor management, breach notification, and data deletion upon termination. Below is a list of our key service providers and how your data interacts with each.

5.1 Amazon Web Services (AWS)

Our application infrastructure runs on AWS cloud infrastructure, and our primary encrypted databases are hosted on AWS managed services. All data stored in our databases resides within AWS data centers in the United States. AWS provides encryption at rest for our storage and encryption in transit for all data moving between our services. We also use AWS email delivery services to send transactional and notification emails on your behalf.

AWS maintains SOC 1, SOC 2, and SOC 3 compliance certifications, ISO 27001 certification, and is PCI DSS Level 1 compliant. AWS participates in the EU-US Data Privacy Framework for cross-border data transfers. The data we store on AWS includes your account information, review data, AI interaction history, team collaboration data, billing records, and application logs. AWS does not access your data except as necessary to maintain the infrastructure and as directed by us.

5.2 Google APIs

We use Google OAuth to connect your Google Business Profile account and Google Play Store developer account. We use the Google Business Profile API to retrieve and respond to reviews, and the Google Places API to discover competitor businesses near your locations. Google receives your OAuth authorization grants and the API requests we make on your behalf. See Section 6 for our specific Google API data usage disclosures required by the Google API Services User Data Policy.

5.3 Apple App Store Connect API

We use the Apple App Store Connect API to retrieve app reviews and ratings for apps you manage. We access this data using API keys that you provide, and we store the review data in our encrypted databases to power your dashboard, notifications, and response workflows. Apple receives the API requests we make using your credentials. We do not share your Apple API keys with any other third party.

5.4 Yelp and TripAdvisor APIs

We connect to Yelp and TripAdvisor using their respective APIs to retrieve reviews for your business listings. The data retrieved includes review text, ratings, reviewer display names, and review dates. This data is stored in our encrypted databases and used to power your review management workflows. Yelp and TripAdvisor receive the API requests we make on your behalf, including your business identifiers on those platforms.

5.5 xAI

We use xAI's AI models to generate review response drafts and perform sentiment analysis. Review content and business context are sent to xAI's API for processing. xAI does not use data sent through its API to train its models. xAI receives only the minimum data necessary to generate the requested output: the review text, your business name and category, and your response tone preferences. xAI does not receive your email address, account credentials, payment information, or any data beyond what is needed for the specific AI processing task. See Section 7 for full details.

5.6 Stripe

We use Stripe to process all subscription payments, manage billing, and handle payment card data. Stripe is a PCI DSS Level 1 certified payment processor. Stripe receives your full payment card details (directly from your browser, never through our servers), your billing name and address, your email address (for receipt delivery), and transaction amounts. Stripe maintains SOC 1 and SOC 2 compliance certifications and participates in the EU-US Data Privacy Framework. See Section 8 for full details on payment data handling.

5.7 Cloudflare

We use Cloudflare for DNS management, content delivery (CDN), DDoS protection, and web application firewall (WAF) services. When you access ReviewMankey, your requests pass through Cloudflare's network, which may temporarily process your IP address and request headers to provide security and performance services. Cloudflare operates a global network of data centers, and your requests may be routed through the data center closest to your location. Cloudflare maintains ISO 27001 certification, SOC 2 Type II compliance, and participates in the EU-US Data Privacy Framework.

5.8 Sentry

We use Sentry for error monitoring and application performance tracking. When an error occurs in our application, Sentry may receive technical data including the error message, stack trace, the URL where the error occurred, your browser type, operating system, and a randomly generated session identifier. Sentry does not receive your name, email address, or review content unless that data happens to appear in an error message. We review Sentry configurations regularly to minimize the personal data captured in error reports. Sentry maintains SOC 2 Type II compliance and processes data in accordance with its data processing addendum.

ReviewMankey's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. This section provides the specific disclosures required by that policy.

6.1 What Google Data We Access

When you connect your Google Business Profile, we request access to your business listing information (name, address, category, phone number, hours), your reviews and review responses, and your location-level metrics where available. When you connect a Google Play Store developer account, we access your app reviews, ratings, and developer responses. We also use the Google Places API (which does not require user OAuth) to search for publicly available business information for competitor discovery features.

The specific Google OAuth scopes we request are limited to those necessary to provide the review management features of ReviewMankey. We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, or any other Google service beyond those explicitly described above. If Google introduces new API scopes or modifies existing ones, we will update this policy and may request your re-authorization.

6.2 How We Use Google Data

We use Google data exclusively to provide you with the ReviewMankey review management features you signed up for. This includes displaying your reviews in your dashboard, sending you notifications about new reviews, generating AI-powered response suggestions, producing analytics and reports about your review performance, and allowing you to respond to reviews directly from within ReviewMankey.

We do not use Google data for any purpose unrelated to the core review management features of ReviewMankey. Specifically, we do not use Google data to build user profiles for advertising, to train machine learning models, to create competitive intelligence reports for third parties, to generate aggregated industry benchmarks that include your identifiable data, or to provide data to any third party for purposes other than delivering the ReviewMankey service. Google data is isolated from any marketing or analytics systems and is accessible only through authenticated ReviewMankey application interfaces.

6.3 Limited Use Compliance

In accordance with Google's Limited Use requirements, we limit our use of Google user data to providing and improving the user-facing features that are visible and prominent in ReviewMankey's interface. We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising. We do not allow humans to read Google user data unless we have your affirmative consent for specific messages, it is necessary for security purposes (such as investigating abuse), it is necessary to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymized.

6.4 Google Data Transfers

We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features (such as sending review content to our AI provider for response generation), with your explicit consent, as necessary for security or legal compliance, or in connection with a merger or acquisition where the successor entity is bound by these same restrictions. We do not transfer Google user data to any third party for advertising purposes.

6.5 Revoking Google Access

You can revoke ReviewMankey's access to your Google data at any time by disconnecting your Google account within the ReviewMankey application settings, or by visiting your Google Account's third-party app permissions page at myaccount.google.com/permissions. When you revoke access, we will stop syncing new data from Google and will retain previously synced data in accordance with our standard retention policy described in Section 14. You may request deletion of all previously synced Google data by visiting our contact page.

7.1 How AI Is Used

ReviewMankey uses xAI's AI models to provide two core AI features: response draft generation and sentiment analysis. When you request an AI-generated response draft for a review, we send the review text, your business name and category, your preferred response tone, and relevant context to xAI's API. xAI processes this information and returns a suggested response draft that you can review, edit, and approve before it is posted.

For sentiment analysis, we send the review text to xAI's API to classify the overall sentiment (positive, neutral, or negative), identify key themes and topics mentioned in the review, and extract actionable insights. The results are displayed in your dashboard and used to power analytics features.

7.2 What Data Is Sent to the AI

The data sent to xAI's API for processing includes the full text of the review being analyzed or responded to, your business name and category (to provide context for the response), your configured response tone and style preferences, and in some cases, examples of your previously approved responses (to help the AI match your communication style). We do not send your account credentials, payment information, email address, or other personal account data to the AI provider.

To be explicit about what is not sent to xAI: your password, email address, billing information, IP address, device information, team member details, workspace settings, webhook configurations, lead capture data, and any data from other users in your workspace are never transmitted to xAI. The data boundary is strictly limited to the review content and business context needed for the specific AI task being performed.

