ThankYouReview← Back to site

ThankYouReview Privacy Policy

Effective Date: April 23, 2026 Last Updated: April 25, 2026

1. Introduction

This Privacy Policy ("Policy") describes how ANTI-WEAR LLC, a Wyoming limited liability company, doing business as ThankYouReview ("ThankYouReview", "we", "us", or "our") collects, uses, discloses, and protects personal information when you use our website, web application, APIs, and related services (collectively, the "Service").

This Policy applies to two distinct groups:

  • Customers — the business owners, employees, and authorized users who create ThankYouReview accounts and use the Service to send review requests.
  • Recipients — the end consumers of our Customers' businesses who receive SMS review-request messages originating from the Service.

Different sections of this Policy apply to each group. Where relevant, we have labeled sections accordingly.

Our Role with Respect to Recipient Data. With respect to Recipient Data (as described in Section 3), ThankYouReview acts as a "service provider" as that term is defined under the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"), and as a "processor" under other US state comprehensive privacy laws. The Customer who uploads Recipient Data is the "business" or "controller". We process Recipient Data only at the Customer's instruction and for the purposes described in these documents. With respect to Customer Data, we act as the "business" or "controller".

By using the Service, you consent to the collection and use of information in accordance with this Policy. If you do not agree, do not use the Service.

This Policy is incorporated by reference into our Terms of Service and should be read together with our SMS Disclosure.

2. Information We Collect — Customers

When you sign up for or use the Service as a Customer, we collect:

2.1 Account Information

  • Full name
  • Business name
  • Email address
  • Password (stored as a salted hash — we never see your plain-text password)
  • Phone number (for account verification and urgent support contact)
  • Time zone and locale preferences

2.2 Billing Information

  • Billing address
  • Stripe customer ID and subscription ID (we do not store credit card numbers, CVVs, or bank account numbers — those are stored by Stripe, our PCI-compliant payment processor)
  • Billing history, invoice records, and refund history

2.3 Business Profile Information

  • Business category and industry
  • Google Business Profile URL or place ID
  • A2P 10DLC brand and campaign registration data (legal business name, Employer Identification Number (EIN) or equivalent tax ID, industry classification, website URL, business address, and authorized-signer contact information). This information is collected because US wireless carriers require it for A2P 10DLC brand registration, and we process it on your behalf as part of the Service. An EIN is a business identifier — it is not a Social Security Number and is not treated as sensitive personal information under CCPA/CPRA.
  • Custom review-request message templates you create

2.4 Usage and Technical Information

  • IP address, browser type, device type, operating system, and general geolocation (city-level, derived from IP)
  • Log data including pages visited, features used, timestamps, referrer URLs, and error events
  • Cookie and session identifiers (see Section 6)
  • Product-analytics events (e.g., button clicks, feature activations) — only if you have not opted out

2.5 Communications

  • Messages you send to our support team (email, in-app chat)
  • Responses to product surveys, churn surveys, and feedback requests
  • Any files, screenshots, or attachments you voluntarily send

2.6 Compliance and Audit Records

  • Records of your acceptance of our Terms, this Policy, and the SMS Disclosure, including timestamp and IP address
  • TCPA consent attestations you submit when uploading or adding Recipient contact information (required for our SMS compliance audit trail)

3. Information We Collect — Recipients

When you are a Recipient (an end consumer of a business that uses ThankYouReview), the Customer is the party that collected your information and asked us to process it on their behalf.

Information we process about Recipients is limited to:

  • Phone number (mobile)
  • First name (optional, if provided by the Customer)
  • Associated Customer / business
  • SMS delivery metadata — message timestamps, delivery status (queued, sent, delivered, failed, bounced), carrier response codes
  • Opt-out status and timestamp (if you reply STOP or use the opt-out link)
  • Message content (the review-request template the Customer adopted or composed, with mechanical substitution of name, business, and review link)

We do not collect from Recipients:

  • Email addresses
  • Payment information
  • Browsing history
  • Location beyond what is inherent to SMS routing

If you are a Recipient and want your data removed, the fastest method is to reply STOP to any message. You may also contact us at hello@thankyoureview.com and we will work with the sending Customer to resolve your request. See Section 10 for your rights.

4. How We Use Information

4.1 To provide the Service (contract performance):

  • Create and maintain your account
  • Process payments and subscriptions through Stripe
  • Register your brand and campaign with US wireless carriers (A2P 10DLC)
  • Route SMS messages through our messaging provider
  • Display dashboards, reports, and activity history
  • Send transactional emails (receipts, password resets, A2P status updates, activation nudges, delivery alerts)

4.2 To operate and improve the Service (legitimate interest):

  • Monitor performance, diagnose bugs, and prevent abuse
  • Rate-limit to prevent spam and protect messaging reputation
  • Analyze aggregated, de-identified usage patterns to prioritize features
  • Detect and prevent fraud, account takeover, and TCPA violations

4.3 To communicate with you (legitimate interest / consent):

  • Respond to support requests
  • Send product updates, tips, and announcements (you can opt out of non-essential email at any time)
  • Send surveys, including churn exit surveys when you cancel

4.4 To comply with law (legal obligation):

  • Respond to lawful subpoenas, court orders, and government requests
  • Maintain TCPA consent records, A2P registration records, and carrier-required audit logs
  • Retain financial records as required by tax law

4.5 We do NOT:

  • Sell personal information to third parties
  • "Share" personal information for cross-context behavioral advertising (as those terms are defined under California law)
  • Use Recipient phone numbers for any purpose other than delivering messages our Customers have asked us to send
  • Rent, trade, or broker Customer or Recipient data
  • Use personal information to train any artificial intelligence or machine-learning foundation model. Our outbound SMS pipeline contains no generative AI — it performs only deterministic variable substitution into Customer-selected templates. Our review-reply assistant (described in Section 4.6) does use a third-party large language model to draft suggested replies to inbound public reviews, but the model provider is contractually prohibited from training on our data, and no Recipient phone numbers, contact lists, or Customer Account credentials are sent to the model.

