
Privacy Policy

Effective date: June 10, 2026

Section 1. Introduction and Scope

1.1 Rhody Reviews is a software-as-a-service product operated by Own The Box Marketing LLC, a Rhode Island limited liability company with its principal place of business at 29 Hunters Ct, Saunderstown, RI 02874 (referred to in this Privacy Policy as "Rhody Reviews," "we," "us," or "our," solely for the purposes of this legal notice).

1.2 This Privacy Policy describes the categories of personal data Rhody Reviews collects, the purposes for which the data is processed, how the data is stored and protected, with whom the data is shared, how long the data is retained, the rights available to data subjects, and the procedures Rhody Reviews follows when a security incident affects personal data.

1.3 This Privacy Policy applies to the website at rhodyreviews.com, the Rhody Reviews web application and customer dashboard, the Rhody Reviews messaging infrastructure (SMS and email), and any related services that link to this Privacy Policy.

1.4 Rhody Reviews serves business customers located in the United States. The product is not directed to consumers outside the United States, and the product is not directed to children under thirteen (13) years of age.

Section 2. Categories of Personal Data Collected

2.1 Business owner data. When a business creates an account, Rhody Reviews collects the account holder's name, business name, business website, business email address, business mailing address (optional), business phone number (optional), authentication credentials, billing contact information, and payment-method metadata returned by Stripe (such as the last four digits of a payment card and the card brand). Rhody Reviews does not store full payment card numbers.

2.2 End-customer data uploaded by the business. To send review requests on the business's behalf, the business uploads contact records for past customers with whom the business has an established business relationship. These records typically include the past customer's first name, mobile phone number, email address, the approximate date of the past transaction, and an internal reference identifier supplied by the business.

2.3 Google Business Profile data. With the business's authorization through Google OAuth, Rhody Reviews accesses the business's own Google Business Profile metadata, the public review content posted to that profile, and (where the business has enabled the optional question-and-answer monitoring feature on the Pro tier) the public Q&A content on that profile. Rhody Reviews does not access any Google account data outside the business's own Google Business Profile.

2.4 Communications metadata. Rhody Reviews records the date, time, recipient phone number or email address, message body, delivery status, and opt-out status for every SMS and email message that Rhody Reviews sends through the platform. This record is retained as part of the audit log described in Section 6.

2.5 Usage data. Rhody Reviews collects standard web-application usage data including IP address, browser type, operating system, pages viewed, features used, and session duration, for the purposes of security, fraud prevention, and product improvement.

2.6 Sensitive categories not collected. Rhody Reviews does not knowingly collect health information, financial account credentials (other than payment-method metadata returned by Stripe), government identification numbers, biometric identifiers, precise geolocation, or information about racial or ethnic origin, religious beliefs, political opinions, sexual orientation, union membership, or other categories typically classified as sensitive personal information under applicable law.

2.7 Healthcare exclusion. Rhody Reviews is not designed for and does not accept customers in the healthcare provider category. Rhody Reviews does not maintain HIPAA-compliant infrastructure and does not enter into Business Associate Agreements.

Section 3. Purposes of Processing

3.1 Rhody Reviews processes the categories of personal data described in Section 2 for the following purposes:

(a) to create, authenticate, and maintain the business's account;
(b) to send review-request messages on the business's behalf, by SMS or email, to the past customers identified by the business;
(c) to monitor the business's own Google Business Profile, Yelp, and Facebook pages for new public reviews and (on the Pro tier) public questions;
(d) to generate suggested reply drafts using artificial intelligence, which the business reviews and approves before any reply is posted publicly;
(e) to display dashboards, analytics, and reports to the business;
(f) to process payments and manage subscriptions;
(g) to provide customer support;
(h) to detect, prevent, and respond to security incidents, abuse, and fraud;
(i) to comply with legal obligations including the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, the Federal Trade Commission's Trade Regulation Rule on the Use of Consumer Reviews and Testimonials (16 CFR Part 465), and applicable state laws;
(j) to improve the product, subject to Section 4.

Section 4. Artificial Intelligence Processing

4.1 Rhody Reviews uses the Anthropic Claude family of artificial intelligence models to generate suggested reply drafts to public reviews and (on the Pro tier) suggested answers to public questions.

4.2 All artificial-intelligence-generated content is presented to the business as a draft for human review. The business is solely responsible for reviewing, editing, approving, or rejecting each draft before it is posted publicly. Rhody Reviews does not auto-post any artificial-intelligence-generated content. This is a permanent product policy.

4.3 The content sent to Anthropic for processing consists of the public review or question text, the business's prior reply patterns (where the business has elected to enable voice-tuning), and minimal context required to generate a relevant draft. End-customer personal contact information (phone numbers, email addresses, full names) is not sent to Anthropic.