7.3 AI Training and Data Retention

xAI does not use data sent through its commercial API to train its AI models. Your review data and AI-generated responses are processed by xAI in real time and are not retained by xAI beyond the duration needed to process each individual request, in accordance with xAI's data processing agreements. We store the AI-generated response drafts and sentiment analysis results in our own encrypted databases so they are available in your dashboard, but xAI does not maintain a separate copy of your data.

7.4 Human Review of AI Outputs

All AI-generated response drafts are presented to you for review before they are published. ReviewMankey does not automatically post AI-generated responses without your explicit approval. You always have the ability to edit, approve, or reject any AI-generated content before it is sent to a review platform.

7.5 AI Data Minimization

We practice strict data minimization when sending data to xAI. Before each API request, our application strips any data that is not directly relevant to the AI processing task. For response generation, we send only the review text, business name, business category, response tone preference, and optionally a small sample of your previous responses for style matching. For sentiment analysis, we send only the review text. We do not send batch data, historical data sets, or any data beyond what is needed for the individual request being processed.

We regularly audit the data payloads sent to xAI to ensure compliance with our data minimization policy. If we identify any instances where more data than necessary is being transmitted, we immediately update our application to remove the excess data from future requests.

7.6 AI Provider Changes

If we change our AI provider or add additional AI providers in the future, we will update this Privacy Policy to reflect the new provider's identity and data handling practices. We will ensure that any new AI provider meets the same data protection standards described in this section, including the requirement that your data not be used for model training and that data is not retained beyond the processing duration. Material changes to our AI data processing practices will be communicated to you in advance through the notification methods described in Section 34. We will provide at least 30 days' notice before any change to our AI provider takes effect, giving you the opportunity to review the new provider's data practices and, if you disagree, to cancel your subscription.

8.1 Automated Processing Activities

ReviewMankey uses automated processing in several areas of the platform. Sentiment analysis automatically classifies reviews as positive, neutral, or negative based on the review text. Priority scoring automatically ranks reviews by urgency based on factors such as star rating, review length, and identified themes. Notification routing automatically determines which team members should be alerted about new reviews based on your configured rules.

None of these automated processing activities produce legal effects or similarly significant effects on you as defined by GDPR Article 22. Sentiment analysis and priority scoring are informational tools that assist your decision-making but do not make decisions on your behalf. AI-generated response drafts are suggestions that require your explicit approval before any action is taken.

8.2 No Solely Automated Decisions with Legal Effects

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. All significant decisions regarding your account (such as account suspension or termination) involve human review. Billing decisions (such as subscription downgrades due to failed payments) follow predetermined rules that you agreed to in our Terms of Service and are not based on profiling.

8.3 Profiling

We do not engage in profiling as defined by GDPR Article 4(4) for the purpose of making automated decisions that produce legal effects. The analytics and scoring features within ReviewMankey are designed to help you manage your reviews more efficiently and do not constitute profiling of you as an individual. We do not build behavioral profiles of our users for marketing, credit scoring, insurance underwriting, or any purpose other than delivering the features of the ReviewMankey platform.

The sentiment analysis we perform on reviews is a classification of the review content (which is typically authored by your customers, not by you) and does not constitute profiling of you or your business for any purpose that produces legal or similarly significant effects.

8.4 Your Rights Regarding Automated Processing

Even though our automated processing does not fall within the scope of GDPR Article 22 restrictions, you have the right to request human review of any automated classification or scoring applied to your data, the right to express your point of view regarding automated outputs, and the right to contest the results of automated processing. To exercise these rights, please visit our contact page. We will respond to requests regarding automated processing within 30 days.

9.1 Payment Processing

All payment processing for ReviewMankey is handled by Stripe, Inc. Stripe is a PCI DSS Level 1 certified payment processor, which is the highest level of certification available in the payment card industry. When you enter your payment card information, it is transmitted directly to Stripe's servers using their client-side libraries. Your full card number, CVV, and complete card details never touch our servers.

Stripe's PCI DSS Level 1 certification means that Stripe undergoes annual on-site assessments by a qualified security assessor, maintains comprehensive security controls including encryption, access controls, network monitoring, and vulnerability management, and is subject to regular penetration testing and security audits. By using Stripe, we ensure that your payment data is handled to the highest industry standard without requiring us to store sensitive cardholder data ourselves.

9.2 What We Store

On our servers, we store only the information necessary to display your billing details and manage your subscription. This includes your Stripe customer ID, the last four digits of your payment card, the card brand (Visa, Mastercard, etc.), the card expiration date, your billing name and address, your subscription plan and billing cycle, invoice history and payment dates, and the status of each payment (succeeded, failed, refunded). We do not store full card numbers, CVVs, or any data that would allow us to directly charge your card outside of Stripe's secure systems.

9.3 Stripe's Privacy Practices

Stripe processes your payment data according to its own privacy policy, available at stripe.com/privacy. We encourage you to review Stripe's privacy policy to understand how they handle your payment data. Stripe may retain your payment data as required by applicable financial regulations and payment network rules, even after you delete your ReviewMankey account.

9.4 Refunds and Disputes

If you request a refund or initiate a payment dispute, Stripe processes the refund or dispute on our behalf. We receive notification of the refund or dispute status and update our records accordingly. Dispute-related data (including the reason for the dispute and any evidence submitted) is processed by Stripe in accordance with payment network rules. We retain records of refunds and disputes for a minimum of 7 years as required by financial regulations.

9.5 Tax Information

For users in jurisdictions that require tax collection (such as VAT in the EU or sales tax in certain US states), we collect the minimum tax-related information necessary to generate compliant invoices. This may include your country of establishment, your VAT identification number, and your tax-exempt status. This information is used solely for tax calculation and invoice generation purposes and is retained for the legally required period (typically 7 years).

9.6 Free Trial and Plan Changes

During your free trial period, we do not collect payment card information. If you choose to subscribe to a paid plan after your trial, Stripe will collect your payment information at that time. When you change plans (upgrade or downgrade), we update your subscription record and Stripe adjusts the billing amount accordingly. Prorated charges or credits are calculated by Stripe and reflected in your next invoice. You can view your complete billing history in your account settings at any time.

10.1 Transactional Emails

We send transactional emails that are necessary for the operation of your account. These include account verification and welcome emails, password reset requests, workspace invitation notifications, payment receipts and billing notifications, failed payment alerts, and subscription change confirmations. Transactional emails cannot be opted out of while your account is active, as they are essential to delivering the service.

10.2 Service Notifications

We send service notification emails to alert you about activity within your ReviewMankey workspace. These include new review alerts, review assignment notifications, team member mentions and comments, review response status updates, and periodic digest reports (daily or weekly summaries of your review activity). You can customize which notification emails you receive and how frequently you receive digest reports through your notification preferences in the application settings.

10.3 Review Request Emails

If you use ReviewMankey's review request feature, we send emails on your behalf to your customers inviting them to leave a review. These emails are sent from our cloud infrastructure but are clearly identified as coming from your business. You are responsible for ensuring that you have appropriate consent or a legitimate business relationship with the recipients of review request emails. You must also ensure that your use of the review request feature complies with CAN-SPAM, GDPR, and any other applicable anti-spam and privacy regulations in the recipient's jurisdiction.

