Privacy Policy

1. Data controller

The data controller is faiReview S.r.l., registered office in Lecce (Italy), VAT IT05444420755, operations in Milan (Italy).

For any request regarding personal data processing or to exercise your rights under the GDPR, contact faiReview at [email protected].

2. Scope of application

This Policy applies to personal data processing carried out by faiReview as data controller (for example Site visitor data, contact requests, Client account registration, billing and support) and also describes processing carried out by faiReview as data processor on behalf of business Clients using the Platform.

For personal data processed through the Platform on behalf of Clients (for example feedback, reviews and end-user data), the Client generally acts as data controller and faiReview as data processor under Article 28 GDPR. In such cases, the Client’s privacy notice to its own customers prevails regarding purposes and legal bases; faiReview processes such data solely according to the Client’s instructions and the Terms & Conditions of Service.

3. Types of personal data processed

Depending on your relationship with faiReview, the following categories of personal data may be processed:

• Identification and contact data: name, surname, email, phone, company name, business location.
• Account and authentication data: login credentials, OAuth tokens and Google identifiers linked to the Google Business Profile authorised by the Client.
• Platform usage data: access logs, IP address, browser and device type, pages and features used, operation timestamps.
• Feedback and review data: NPS scores, internal comments, review text, ratings, public review author information (information made public by third-party platforms), replies and related metadata.
• Billing and payment data: subscribed plan, amounts, transaction history; card payment data is processed directly by the payment provider and not stored by faiReview.
• Contact form data from the Site: name, email, business, message and processing consent.
• Site analytics data: aggregated and anonymous visit statistics collected via Google Analytics only with consent (see Cookie Policy).

4. Purposes, legal basis and retention

Personal data is processed for the purposes below, on the corresponding legal bases and for the retention periods indicated, or where not specified, for as long as necessary to fulfil the purpose and in any case within legal limits.

• Provision of the Service and account management (Art. 6(1)(b) GDPR, contract performance): for the duration of the contractual relationship and up to 24 months thereafter for administrative purposes.
• Customer support and operational communications (Art. 6(1)(b) and (f) GDPR): for the duration of the relationship and up to 24 months after termination.
• Billing, accounting and tax compliance (Art. 6(1)(c) GDPR, legal obligation): 10 years, unless different terms apply under tax law.
• Security, abuse prevention and legal protection (Art. 6(1)(f) GDPR, legitimate interest): up to 24 months from collection, unless longer retention is required for disputes.
• Direct marketing to business Clients, where applicable (Art. 6(1)(f) GDPR or consent): until objection or consent withdrawal.
• Contact form requests on the Site (Art. 6(1)(b) or (a) GDPR): up to 24 months from the request, unless a contractual relationship is established.
• Anonymous Site statistics (Art. 6(1)(a) GDPR, consent): as indicated in the Cookie Policy.
• Processing on behalf of the Client via the Platform (Art. 28 GDPR): according to the Client’s instructions and for the duration of the contract, unless different legal obligations apply.

5. GDPR roles: Controller and Processor

faiReview processes personal data in a dual capacity, depending on context:

As data controller for: Client registration and account data, billing data, communications with faiReview, Site Contact form data, Site browsing data (with consent where required) and marketing to Clients.

As data processor (Art. 28 GDPR) for: personal data entered or generated by the Client and its end users through the Platform (feedback, reviews, contacts collected with consent, authorised Google Business Profile data). In such cases, faiReview processes data solely on behalf of the Client, according to documented instructions and the Terms & Conditions of Service.

Upon request from business Clients, faiReview provides information necessary to demonstrate GDPR compliance and allows reasonable audits, subject to confidentiality and security constraints.

6. Google Business Profile and Google services

The Platform allows the Client to connect their Google Business Profile via OAuth 2.0 authentication, with express authorisation. Depending on the authorised scope, faiReview may access data such as Google Business account identifiers, location information, review text and ratings, existing replies and access tokens required for integration.

Use of data obtained via Google APIs is limited to the purposes stated in this Policy and complies with the Google API Services User Data Policy, including Limited Use requirements: Google data is not sold, used for advertising, shared with third parties for purposes other than providing the Service, or used to train general AI models unrelated to the Service.

The Client may revoke faiReview’s access to their Google Business Profile at any time from Google settings or the Platform. Upon revocation, faiReview stops accessing Google data and deletes or anonymises tokens and related data, except where legal retention obligations apply.

For more information on Google’s data processing: policies.google.com/privacy.

