Last Updated: April 24, 2026

PRIVACY POLICY — RATEVY.PRO

Effective Date: April 24, 2026
Last Updated: April 24, 2026
Data Controller: Ratevy, operated by Sergii Kovalskyi, private individual, Poland
Operating under: Polish unregistered business activity law (działalność nierejestrowana, Art. 5, Prawo przedsiębiorców)
Contact: privacy@ratevy.pro

1. WHO WE ARE AND HOW TO CONTACT US

Ratevy ("we," "us," "our") operates the SaaS platform at ratevy.pro.

Data Controller:
Ratevy, operated by Sergii Kovalskyi
Legal status: Private individual (osoba fizyczna) conducting unregistered business activity under Art. 5 of the Polish Entrepreneurs' Law (Prawo przedsiębiorców), Poland
Tax ID (NIP): N/A — pending JDG registration
Address: Klobucka 8b/125, 02-699, Warsaw, Poland

Data Controller Contact:
Email: privacy@ratevy.pro
Response time: within 30 days of receipt

For users in the European Union: you have the right to lodge a complaint with your national supervisory authority. In Poland, this is the Urząd Ochrony Danych Osobowych (UODO) at ul. Stawki 2, 00-193 Warszawa (uodo.gov.pl).

2. SCOPE OF THIS POLICY

This Privacy Policy explains:

What personal data we collect and why
How we use and protect it
Who we share it with
How long we keep it
Your rights as a data subject

This Policy applies to all users of ratevy.pro, including users in the United States, Canada, the European Union, and Poland.

3. WHAT DATA WE COLLECT AND WHY

3.1 Data You Provide Directly

Data	Purpose	Legal Basis (GDPR)
Name	Account identification	Contract performance
Email address	Account login, reports, notifications	Contract performance
Password (hashed with Bcrypt)	Account security	Contract performance
Business name and address	Service delivery	Contract performance
Google Maps URL / Place ID	Fetching your reviews	Contract performance
Phone number (optional, Pro plan)	SMS alert delivery	Consent

3.2 Data Collected via Google OAuth

When you connect your Google Business Profile, we receive:

Your Google account name and email
Access to your Google Business Profile locations
OAuth refresh token (used to fetch reviews on your behalf)

The refresh token is encrypted using AES-256 (Fernet) before storage.
We do NOT receive or store your Google account password.

3.3 Data Collected Automatically

Data	Purpose
IP address	Security, fraud prevention, rate limiting
Browser type and version	Service compatibility
Pages visited and timestamps	Usage analytics, debugging
Session cookies	Authentication (JWT, HttpOnly)

3.4 Payment Data

Payment is processed entirely by Stripe, Inc. We do NOT store your credit card number, CVV, or full payment details. We receive from Stripe:

Stripe Customer ID
Stripe Subscription ID
Last 4 digits of card (for display only)
Payment status

3.5 What We DO NOT Collect or Store

This is our core privacy commitment:

Data	Our Handling
Raw review texts from your customers	NOT stored. Processed in memory, then discarded.
Names of your review authors	NOT stored. Stripped before AI processing.
Photos of review authors	NOT accessed or stored.
Personal data of your end customers	NOT stored. Zero retention.

Technical proof: Our database contains no table columns for storing review author names or review texts. This is a deliberate architectural decision, not a policy promise.

4. HOW WE USE ARTIFICIAL INTELLIGENCE

4.1 AI Processing Flow

Step 1: Fetch reviews from Google Business Profile API
Step 2: Strip author names (anonymization)
Step 3: Send anonymized review texts to Google Gemini API
Step 4: Receive AI analysis results (JSON)
Step 5: Store ONLY aggregated results (sentiment %, issue tags, counts)
Step 6: Discard original review data — not saved anywhere

4.2 AI Model Usage

We use Google Gemini 1.5 Flash for analysis. We do not:

Use your data to train our own AI models
Use your customers' data to train any public AI models
Share your business data with other Ratevy customers

Google's use of data submitted to Gemini API is governed by Google's API Terms of Service and Privacy Policy.

4.3 AI-Generated Content

AI-suggested responses are generated for your review and approval. You are solely responsible for any content you choose to publish.

5. HOW WE SHARE YOUR DATA

We do not sell your personal data. We share data only with the following processors, under binding data processing agreements:

Current Services

Processor	Purpose	Location	Data Shared
Google LLC	Google Business Profile API, Gemini AI, OAuth	USA (EU SCCs apply)	Anonymized review texts, OAuth tokens
Stripe, Inc.	Payment processing	USA (EU SCCs apply)	Email, billing info
time4vps UAB	VPS hosting	Lithuania (EU)	All data hosted here
ImprovMX	Inbound email routing	France (EU)	Incoming email addresses and content

Planned Services

The following services are planned for future use and will be activated upon product launch. This policy will be updated before activation.

Processor	Purpose	Location	Data Shared
Resend, Inc.	Transactional email	USA (EU SCCs apply)	Email address, report content
Twilio, Inc.	SMS notifications (Pro plan)	USA (EU SCCs apply)	Phone number, alert text
Telegram Messenger Inc.	Bot notifications (EU market)	UAE/USA	User ID, alert text

No other third parties receive your personal data unless required by law.

5.1 Legal Disclosure

We may disclose your data if required by law, court order, or governmental authority. We will notify you of such requests unless prohibited by law.