10.4 Marketing Communications

We may occasionally send product update emails, feature announcements, and tips for getting more value from ReviewMankey. These marketing communications are always clearly distinguishable from transactional messages and include a prominent unsubscribe link. We will never send marketing emails to users who have not opted in or who have opted out.

10.5 CAN-SPAM Compliance

All emails sent by ReviewMankey comply with the CAN-SPAM Act. Every marketing email includes a clear and conspicuous unsubscribe mechanism, our physical mailing address, accurate "From" and "Subject" headers, and an honest identification of the message as an advertisement where applicable. We honor all unsubscribe requests within 10 business days. We do not use deceptive subject lines or misleading header information.

10.6 Email Infrastructure

All emails from ReviewMankey are sent through AWS cloud email delivery services. The email infrastructure processes the recipient email address, email content, and delivery metadata (timestamps, delivery status, bounce and complaint records) to deliver emails and maintain our sender reputation. We monitor bounce rates and complaint rates to maintain healthy email delivery practices and promptly remove invalid or complaining addresses from our mailing lists.

11.1 What the Pixel Is

ReviewMankey offers a JavaScript tracking pixel that you can install on your business website. The pixel is a small piece of JavaScript code that loads asynchronously and collects visitor interaction data to help you understand how visitors engage with your website and to capture leads for review request follow-ups.

11.2 What the Pixel Collects

When installed, the pixel collects the visitor's IP address (which may be used for approximate geolocation at the city level and is then anonymized for storage), browser type and version, device type and operating system, referring URL (how the visitor arrived at your site), pages viewed and time spent on each page, and any form submissions the visitor explicitly completes on your site (such as name, email, phone number entered into contact or booking forms). The pixel does not collect payment card information, passwords, social security numbers, or other sensitive data from form fields, even if such fields are present on the page.

11.3 Your Responsibility as a Pixel User

If you install the ReviewMankey pixel on your website, you are the data controller for the information collected from your website visitors. You are responsible for providing adequate privacy disclosures to your visitors about the use of the ReviewMankey pixel, obtaining any consent required by applicable law (such as GDPR cookie consent) before the pixel is activated, ensuring your use of the pixel complies with all applicable privacy laws in your jurisdiction, and including the ReviewMankey pixel in your website's cookie policy or privacy policy.

We provide you with documentation and sample privacy policy language that you can adapt for your website to disclose the use of the ReviewMankey pixel. However, you are ultimately responsible for ensuring that your privacy disclosures are accurate and compliant with the laws of your jurisdiction and the jurisdictions of your website visitors.

11.4 Data Retention for Pixel Data

Lead capture data collected through the ReviewMankey pixel is retained in your workspace for as long as your account is active, subject to the same retention and deletion policies described in Section 18. You can delete individual lead records at any time from your ReviewMankey dashboard. When you cancel your account, pixel data follows the same 90-day recovery period and subsequent deletion process as all other workspace data.

11.5 Opt-Out for Website Visitors

Visitors to websites where the ReviewMankey pixel is installed can prevent data collection by using browser settings that block third-party JavaScript, using privacy-focused browser extensions that block tracking scripts, enabling Do Not Track in their browser (see our Do Not Track section below), or contacting the website owner directly to request data deletion. Website owners using the ReviewMankey pixel can delete individual lead records from their ReviewMankey dashboard at any time.

11.6 Pixel and GDPR Compliance

If you operate a website that serves users in the EEA or UK, you must obtain explicit consent from visitors before the ReviewMankey pixel is activated, in compliance with the ePrivacy Directive and GDPR. This typically means implementing a cookie consent banner or similar mechanism that blocks the pixel from loading until the visitor has affirmatively consented. The ReviewMankey pixel can be configured to load only after consent is granted by integrating it with your existing consent management platform (CMP). We provide documentation on how to implement this conditional loading.

12.1 We Do Not Sell Your Data

Dude Lemon LLC does not sell, rent, or trade your personal information to third parties for their marketing purposes. We have never sold user data and have no plans to do so. This applies to all categories of data we collect, including account data, review data, payment data, and pixel data. For the purposes of the CCPA/CPRA, we confirm that we do not "sell" or "share" (as those terms are defined under the CCPA/CPRA) your personal information.

12.2 Service Providers and Data Processors

We share data with third-party service providers only as necessary to operate ReviewMankey. These providers are contractually bound to use your data only for the purposes of providing their service to us and are required to maintain appropriate security measures. Our key service providers are listed in Section 5. We do not share more data with any provider than is necessary for them to perform their function.

12.3 Workspace Members

When you use ReviewMankey as part of a workspace, your name, email address, role, and activity within the workspace (such as comments, assignments, and response history) are visible to other members of your workspace in accordance with their role-based permissions. Workspace owners and admins may have broader visibility into team activity for management purposes.

12.4 Webhook Integrations

If you configure webhook integrations, ReviewMankey will send event data to the external URLs you specify. The data included in webhook payloads depends on the event types you subscribe to and may include review content, response data, and notification details. You are responsible for the security and privacy practices of the external services that receive your webhook data.

12.5 Legal Requirements

We may disclose your personal data if required to do so by law, in response to a valid subpoena, court order, or government request, to protect the rights, property, or safety of Dude Lemon LLC, our users, or the public, to enforce our Terms of Service, or to detect, prevent, or address fraud, security, or technical issues. When we receive a legal request for user data, we will notify the affected user before disclosing data unless we are legally prohibited from doing so (for example, by a court-issued gag order). We will challenge legal requests that we believe are overbroad or lack proper legal basis.

12.6 Business Transfers

If Dude Lemon LLC is involved in a merger, acquisition, bankruptcy, or sale of all or a portion of its assets, your personal data may be transferred as part of that transaction. In such a case, we will notify you via email or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy. The acquiring entity will be bound by the same data protection obligations described in this policy until a new privacy policy is communicated to you.

In the event of a business transfer, we will ensure that: you receive at least 30 days' notice before the transfer occurs, the successor entity agrees to honor existing data protection commitments, you have the opportunity to request deletion of your data before the transfer if you do not wish to continue under the new entity, and the transfer complies with all applicable data protection laws including GDPR transfer requirements.

13.1 Where Your Data Is Stored

ReviewMankey is operated by Dude Lemon LLC from the United States. Our primary encrypted databases and cloud infrastructure are hosted on Amazon Web Services in the United States. When you use ReviewMankey, your data is transferred to and stored in the United States, regardless of your location.

13.2 EU and UK Users

If you are located in the European Economic Area (EEA) or United Kingdom, the transfer of your personal data to the United States involves a transfer to a country that may not provide the same level of data protection as your home country. We rely on appropriate safeguards for these transfers, including standard contractual clauses (SCCs) approved by the European Commission in our agreements with data processors, the data processing agreements provided by our service providers (AWS, Stripe, Cloudflare, xAI, and Sentry each maintain their own transfer mechanisms), and your explicit consent to the transfer when you create an account and agree to this Privacy Policy.

13.3 Cloudflare Network

Because we use Cloudflare as our CDN and DNS provider, your requests to ReviewMankey may be routed through Cloudflare data centers worldwide. This means your IP address and request data may be temporarily processed in a Cloudflare data center located outside your home country. Cloudflare processes this data in accordance with its own privacy policy and data processing addendum. The data processed by Cloudflare at edge locations is transient and is not permanently stored outside the United States.