4.4 Rhody Reviews relies on Anthropic's published data-use commitments, which prohibit the use of customer inputs to train Anthropic's general models. The business should consult Anthropic's privacy policy at anthropic.com for the current commitments applicable to data processed by Claude.

Section 5. Storage, Security, and Tenant Isolation

5.1 Personal data is stored in a managed PostgreSQL database operated by Supabase Inc., hosted in the AWS us-east-1 region in the United States.

5.2 Per-tenant isolation is enforced at the database layer through PostgreSQL Row-Level Security policies, in addition to application-layer scoping. Each business's data is isolated from every other business's data by default; cross-tenant access is blocked at the database level.

5.3 Google OAuth refresh tokens are encrypted at rest in Supabase Vault and are used only to access the issuing business's own Google Business Profile.

5.4 Data in transit is encrypted using industry-standard TLS.

5.5 Authentication is provided by Supabase Auth and uses industry-standard password hashing and session management practices.

5.6 Rhody Reviews maintains an audit log of administrative actions, message sends, consent capture events, opt-out events, and review-reply approvals, as described in Section 6.

Section 6. Data Retention

6.1 Account and customer data. Personal data described in Sections 2.1 and 2.2 is retained for the duration of the business's active subscription, plus a reasonable wind-down period of up to ninety (90) days after cancellation to permit data export and account-recovery requests.

6.2 Audit log. The audit log described in Section 5.6 is retained for a minimum of four (4) years from the date of the logged event. This retention period is set to satisfy the four-year statute of limitations applicable to claims under the Telephone Consumer Protection Act.

6.3 Backups. Database backups are retained on a rolling basis for up to thirty-five (35) days, consistent with Supabase's standard backup configuration.

6.4 Communications metadata. Communications metadata described in Section 2.4 is retained as part of the audit log under Section 6.2.

6.5 Anonymized aggregates. After the retention periods above, Rhody Reviews may retain anonymized aggregate statistics that cannot reasonably be linked to an identifiable individual, for the purposes of product analytics and benchmarking.

Section 7. Third-Party Processors

7.1 Rhody Reviews relies on the following third-party data processors. Each processor is contractually obligated to process personal data only as instructed by Rhody Reviews and consistent with its own published privacy commitments.

(a) Supabase Inc. -- database, authentication, and storage. https://supabase.com/privacy
(b) Stripe, Inc. -- payment processing and subscription management. https://stripe.com/privacy
(c) Twilio Inc. -- SMS delivery, including 10DLC registered campaign infrastructure. https://www.twilio.com/legal/privacy
(d) Sendinblue SAS d/b/a Brevo -- transactional and outbound email delivery. https://www.brevo.com/legal/privacypolicy/
(e) Anthropic PBC -- artificial intelligence draft generation. https://www.anthropic.com/legal/privacy
(f) Google LLC -- Google Business Profile API access, through customer-authorized OAuth. https://policies.google.com/privacy

7.2 The list above represents the principal data processors as of the effective date of this Privacy Policy. The list may change as the product evolves. Rhody Reviews will update this Privacy Policy when material changes are made.

Section 8. Disclosures and Legal Process

8.1 Rhody Reviews does not sell personal data and does not share personal data with third parties for the third party's own marketing purposes.

8.2 Rhody Reviews may disclose personal data when required to do so by valid legal process, by lawful request from a governmental authority, to enforce its Terms of Service, to investigate or prevent fraud or abuse, to protect the rights, property, or safety of Rhody Reviews, its customers, or others, or in connection with a merger, acquisition, or sale of all or substantially all of the assets of Own The Box Marketing LLC, subject to the requirement that the successor entity assume the obligations of this Privacy Policy.

8.3 Mobile opt-in and SMS consent data. Mobile phone numbers, SMS opt-in information, and SMS consent records are never sold, rented, leased, or shared with any third party for that third party's own marketing or promotional purposes. This information is used only to deliver the review-request and follow-up text messages the recipient consented to receive, and to maintain the consent and opt-out audit records required by law. Rhody Reviews shares this information only with the SMS infrastructure provider (Twilio) strictly as necessary to deliver those messages, as described in Section 7.

8.4 No third party receives mobile opt-in or SMS consent information from Rhody Reviews for its own use. Text-message traffic carries no promotional or marketing content; every message relates only to a recent service the recipient received from the sending business.

Section 9. Data Subject Rights

9.1 Rights of the business account holder. The business account holder may, at any time:

(a) access the personal data Rhody Reviews holds about the business and the account holder;
(b) request correction of inaccurate personal data;
(c) request deletion of the account and associated personal data, subject to the audit-log retention requirement in Section 6.2;
(d) export account data in a machine-readable format;
(e) opt out of non-transactional marketing communications from Rhody Reviews.