6. DATA RETENTION

Data Type	Retention Period
Account data (email, name)	Duration of account + 30 days after deletion
Google OAuth refresh token	Duration of account + immediate deletion on disconnect
Payment records	7 years (tax/accounting legal requirement)
Analysis results (aggregated)	12 months from creation, or until account deletion
Audit logs	12 months
Raw review data	Zero days — never stored
Server access logs (IP)	30 days

Upon account deletion, all personal data is permanently removed within 30 days, except payment records retained for legal compliance.

7. DATA SECURITY

We implement the following security measures:

Encryption in transit: TLS 1.3 for all connections
Encryption at rest: OAuth refresh tokens encrypted with AES-256 (Fernet)
Password hashing: Bcrypt with salt
Authentication: JWT tokens stored in HttpOnly cookies (not localStorage)
API security: Rate limiting on all endpoints
Database: No raw personal data in review-related tables
Hosting: EU-based servers (Lithuania) via time4vps

7.1 Data Breach Notification

In the event of a personal data breach, we will:

Notify affected users within 72 hours of becoming aware (GDPR Art. 33/34)
Notify the relevant supervisory authority if required
Document the breach and our response in our internal records

8. COOKIES AND TRACKING

For full details, see our Cookie Policy at ratevy.pro/cookies.html.

Summary:

Cookie	Type	Purpose	Duration
`session_token`	Essential	Authentication (JWT)	Session / 30 days
`csrf_token`	Essential	Security	Session
`_ga`	Analytics (optional)	Usage analytics	2 years

We do not use advertising or retargeting cookies. The only analytics we may use is privacy-friendly aggregate traffic analysis (e.g., no individual tracking).

9. YOUR RIGHTS

9.1 Rights for All Users

Regardless of your location, you have the right to:

Access: Request a copy of your personal data
Correction: Request correction of inaccurate data
Deletion: Request deletion of your account and all associated data
Portability: Receive your data in a machine-readable format (JSON/CSV)
Objection: Object to processing based on legitimate interests

To exercise any right: Email privacy@ratevy.pro with subject "Data Rights Request." We will respond within 30 days.

9.2 Additional Rights for EU/EEA Users (GDPR)

You have the additional right to:

Restriction of processing: Request we limit processing of your data
Withdraw consent: Withdraw any consent you have given at any time
Lodge a complaint: With your national supervisory authority

Poland — supervisory authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
Website: uodo.gov.pl

9.3 Additional Rights for California Users (CCPA/CPRA)

California residents have the right to:

Know what personal data is collected and how it is used
Delete personal data (subject to exceptions)
Opt out of the "sale" of personal data — We do not sell personal data
Non-discrimination for exercising privacy rights

To submit a CCPA request: Email privacy@ratevy.pro with subject "CCPA Request."

9.4 Additional Rights for Canadian Users (PIPEDA/Law 25)

Canadian users have rights under PIPEDA and applicable provincial laws, including rights of access and correction. Contact privacy@ratevy.pro for any requests.

10. LEGAL BASIS FOR PROCESSING (GDPR — EU/POLAND USERS)

Processing Activity	Legal Basis
Account creation and management	Art. 6(1)(b) — Contract performance
Service delivery (review analysis)	Art. 6(1)(b) — Contract performance
Payment processing	Art. 6(1)(b) — Contract and Art. 6(1)(c) — Legal obligation
Sending transactional emails	Art. 6(1)(b) — Contract performance
SMS notifications	Art. 6(1)(a) — Consent
Security and fraud prevention	Art. 6(1)(f) — Legitimate interest
Usage analytics	Art. 6(1)(f) — Legitimate interest
Tax record retention	Art. 6(1)(c) — Legal obligation

11. INTERNATIONAL DATA TRANSFERS

Our hosting is in the EU (Lithuania). However, some of our service providers (Google, Stripe, Resend, Twilio) are based in the United States.

For transfers of EU personal data to the USA, we rely on:

Standard Contractual Clauses (SCCs) adopted by the European Commission
Each provider's Data Processing Agreement (DPA)

By using the Service, you acknowledge that your data may be transferred to and processed in countries outside the EU/EEA. We take reasonable steps to ensure adequate protection in all cases.

12. CHILDREN'S PRIVACY

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact privacy@ratevy.pro and we will delete it promptly.

13. PRIVACY BY DESIGN

Our platform is built with privacy as a core architectural principle:

Data minimization: We collect only what is necessary to provide the Service
Purpose limitation: Data is used only for the stated purpose
Storage limitation: Review author data is never persisted
Technical enforcement: Database schema contains no fields for storing raw review data — making it architecturally impossible to retain this data even unintentionally

This approach is compliant with GDPR Article 25 (Data Protection by Design and by Default).

14. RECORDS OF PROCESSING ACTIVITIES (ROPA)

As required by GDPR Article 30, we maintain an internal Record of Processing Activities. This document is available to supervisory authorities upon request.

15. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. For material changes, we will:

Send an email notification at least 14 days before the change takes effect
Display a prominent notice on the dashboard

The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance.

16. CONTACT

For any privacy-related questions, requests, or complaints:

Ratevy — Data Controller
Operated by: Sergii Kovalskyi
Legal status: Private individual (osoba fizyczna), Poland
Address: Klobucka 8b/125, 02-699, Warsaw, Poland
Email: privacy@ratevy.pro
Website: ratevy.pro
Response time: within 30 days

Note on legal entity transition: This service is currently operated by a private individual under Polish unregistered activity law (działalność nierejestrowana). Upon registration of a sole proprietorship (JDG), this policy will be updated with NIP and business registration details. Users will be notified of any such change.

← Back to Home

Version 1.0 | Effective: April 24, 2026 | Last Updated: April 24, 2026 | Questions? Contact us