13.4 Other Service Provider Locations

xAI processes data through API endpoints that may be hosted in the United States. Stripe processes payment data in data centers located in the United States, with potential processing in other locations as described in Stripe's privacy policy. Sentry processes error monitoring data in the United States. In all cases, data transfers to these providers are governed by the data processing agreements we have in place with each provider, which include appropriate safeguards for cross-border transfers.

13.5 Your Consent to International Transfers

By creating a ReviewMankey account and using our services, you acknowledge and consent to the transfer of your personal data to the United States and other countries where our service providers operate. If you are located in a jurisdiction that restricts cross-border data transfers, the legal bases for these transfers are described in Section 14 (Cross-Border Data Transfer Mechanisms). If you do not consent to the international transfer of your data, you should not use ReviewMankey, as the service cannot be provided without these transfers.

14.1 Standard Contractual Clauses (SCCs)

For transfers of personal data from the EEA to countries that have not received an adequacy decision from the European Commission, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914). We incorporate the appropriate module of SCCs into our data processing agreements with subprocessors who process EEA personal data outside the EEA.

We have completed transfer impact assessments for each cross-border data transfer to evaluate whether the laws and practices of the destination country provide adequate protection for the transferred data. These assessments consider the legal framework of the destination country, the nature of the data transferred, and the supplementary measures we have implemented to protect the data.

14.2 Adequacy Decisions

Where the European Commission has issued an adequacy decision for a country (recognizing that the country provides an adequate level of data protection), we may rely on that adequacy decision as the basis for transferring data to processors in that country. We monitor changes to adequacy decisions and update our transfer mechanisms accordingly.

14.3 EU-US Data Privacy Framework

Several of our key service providers, including AWS, Stripe, and Cloudflare, participate in the EU-US Data Privacy Framework, which provides an adequacy basis for transfers of personal data from the EU to participating US organizations. We verify our providers' participation in the framework and monitor for any changes to their certification status.

14.4 Supplementary Measures

In addition to the legal transfer mechanisms described above, we implement supplementary technical and organizational measures to protect data during cross-border transfers. These include:

• Encryption in transit using TLS 1.2 or higher for all data transfers
• Encryption at rest (AES-256) for all stored data in our encrypted databases
• Access controls that limit who can access personal data to authorized personnel only
• Pseudonymization of personal data where technically feasible
• Regular security assessments of our transfer mechanisms and subprocessor practices
• Contractual obligations requiring subprocessors to resist government access requests that lack proper legal basis
• Monitoring of legal developments in destination countries that could affect the protection of transferred data

We review our supplementary measures periodically and update them as necessary to address evolving risks and regulatory guidance. If we determine that a destination country's legal framework no longer provides adequate protection for transferred data despite our supplementary measures, we will take appropriate steps, which may include relocating data processing to a country with adequate protections or suspending transfers to the affected jurisdiction.

15.1 Current Subprocessors

A complete list of our current subprocessors is provided in Section 5 of this policy. Each subprocessor has been vetted through our vendor assessment process, which evaluates their security practices, data protection measures, compliance certifications, and track record of handling personal data.

15.2 Subprocessor Changes

We will notify you at least 30 days before engaging a new subprocessor or making material changes to an existing subprocessor arrangement. Notifications will be provided via email to the workspace owner's email address and via a notice in the ReviewMankey application. The notification will include the name of the new subprocessor, the nature of the processing they will perform, the categories of data they will access, and their relevant compliance certifications.

15.3 Objection Rights

If you object to a new subprocessor, you may notify us within the 30-day notice period by visiting our contact page. We will work with you in good faith to find a resolution. If we cannot resolve your objection, you may terminate your subscription without penalty, and we will refund any prepaid fees for the unused portion of your subscription period.

15.4 Subprocessor Oversight

We conduct periodic reviews of our subprocessors' security and data protection practices, including reviewing their compliance certifications, audit reports, and data processing agreements. We require each subprocessor to notify us promptly of any security incidents that may affect the data we have entrusted to them. If a subprocessor fails to meet its data protection obligations, we will take appropriate steps, which may include terminating our relationship with that subprocessor and migrating to an alternative provider.

15.5 Subprocessor Assessment Criteria

Before engaging any new subprocessor, we evaluate them against the following criteria:

• Industry-recognized security certifications (SOC 2, ISO 27001, PCI DSS where applicable)
• Data encryption practices (at rest and in transit)
• Access control and authentication mechanisms
• Data breach notification procedures and track record
• Cross-border data transfer mechanisms and compliance with GDPR transfer requirements
• Data retention and deletion capabilities
• Sub-subprocessor management practices
• Business continuity and disaster recovery plans
• Willingness to execute a data processing agreement that meets GDPR requirements

We document the results of each subprocessor assessment and maintain these records as part of our GDPR Article 30 record of processing activities. Assessments are renewed at least annually or when there are material changes to the subprocessor's services or data handling practices.

16.1 Encryption

All data transmitted between your browser and ReviewMankey is encrypted using TLS 1.2 or higher. Our encrypted databases use AES-256 encryption at rest. Backups are encrypted using the same standard. API keys, OAuth tokens, and other sensitive credentials stored in our databases are encrypted at the application level using strong encryption algorithms before being written to storage.

We enforce HTTPS for all connections to ReviewMankey and use HTTP Strict Transport Security (HSTS) headers to prevent protocol downgrade attacks. Our TLS configuration is regularly reviewed to disable weak cipher suites and protocols. We support only modern, secure cipher suites and disable legacy protocols such as TLS 1.0 and TLS 1.1.

16.2 Access Controls

Access to our production cloud infrastructure is restricted to authorized personnel using multi-factor authentication and key-based access. We follow the principle of least privilege, granting team members only the minimum access required for their role. Database access is restricted to application services and authorized administrators. Role-based access controls within the ReviewMankey application ensure that workspace members can only access data appropriate to their assigned role (owner, admin, or member).

We maintain a formal access management policy that includes onboarding and offboarding procedures, periodic access reviews (at least quarterly), and immediate revocation of access upon personnel departure. All administrative access is logged and auditable.

16.3 Network Security

Our infrastructure is protected by Cloudflare's web application firewall (WAF) and DDoS mitigation services. We use network security groups and access control lists to restrict traffic to our servers. Our application implements rate limiting, input validation, and protection against common web vulnerabilities including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).

16.4 Monitoring and Incident Response

We use Sentry for real-time error monitoring and alerting. We monitor our infrastructure for unusual activity, unauthorized access attempts, and performance anomalies. In the event of a security incident that affects your personal data, we will notify affected users and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR where feasible). Our incident response process includes containment, investigation, remediation, and post-incident review.

16.5 Password Security

User passwords are hashed using industry-standard one-way hashing algorithms with unique salts for each password. We never store passwords in plain text. Our password requirements enforce minimum length and complexity standards to reduce the risk of credential-based attacks. We also check passwords against known breached password databases to prevent the use of compromised credentials.

16.6 Vulnerability Management

We maintain a vulnerability management program that includes regular dependency updates, automated vulnerability scanning of our application dependencies, and prompt patching of critical security vulnerabilities. We monitor security advisories for all third-party libraries and frameworks used in our application and apply security patches in a timely manner.

16.7 Data Segregation

We implement logical data segregation to ensure that each workspace's data is isolated from other workspaces. A user in one workspace cannot access the review data, team collaboration data, or analytics of another workspace unless they are an authorized member of both workspaces. Our access control layer enforces this segregation at every API endpoint and data query. We periodically audit our data segregation controls to verify their effectiveness.