7. Recipients and sub-processors

Personal data may be shared with parties that process data on behalf of faiReview (processors / sub-processors), strictly as necessary to provide the Service:

• Google Cloud Platform (Google Ireland Limited / Google LLC): hosting, cloud infrastructure, databases and related services.
• Payment providers: transaction and subscription processing (e.g. Stripe or equivalent), PCI DSS compliant.
• Google Ireland Limited: Google Analytics 4 on the Site, only with consent and in anonymous mode.
• Google LLC: Google Business Profile API and OAuth services, within limits authorised by the Client.
• Technical service providers: transactional email, infrastructure monitoring, IT support, bound by contractual confidentiality and data protection obligations.
• Professional advisors, judicial or administrative authorities, where required by law.

8. Transfers to third countries

faiReview prioritises processing and storage of data within the European Union, using Google Cloud Platform infrastructure with datacenters in EU regions.

Some sub-processors (including Google LLC, based in the United States) may process data on behalf of faiReview. Such transfers take place in compliance with the GDPR, on the basis of adequacy decisions where applicable, or through appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary measures where necessary.

Updated information on transfer mechanisms adopted by Google Cloud is available in official Google Cloud documentation and the Cloud Data Processing Addendum.

9. Cloud infrastructure, security and compliance

The Service is fully hosted on Google Cloud Platform (GCP), with resources allocated in datacenters located in the European Union. The architecture is designed to ensure data residency in Europe and compliance with privacy by design and by default principles.

faiReview implements appropriate technical and organisational measures to protect personal data, including, by way of example, encryption in transit (TLS/HTTPS) and at rest, role-based access control, secure authentication, environment segregation (production, staging), periodic backups, monitoring and logging, internal security policies, training of authorised personnel and incident management procedures.

The GCP infrastructure benefits from the provider’s security certifications and standards, including ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 and SOC 2, as documented by Google Cloud. faiReview configures GCP services in compliance with applicable data protection requirements.

In the event of a personal data breach posing a risk to the rights and freedoms of data subjects, faiReview adopts measures required by the GDPR, including, where applicable, notification to the supervisory authority within 72 hours and communication to data subjects, as well as timely notification to the Client when faiReview acts as data processor.

10. Data subject rights

Under Articles 15–22 of the GDPR, you have the right to:

• access your personal data and obtain a copy;
• request rectification of inaccurate data or completion of incomplete data;
• request erasure of data (“right to be forgotten”), where applicable;
• request restriction of processing, where applicable;
• object to processing based on legitimate interest, where applicable;
• withdraw consent at any time, without affecting the lawfulness of prior processing;
• receive data in a structured format and transmit it to another controller (portability), where applicable.

11. How to exercise your rights

To exercise the rights above, write to [email protected], stating the subject of your request and providing sufficient information to identify you.

End users who left feedback through a business Client’s Platform may contact the Client (data controller) to exercise their rights. faiReview, as processor, will assist the Client in responding to requests, within technical limits.

faiReview responds to requests within one month of receipt, extendable by a further two months in complex cases, with prior notice to the data subject. Exercising rights is free of charge, except for manifestly unfounded or excessive requests.

12. Complaint to the supervisory authority

You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, garanteprivacy.it) or the supervisory authority of the EU Member State where you habitually reside, work or where the alleged infringement occurred, if you believe your personal data processing violates the GDPR.

13. Cookies and similar technologies

The Site uses cookies and similar technologies as described in the Cookie Policy available at www.faireview.app. Google Analytics is enabled only with the user’s consent and in anonymous mode. The Platform may use session technologies and local storage strictly necessary for Service operation.

14. Minors

The Service is intended for professionals and businesses. faiReview does not knowingly collect personal data from minors under 16 through the Platform. If non-compliant processing becomes known, faiReview will promptly delete such data.

15. Changes to this Policy

faiReview may update this Policy for regulatory changes, Service modifications or operational needs. The date of the last update is shown at the top of this page.

For material changes, faiReview will inform data subjects by appropriate means (for example email to registered Clients or in-Platform notice). We recommend checking this page periodically.

16. Governing law and jurisdiction

This Policy is governed by Italian law, excluding conflict-of-law rules.

Any dispute arising from this Policy or related thereto shall be subject to the exclusive jurisdiction of the Court of Lecce (Italy), without prejudice to mandatory consumer protection under Italian Legislative Decree 206/2005 (Consumer Code).

17. Prevailing language version

This Policy may be translated into other languages for convenience. In case of discrepancy, contradiction or different meaning between the Italian version and any translation, the Italian version alone shall prevail and is legally binding.