9.2 Rights of end customers (the past customers contacted by Rhody Reviews on the business's behalf). End customers may, at any time:

(a) opt out of SMS messages by replying STOP to any SMS sent through Rhody Reviews, which immediately and permanently halts further SMS to that number through any client of Rhody Reviews using the same outbound number, and propagates through Rhody Reviews's audit log within 24 hours;
(b) opt out of email messages by clicking the unsubscribe link in the footer of any email sent through Rhody Reviews;
(c) contact Rhody Reviews directly at [email protected] to request access to, correction of, or deletion of the personal data Rhody Reviews holds about the end customer.

9.3 California residents. Residents of California have the rights afforded by the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the right to know the categories and specific pieces of personal information collected, the right to delete, the right to correct, the right to opt out of the sale or sharing of personal information (which Rhody Reviews does not engage in), the right to limit the use of sensitive personal information (which Rhody Reviews does not collect), and the right to be free from discrimination for exercising these rights. To exercise these rights, contact [email protected].

9.4 Residents of other states with similar privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as their laws come into effect) have analogous rights and may contact [email protected] to exercise them.

9.5 European Economic Area, United Kingdom, and Swiss residents. Rhody Reviews does not target customers in the European Economic Area, the United Kingdom, or Switzerland. To the extent personal data of an EEA, UK, or Swiss resident is incidentally processed (for example, an end customer of a US-based business who happens to reside in Europe), Rhody Reviews will, on request, honor the rights of access, rectification, erasure, restriction, portability, and objection consistent with the principles of the EU General Data Protection Regulation and the UK GDPR.

9.6 Response timing. Rhody Reviews will respond to verifiable rights requests within forty-five (45) days, with one possible forty-five (45) day extension where reasonably required.

Section 10. Cookies and Tracking

10.1 The rhodyreviews.com marketing website uses only strictly necessary cookies and does not deploy third-party advertising or cross-site tracking cookies.

10.2 The authenticated Rhody Reviews dashboard uses session cookies necessary to maintain the business account holder's signed-in state. These cookies are first-party, are not shared with any third party, and are deleted when the account holder signs out or the session expires.

10.3 The Rhody Reviews embeddable review widget, which businesses may install on their own websites under the Starter or Pro tier, does not set tracking cookies on the end customer's browser.

Section 11. Children's Data

11.1 Rhody Reviews is a business-to-business product directed at small businesses. The product is not directed to children under thirteen (13) years of age, and Rhody Reviews does not knowingly collect personal data from children under thirteen.

11.2 If Rhody Reviews becomes aware that personal data of a child under thirteen has been collected, Rhody Reviews will delete that data promptly.

11.3 Rhody Reviews instructs business customers not to upload contact records for individuals known to be under thirteen years of age.

Section 12. Data Breach Notification

12.1 If Rhody Reviews becomes aware of a security incident that has resulted in, or is reasonably likely to have resulted in, unauthorized access to or acquisition of personal data, Rhody Reviews will investigate the incident, take steps to contain and remediate it, and notify affected business customers without unreasonable delay and in no event later than seventy-two (72) hours after Rhody Reviews has confirmed the incident, except where law enforcement requests a delay or where notification within that window would impede the investigation.

12.2 The business customer is responsible for notifying affected end customers and applicable regulators, consistent with applicable law and the customer's own privacy commitments to its customers. Rhody Reviews will provide reasonable cooperation and the information the business customer needs to make those notifications.

12.3 Rhody Reviews maintains an incident response procedure that defines roles, communications, evidence preservation, and post-incident review.

Section 13. International Transfers

13.1 Rhody Reviews processes personal data exclusively in the United States. Personal data is not intentionally transferred outside the United States.

Section 14. Changes to This Policy

14.1 Rhody Reviews may update this Privacy Policy from time to time. When material changes are made, Rhody Reviews will update the effective date at the top of this Privacy Policy and provide notice to the business account holder by email or through the dashboard at least thirty (30) days before the changes take effect.

14.2 Continued use of the service after the effective date of a material change constitutes acceptance of the updated Privacy Policy.

Section 15. Contact Information

15.1 Privacy questions and requests: [email protected]

15.2 Legal notices, including notices required by this Privacy Policy or by applicable law:
Own The Box Marketing LLC
Attn: Legal Notices -- Rhody Reviews
29 Hunters Ct
Saunderstown, RI 02874
[email protected]

15.3 General product support: [email protected]

End of Privacy Policy.

Version 1.0 / Effective June 10, 2026 / Own The Box Marketing LLC.