16.8 Secure Development Practices

Our development team follows secure coding practices, including code review for all changes to the application, automated security linting and static analysis, input validation and output encoding to prevent injection attacks, and regular security training for all team members who write or review code. We maintain a responsible disclosure policy for security researchers who identify vulnerabilities in our application.

16.9 No Guarantee

While we implement and maintain commercially reasonable security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data. If you become aware of any unauthorized access to your account, please contact us immediately through our contact page.

17.1 GDPR Breach Notification (72-Hour Rule)

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals in the EEA or UK, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Article 33. The notification will include the nature of the breach, the approximate number of data subjects and records affected, the likely consequences of the breach, and the measures taken or proposed to mitigate the breach.

Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify the affected data subjects without undue delay, as required by GDPR Article 34, unless the data was encrypted or otherwise rendered unintelligible to unauthorized parties, we have taken subsequent measures that ensure the high risk is no longer likely to materialize, or individual notification would involve disproportionate effort, in which case we will issue a public communication.

17.2 US State Breach Notification

We comply with all applicable US state data breach notification laws. While requirements vary by state, we generally notify affected individuals and state attorneys general within the timeframes required by the laws of the state where the affected individual resides. For California residents, we comply with the notification requirements of California Civil Code Section 1798.82. For other states, we follow the specific notification timelines and content requirements of each applicable state law.

17.3 Notification Methods

Breach notifications to affected users will be sent via email to the email address associated with your ReviewMankey account. If email notification is not feasible (for example, if we do not have a current email address), we will use alternative methods such as prominent website notices or direct mail as required by applicable law.

17.4 Breach Notification Content

Our breach notifications will include a description of the nature of the breach in plain language, the categories and approximate number of records affected, the name and contact details of our point of contact for further information, a description of the likely consequences of the breach, a description of the measures we have taken or propose to take to address the breach and mitigate its effects, and recommendations for steps you can take to protect yourself (such as changing your password).

17.5 Internal Breach Response Process

Upon discovering or being notified of a potential data breach, our response process follows these stages: (1) immediate containment to stop the breach and prevent further data loss, (2) assessment to determine the scope, severity, and categories of data affected, (3) notification to affected individuals and authorities within the required timeframes, (4) remediation to address the root cause and prevent recurrence, and (5) post-incident review to document lessons learned and update our security measures accordingly.

We maintain a breach response team that includes designated personnel responsible for technical investigation, legal assessment, communications, and customer support. This team conducts regular tabletop exercises to practice breach response procedures and ensure that all team members understand their roles and responsibilities during a security incident.

17.6 Subprocessor Breach Obligations

Our data processing agreements with subprocessors require them to notify us of any security breach affecting our data without undue delay, and in any event within 48 hours of becoming aware of the breach. This allows us to meet our own 72-hour GDPR notification obligation. Subprocessors are also required to cooperate with our investigation, provide reasonable assistance in mitigating the effects of the breach, and implement corrective measures to prevent recurrence.

18.1 Active Account Data

We retain your personal data for as long as your account is active and as necessary to provide you with our services. Your account data, review data, AI interaction history, team collaboration data, and webhook configurations are maintained continuously while your subscription is active. Data is synchronized with connected review platforms at regular intervals and is kept up to date throughout the active lifecycle of your account.

18.2 After Account Cancellation

When you cancel your subscription, your account enters an inactive state. We retain your data for 90 days after cancellation to allow you to reactivate your account and recover your data if you change your mind. After the 90-day recovery period, we begin the process of deleting your personal data from our active systems. Deletion from active systems is typically completed within 30 days after the recovery period ends. Deleted data may persist in encrypted backups for up to an additional 90 days before those backups are rotated and the data is permanently removed.

18.3 Billing Records

We retain billing records (invoices, payment history, and subscription records) for a minimum of 7 years after the last transaction, as required by tax and accounting regulations. These records include your billing name, billing address, transaction amounts, and dates, but do not include full payment card numbers.

18.4 Usage Logs

Server access logs, error logs, and security audit logs are retained for 12 months and then automatically purged. These logs may contain IP addresses, user agent strings, and request URLs. Security incident logs may be retained for longer periods if they are relevant to an ongoing investigation or legal proceeding.

18.5 Retention Summary by Data Category

Below is a summary of retention periods by data category:

• Account profile data — Duration of active account + 90 days post-cancellation + 30 days for deletion processing
• Review and business data — Duration of active account + 90 days post-cancellation + 30 days for deletion processing
• AI interaction data — Duration of active account + 90 days post-cancellation + 30 days for deletion processing
• Team collaboration data — Duration of active account + 90 days post-cancellation + 30 days for deletion processing
• Lead capture/pixel data — Duration of active account + 90 days post-cancellation + 30 days for deletion processing
• Billing records — 7 years from last transaction (legal obligation)
• Server access logs — 12 months, then automatically purged
• Error monitoring logs (Sentry) — 90 days (managed by Sentry's retention policy)
• Support correspondence — 3 years from resolution date
• Encrypted backups — Up to 90 days after data deletion from active systems

18.6 Right to Delete

You can request deletion of your personal data at any time by visiting our contact page or by using the account deletion feature in your account settings. When you request deletion, we will delete or anonymize your personal data from our active systems within 30 days, remove your data from our service provider systems where technically feasible, retain only the minimum billing records required by law, and confirm the completion of your deletion request via email.

18.7 Data Export

Before deleting your account, you can export your data using the data export feature in your account settings. The export includes your account profile, review data, response history, AI-generated drafts, analytics data, and team collaboration records in a machine-readable format (JSON or CSV). We recommend exporting your data before requesting account deletion, as the deletion process is irreversible once initiated.

19.1 GDPR Rights (EEA and UK Users)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access (Art. 15) — You can request a copy of the personal data we hold about you. We will provide this in a commonly used electronic format within 30 days. To exercise this right, visit our contact page with the subject line "Data Access Request."
• Right to rectification (Art. 16) — You can request that we correct inaccurate personal data or complete incomplete data. You can update most account information directly in your ReviewMankey settings. For data you cannot update yourself, visit our contact page.
• Right to erasure (Art. 17) — You can request that we delete your personal data, subject to certain exceptions (such as legal retention requirements). You can initiate deletion through your account settings or by visiting our contact page.
• Right to restriction (Art. 18) — You can request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful but you oppose erasure.
• Right to data portability (Art. 20) — You can request your personal data in a structured, commonly used, machine-readable format. Use the data export feature in your account settings to download your data in JSON or CSV format.
• Right to object (Art. 21) — You can object to the processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent (Art. 7(3)) — Where we process data based on your consent, you can withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint (Art. 77) — You have the right to lodge a complaint with a supervisory authority in your EU member state. See Section 27 for supervisory authority contact information.
• Right not to be subject to automated decision-making (Art. 22) — You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. See Section 8 for details on our automated processing practices.

19.2 CCPA/CPRA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:

• Right to know — You can request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share your data.
• Right to delete — You can request that we delete the personal information we have collected from you, subject to certain exceptions.
• Right to correct — You can request that we correct inaccurate personal information.
• Right to opt out of sale or sharing — We do not sell or share your personal information for cross-context behavioral advertising, so this right does not apply in practice. However, we honor it nonetheless.
• Right to limit use of sensitive personal information — We do not use sensitive personal information for purposes beyond what is necessary to provide ReviewMankey, so this right does not apply in practice. However, we honor it nonetheless.
• Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge different prices, provide different quality of service, or retaliate in any way for exercising your rights.

California residents may designate an authorized agent to exercise their rights on their behalf. If you use an authorized agent, we may require the agent to provide proof of written authorization from you and may require you to verify your identity directly with us.

19.3 CCPA/CPRA Categories Disclosure

In the preceding 12 months, Dude Lemon LLC has collected the following categories of personal information as defined by the CCPA/CPRA:

• Identifiers — such as name, email address, IP address, and account identifiers
• Commercial information — such as subscription plan, billing history, and transaction records
• Internet or electronic network activity — such as browsing history within ReviewMankey, feature usage, and interaction data
• Geolocation data — approximate location derived from IP address (city and country level)
• Professional or employment-related information — such as business name, business category, and role within a workspace
• Inferences — such as sentiment analysis results and review priority scores derived from review content

We have not collected categories of sensitive personal information as defined by the CPRA. We do not collect social security numbers, driver's license numbers, financial account numbers with access credentials, precise geolocation, racial or ethnic origin data, religious beliefs, genetic data, biometric data, health information, or sexual orientation data.

19.3 How to Exercise Your Rights

To exercise any of the rights described above, you can visit our contact page with the subject line "Privacy Rights Request." Please include your full name, the email address associated with your ReviewMankey account, a description of the right you wish to exercise, and any additional information that will help us locate your data and fulfill your request.

19.4 How to Exercise Your Rights — Step by Step

Follow these steps to exercise any of your privacy rights:

• Step 1: Visit our contact page and select "Privacy Rights Request" as the subject.
• Step 2: Provide your full name and the email address associated with your ReviewMankey account so we can locate your records.
• Step 3: Clearly state which right you are exercising (e.g., "Right to access," "Right to delete," "Right to data portability").
• Step 4: If applicable, provide any additional details that will help us fulfill your request (e.g., specific data categories, specific date ranges).
• Step 5: Submit the request. You will receive an acknowledgment within 3 business days.
• Step 6: We will verify your identity by sending a confirmation link to the email address on file for your account. Click the link to verify your request.
• Step 7: Once verified, we will process your request and provide a substantive response within the applicable legal timeframe (30 days for GDPR, 45 days for CCPA/CPRA).

19.5 Verification and Response Time

We will verify your identity before processing your request by confirming your email address and, if necessary, asking you to verify additional account details. We will respond to your request within 30 days for GDPR requests (or 45 days for CCPA/CPRA requests), or within the timeframe required by applicable law. If we need additional time, we will notify you of the extension and the reason for it. There is no fee for exercising your privacy rights, though we reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests as permitted by GDPR Article 12(5).

19.6 Appeals Process

If we deny your privacy rights request in whole or in part, we will provide you with a written explanation of the reasons for the denial and information about your right to appeal. If you disagree with our decision, you may submit an appeal by visiting our contact page with the subject line "Privacy Rights Appeal." We will review your appeal and respond within 30 days. If your appeal is denied, we will inform you of your right to lodge a complaint with the relevant supervisory authority (for GDPR) or the state attorney general (for CCPA/CPRA).

Under California Civil Code Section 1798.83, also known as the "Shine the Light" law, California residents who provide personal information to a business for personal, family, or household purposes have the right to request, once per calendar year, information about whether the business has disclosed their personal information to any third parties for the third parties' direct marketing purposes.

As stated in this Privacy Policy, Dude Lemon LLC does not disclose personal information to third parties for their direct marketing purposes. We have never done so and have no plans to do so. Therefore, no such disclosure has occurred.

If you are a California resident and would like to make a Shine the Light request, please visit our contact page with the subject line "California Shine the Light Request." Please include your name, mailing address, and a statement confirming that you are a California resident.

Under Nevada Revised Statutes Chapter 603A, Nevada residents have the right to opt out of the sale of certain covered information that a website operator has collected or will collect about the consumer. As stated in this Privacy Policy, Dude Lemon LLC does not sell your personal information, including "covered information" as defined under Nevada law. We do not exchange your personal information for monetary consideration with third parties.

"Covered information" under Nevada law includes your first and last name, a home or other physical address that includes the name of a street and the name of a city or town, an email address, a telephone number, a social security number, an identifier that allows a specific person to be contacted physically or online, and any other information concerning a person collected online and maintained in a personally identifiable form in combination with any of the above identifiers.

If you are a Nevada resident and would like to submit an opt-out request, even though we do not sell your data, you may do so by visiting our contact page with the subject line "Nevada Opt-Out Request." We will respond to verified requests within 60 days as required by Nevada law. If we need additional time, we will notify you and provide a response within 90 days.

ReviewMankey is a business-to-business SaaS platform designed for use by businesses and their authorized representatives. Our service is not directed at individuals under the age of 18, and we do not knowingly collect personal information from anyone under 18 years of age.

If you are under 18, you may not create a ReviewMankey account, use our services, or provide any personal information to us. If you are a parent or guardian and believe that your child under 18 has provided personal information to ReviewMankey, please visit our contact page and we will promptly delete that information from our systems.

If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take immediate steps to delete that information from our servers. We do not knowingly collect, use, or disclose personal information from children under the age of 13 as defined by the Children's Online Privacy Protection Act (COPPA), or under the age of 16 as defined by GDPR for certain EU member states.

Our lead capture pixel is intended for use on business websites and should not be installed on websites directed at children. If you install the ReviewMankey pixel on a website that is directed at or frequently visited by children, you are responsible for ensuring compliance with COPPA and other applicable child privacy laws, which may require obtaining verifiable parental consent before collecting data from children.

23.1 What Cookies We Use

ReviewMankey uses the following categories of cookies and similar technologies:

• Essential cookies — These are required for the basic functioning of our application. They include session cookies that maintain your authenticated state, CSRF protection tokens, and cookies that remember your language and timezone preferences. These cookies cannot be disabled without breaking core functionality. Retention: session duration or up to 30 days for persistent session cookies.
• Functional cookies — These remember your preferences and settings within the application, such as your preferred dashboard layout, notification preferences, and recently accessed locations. These enhance your experience but are not strictly required. Retention: up to 1 year.
• Analytics cookies — We use analytics to understand how users interact with our application, which features are most used, and where users encounter difficulties. Analytics data is aggregated and does not identify individual users by name or email. Retention: up to 1 year.

23.2 No Third-Party Advertising Cookies

ReviewMankey does not use third-party advertising cookies, retargeting pixels, or interest-based advertising trackers within our application. We do not share cookie data with advertising networks or data brokers. We do not participate in real-time bidding, cookie syncing, or any other mechanism that shares your browsing behavior with advertisers.

23.3 Local Storage

In addition to cookies, we use browser local storage to persist application state (such as sidebar collapse state, filter selections, and draft responses in progress) across page navigations. Local storage data remains on your device and is not transmitted to our servers unless you explicitly save or submit the data.

23.4 Cookie Duration Summary

Below is a summary of cookie retention periods by category:

• Session authentication cookie — Expires when you close your browser, or up to 30 days if you select "Remember me"
• CSRF protection token — Session duration
• Language and timezone preference — 1 year
• Dashboard layout preferences — 1 year
• Cookie consent preferences — 1 year
• Analytics identifier — 1 year (only if you have consented to analytics cookies)

23.5 Managing Cookies

You can manage or delete cookies through your browser settings. Most browsers allow you to block or delete cookies, but doing so may prevent you from logging in or using certain features of ReviewMankey. For instructions on managing cookies in your specific browser, visit your browser's help documentation. Please note that deleting cookies will require you to log in again and may reset your application preferences.

Below are links to cookie management instructions for common browsers: Chrome (Settings > Privacy and Security > Cookies), Firefox (Settings > Privacy & Security > Cookies), Safari (Preferences > Privacy), Edge (Settings > Cookies and site permissions). For mobile browsers, cookie management is typically found in the browser's settings under the Privacy or Security section.

24.1 Consent for Non-Essential Cookies

For users in jurisdictions that require consent for non-essential cookies (including the EEA and UK under the ePrivacy Directive), we present a cookie consent banner on your first visit to ReviewMankey. This banner allows you to accept or reject non-essential cookies (functional and analytics categories) before they are placed on your device. Essential cookies are placed without consent as they are strictly necessary for the functioning of the service.

24.2 Granular Consent Controls

Our cookie consent mechanism provides granular controls that allow you to accept or reject each category of non-essential cookies independently. You are not required to accept all non-essential cookies as a bundle. Your consent preferences are stored in a first-party cookie and are respected across subsequent visits.

24.3 Changing Your Consent

You can change your cookie consent preferences at any time by accessing the cookie settings through the link in the footer of our website. When you withdraw consent for a category of cookies, we will stop placing new cookies in that category and will delete existing cookies in that category from your browser. Note that deleting certain functional cookies may reset some of your application preferences.

24.4 Consent Records

We maintain records of cookie consent for compliance purposes. These records include the timestamp of consent, the categories of cookies consented to, the version of the consent notice presented, and the method by which consent was given. Consent records are retained for 3 years from the date of consent, or until you withdraw or update your consent, whichever comes first. This record-keeping enables us to demonstrate compliance with the ePrivacy Directive and GDPR requirements for valid consent.

Some web browsers transmit "Do Not Track" (DNT) signals to the websites and online services that users visit. There is currently no universally accepted standard for how online services should respond to DNT signals. However, ReviewMankey respects DNT signals as follows:

When we detect a DNT signal from your browser, we treat it as a signal to disable non-essential analytics cookies. Essential cookies (required for authentication and core functionality) will still be placed, as they are necessary to provide the service. We will not place functional or analytics cookies if a DNT signal is detected, unless you have explicitly opted in through our cookie consent mechanism.

For the ReviewMankey lead capture pixel installed on third-party websites, the pixel respects DNT signals by not collecting analytics data from visitors whose browsers send a DNT signal. Website owners who install the ReviewMankey pixel should inform their visitors about this behavior in their privacy policies.

ReviewMankey may contain links to third-party websites and services that are not owned or controlled by Dude Lemon LLC. These links may appear in review content displayed in your dashboard (such as links included by reviewers), in documentation and help articles that reference external resources, in integration setup guides that link to third-party service provider websites, and in this Privacy Policy where we link to the privacy policies of our service providers.

We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policy of every website you visit. The inclusion of a link to a third-party website does not imply endorsement of that website by Dude Lemon LLC.

If you navigate to a third-party website from ReviewMankey, this Privacy Policy no longer applies. Your interactions with that website are governed by that website's own privacy policy and terms of service.

Specifically, the following third-party websites are linked from within ReviewMankey or this Privacy Policy, and each has its own privacy practices:

• Google (including Google Business Profile, Google Play Store, Google Places, and Google Account settings) — governed by Google's Privacy Policy
• Apple (App Store Connect) — governed by Apple's Privacy Policy
• Yelp — governed by Yelp's Privacy Policy
• TripAdvisor — governed by TripAdvisor's Privacy Policy
• Stripe — governed by Stripe's Privacy Policy at stripe.com/privacy
• Cloudflare — governed by Cloudflare's Privacy Policy
• xAI — governed by xAI's Privacy Policy
• Sentry — governed by Sentry's Privacy Policy
• EU supervisory authority websites — governed by each authority's own policies

We make reasonable efforts to link only to reputable websites, but we have no control over the content or privacy practices of third-party sites and expressly disclaim any responsibility for them.

ReviewMankey may include links to our social media profiles on platforms such as LinkedIn, X (formerly Twitter), and others. These links direct you to our profiles on those platforms, which are governed by the respective platform's privacy policies.

We do not embed social media widgets, share buttons, or social login features that would allow third-party social media platforms to collect data about your use of ReviewMankey. Our authentication system uses direct OAuth connections with review platforms (such as Google) as described in this policy, not social media platform login features. We do not use Facebook Pixel, Twitter Pixel, LinkedIn Insight Tag, or any other social media tracking technology within the ReviewMankey application.

If you interact with our social media profiles on third-party platforms (for example, by liking, sharing, or commenting on our posts), that interaction is governed by the platform's privacy policy, not by this Privacy Policy. We may collect aggregate metrics about engagement with our social media content (such as view counts and engagement rates) but do not collect or store personal information about individual users who interact with our social media profiles.

We recommend reviewing the privacy policies of any social media platform before interacting with content there. Each platform has its own data collection and sharing practices that are independent of and not controlled by Dude Lemon LLC.

In accordance with GDPR Article 35, we conduct Data Protection Impact Assessments (DPIAs) when introducing new processing activities that are likely to result in a high risk to the rights and freedoms of individuals. DPIAs are an integral part of our product development process and are completed before any high-risk processing activity begins.

We have conducted DPIAs for the following processing activities: the use of AI models for review content analysis and response generation, the collection of visitor data through the lead capture pixel, cross-border data transfers to the United States, and the processing of business review data that may contain personal information about reviewers.

Each DPIA includes a systematic description of the processing operations, an assessment of the necessity and proportionality of the processing, an assessment of the risks to the rights and freedoms of data subjects, and the measures we have implemented to mitigate those risks. DPIAs are reviewed and updated when there are material changes to the relevant processing activities.

If a DPIA indicates that a processing activity would result in a high risk that we cannot mitigate through reasonable measures, we will consult with the relevant supervisory authority before proceeding with the processing, as required by GDPR Article 36.

28.1 DPIA Methodology

Our DPIA methodology follows the guidelines published by the European Data Protection Board (EDPB) and includes the following steps: (1) identifying the need for a DPIA based on the nature, scope, context, and purposes of the processing, (2) describing the processing operations and their purposes in detail, (3) assessing the necessity and proportionality of the processing in relation to its purpose, (4) identifying and assessing the risks to the rights and freedoms of data subjects, (5) identifying measures to mitigate those risks, and (6) documenting the assessment and its outcomes.

We involve our privacy lead and relevant technical team members in each DPIA. Where a processing activity involves data from multiple jurisdictions, we consider the requirements of each relevant data protection law. We retain DPIA documentation for the duration of the processing activity plus 3 years, and make DPIAs available to supervisory authorities upon request.

We maintain business continuity and disaster recovery plans to ensure that your data remains available and protected even in the event of infrastructure failures, natural disasters, or other disruptive events.

Our disaster recovery strategy includes regular automated backups of all encrypted databases, with backups stored in encrypted form in geographically separated locations within our cloud infrastructure provider's network. We test our backup restoration procedures periodically to verify that backups can be successfully restored within our target recovery time.

In the event of a major outage or disaster, our recovery plan prioritizes: first, restoring platform availability so you can access your dashboard and review data; second, resuming review synchronization with connected platforms; third, restoring AI processing and notification delivery; and fourth, restoring analytics and reporting features. We aim to restore core functionality within hours of a major disruption.

Our cloud infrastructure provider (AWS) provides built-in redundancy, with data replicated across multiple storage systems within the same region. This protects against hardware failures and ensures high availability of your data during normal operations.

29.1 Data Integrity and Verification

We implement automated integrity checks to verify that data is not corrupted during storage or transmission. Our backup procedures include verification steps to confirm that backup data is complete and can be successfully restored. We maintain monitoring systems that alert us to any anomalies in data integrity, enabling rapid detection and correction of any issues.

29.2 Service Level Commitments

While we do not guarantee 100% uptime, we design our infrastructure for high availability and aim to minimize service disruptions. In the event of planned maintenance that may affect service availability, we will notify you in advance through the ReviewMankey application or via email. Our cloud infrastructure provider (AWS) provides a Service Level Agreement (SLA) for their managed services, which contributes to the overall reliability of the ReviewMankey platform.

While Dude Lemon LLC is not legally required to appoint a Data Protection Officer (DPO) under GDPR Article 37 (as we are not a public authority, our core activities do not involve large-scale systematic monitoring of individuals, and our core activities do not involve large-scale processing of special categories of data), we have designated a privacy lead who is responsible for overseeing our data protection compliance.

Our privacy lead is responsible for monitoring compliance with GDPR and other applicable data protection laws, advising on data protection impact assessments, serving as the point of contact for data subjects and supervisory authorities, training team members on data protection best practices, and reviewing and updating this Privacy Policy.

To reach our privacy lead with data protection inquiries, please visit our contact page with the subject line "Data Protection Inquiry." We aim to respond to all data protection inquiries within 5 business days.

If you are located in the European Economic Area or United Kingdom and believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the data protection supervisory authority in your country. While we encourage you to contact us first so we can address your concerns directly, we respect your right to approach your supervisory authority at any time.

Below are some of the key supervisory authorities in the EU and UK:

• France — Commission Nationale de l'Informatique et des Libertes (CNIL) — cnil.fr
• Germany — Each German state has its own supervisory authority. A list is available through the Federal Commissioner for Data Protection (BfDI) — bfdi.bund.de
• Ireland — Data Protection Commission (DPC) — dataprotection.ie
• Netherlands — Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
• Spain — Agencia Espanola de Proteccion de Datos (AEPD) — aepd.es
• Italy — Garante per la protezione dei dati personali — garanteprivacy.it
• United Kingdom — Information Commissioner's Office (ICO) — ico.org.uk

For a complete list of EU/EEA supervisory authorities, visit the European Data Protection Board (EDPB) website at edpb.europa.eu.

If you are located outside the EU/EEA and UK, you may have the right to lodge complaints with your local data protection authority. We recommend checking with your national or regional data protection authority for guidance on filing a complaint in your jurisdiction.

We take all complaints seriously and will cooperate with supervisory authorities and data protection regulators to resolve any concerns about our data practices. If a supervisory authority determines that we have violated applicable data protection law, we will take prompt corrective action to address the violation and prevent recurrence.

We are committed to making this Privacy Policy accessible to all users, including those with disabilities. This policy is published as a standard web page that is compatible with screen readers, assistive technologies, and browser accessibility features.

Our privacy policy page follows web accessibility best practices, including:

• Semantic HTML structure with proper heading hierarchy (H1, H2, H3) for screen reader navigation
• Sufficient color contrast between text and background colors that meets WCAG 2.1 Level AA standards
• Keyboard-navigable table of contents for quick access to specific sections
• Responsive design that adapts to different screen sizes and zoom levels up to 200%
• Descriptive link text that makes sense out of context for screen reader users
• No content that relies solely on color to convey information
• Readable font sizes with adequate line spacing for comfortable reading

If you have difficulty accessing or understanding any part of this Privacy Policy due to a disability or accessibility barrier, please visit our contact page and we will provide the information in an alternative format that is accessible to you. We will respond to accessibility-related requests within 5 business days.

This Privacy Policy is published in English. While we may provide translations of this policy in other languages for your convenience, the English-language version is the authoritative and legally binding version. In the event of any discrepancy between the English version and a translated version, the English version shall prevail.

If you need assistance understanding this Privacy Policy in a language other than English, please visit our contact page and we will do our best to accommodate your request.

We recognize that our users come from diverse linguistic backgrounds and we are committed to making our privacy practices understandable to all users. If there is sufficient demand for a translation in a particular language, we will consider providing an official translated version. Any such translations will be clearly marked as convenience translations with a reference to the authoritative English version.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the "Last updated" date at the top of this page.

For material changes that significantly affect how we collect, use, or share your personal data, we will provide prominent notice before the changes take effect. This notice may include an email notification to the address associated with your account, a banner or notification within the ReviewMankey application, or a prominent announcement on our website. We consider the following types of changes to be material: adding new categories of personal data collected, introducing new processing purposes, engaging new categories of third-party processors, changing our data retention periods, modifying cross-border data transfer mechanisms, and changes that reduce or alter your privacy rights.

For non-material changes (such as clarifications, formatting updates, or corrections to typographical errors), we will update the policy without separate notification beyond updating the "Last updated" date.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of ReviewMankey after a change to this policy constitutes your acceptance of the updated terms. If you do not agree with a material change, you may close your account by visiting our contact page. We will honor the previous version of the policy for any data collected before the change took effect, where doing so is legally required.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Contact: Visit our contact page
• Company: Dude Lemon LLC
• Website: https://reviewmankey.com

For privacy-specific inquiries, please use the subject line "Privacy Inquiry" so we can route your request to the appropriate team member. We aim to respond to all privacy-related inquiries within 5 business days.

For data subject access requests (DSARs), please use the subject line "Privacy Rights Request" and include: your full name, the email address associated with your account, the specific right you wish to exercise, and any relevant details that will help us locate and process your data. We will acknowledge receipt of your request within 3 business days and provide a substantive response within the timeframes required by applicable law.

If you are located in the European Economic Area and believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. While we encourage you to contact us first so we can address your concerns directly, we respect your right to approach your supervisory authority at any time. See Section 31 for supervisory authority contact information.

35.1 Response Times by Inquiry Type

We aim to respond to different types of inquiries within the following timeframes:

• General privacy questions — Within 5 business days
• Data subject access requests (GDPR) — Within 30 calendar days (extendable by up to 60 additional days for complex requests)
• Consumer rights requests (CCPA/CPRA) — Within 45 calendar days (extendable by up to 45 additional days)
• Data deletion requests — Acknowledged within 3 business days, completed within 30 calendar days
• Subprocessor objections — Within the 30-day notification period
• Security incident reports — Within 24 hours
• Accessibility requests — Within 5 business days

If we are unable to meet these response times due to the complexity of your request or a high volume of requests, we will notify you of the delay and provide an estimated completion date.