4.6 AI-Drafted Replies to Public Reviews. As an optional feature, the Service can suggest reply drafts to public reviews left on a Customer's Google Business Profile. To generate a draft, the Service sends the following to our AI sub-processor (Anthropic, PBC — see Section 5): the public review text, the public review rating, the reviewer's public display name (as shown on Google), the Customer's business name, and the Customer's brand-voice settings (tone, sign-off, optional signature phrase). We do not send Recipient phone numbers, Customer email addresses, billing data, or any non-public information. Drafts are generated on demand, returned to the Customer for review, and the Customer decides whether to publish each reply. The AI provider operates under a zero-retention, no-training data-processing agreement: prompts and outputs are not used to train or fine-tune any model and are not retained beyond operational logging windows required for abuse monitoring. If a Customer enables the optional auto-publish feature for a given star rating, drafts are still generated by the same AI pipeline and the Customer remains the publisher of record (see Terms of Service Section 6A).

4.7 Google API Services User Data — Limited Use. ThankYouReview's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, when a Customer connects their Google Business Profile to the Service, we access Google API data solely to (a) display the Customer's reviews inside their ThankYouReview dashboard, (b) generate AI-assisted reply drafts at the Customer's request as described in Section 4.6, and (c) post replies the Customer has explicitly approved (or pre-authorized via auto-reply settings) back to Google on the Customer's behalf. We do not use Google user data for serving advertisements, do not transfer it to third parties for any purpose other than the sub-processors listed in Section 5 (each of whom is bound by Limited Use-equivalent restrictions or operates under our written instruction), do not allow humans to read it except (i) with the Customer's affirmative agreement for support purposes, (ii) for security investigations, abuse, or fraud, or (iii) to comply with applicable law, and do not sell, rent, or disclose it. Google user data is encrypted in transit and at rest and is deleted in accordance with Section 7.

5. Subprocessors — Who We Share Data With

We engage the following vendors ("Subprocessors") to help deliver the Service. Each is contractually required to protect data at least as well as we do.

SubprocessorPurposeData ProcessedLocation
Supabase (Supabase, Inc.)Database, authentication, file storageAll Customer data, Recipient data, session dataUnited States
Vercel (Vercel, Inc.)Application hosting, edge networkRequest logs, IP addresses, session dataUnited States (global edge)
Stripe (Stripe, Inc.)Payment processing, subscription billingBilling information, payment card data (we don't see it)United States
Twilio (Twilio Inc.)SMS delivery, A2P 10DLC registrationRecipient phone numbers, message content, delivery metadata, brand/campaign registration dataUnited States
Postmark (ActiveCampaign, LLC)Transactional email deliveryCustomer email address, email contentUnited States
Sentry (Functional Software, Inc.)Error monitoring and debuggingError stack traces, limited request metadata, IP addressUnited States
UptimeRobot (Stichting UptimeRobot)Uptime and health-check monitoringHealth endpoint ping results onlyNetherlands
Inngest (Inngest Inc.)Background job schedulingJob payloads (may include user IDs and message IDs, not content)United States
Google (Alphabet Inc. / Google LLC)Google Places lookup, Google Business Profile review read/reply, OAuthCustomer-entered place IDs and business URLs; OAuth tokens; public review content; Customer-authored reply textUnited States
Anthropic (Anthropic, PBC)Generating AI-drafted reply suggestions for public reviewsPublic review text + rating + reviewer display name; Customer business name; Customer brand-voice settingsUnited States

We may update this list from time to time. Material changes to our subprocessor list will be reflected here and, for significant changes, communicated by email.

Beyond Subprocessors, we may disclose information when:

  • Required by law — in response to a valid subpoena, warrant, court order, or government investigation.
  • To protect rights and safety — to investigate fraud, security issues, TCPA violations, or threats to our rights, property, or safety or that of Customers, Recipients, or the public.
  • With your consent — when you explicitly direct us to share information (e.g., integrating a third-party app).
  • In a business transfer — in connection with a merger, acquisition, financing, or sale of all or substantially all of our assets, subject to confidentiality commitments and notice to you.

We do not disclose data to data brokers, advertisers, or analytics networks that would use the data for their own purposes.

5.1 Google OAuth Tokens and Connected Account Data

When a Customer connects a Google Business Profile to the Service via Google OAuth, Google issues us a short-lived access token and a long-lived refresh token scoped to the permissions the Customer expressly granted (read reviews, reply to reviews, identify the connected account). We:

  • Store the access and refresh tokens in our encrypted production database, scoped to the Customer's organization and accessible only to that organization's authorized users via row-level security policies;
  • Use the tokens solely to perform the actions described in Section 4.6 and Section 4.7;
  • Never share, sell, or transfer the tokens to any third party outside the sub-processors listed in Section 5;
  • Refresh tokens automatically when they expire and rotate them upon a security event;
  • Revoke and delete the tokens, plus any cached Google review content, within thirty (30) days when the Customer (a) disconnects the Google integration from Settings, (b) closes their account, or (c) revokes our access from https://myaccount.google.com/permissions. Cached review content may persist in encrypted backups for up to thirty-five (35) days before backup rotation overwrites it (see Section 7).

If you are a Customer and want to immediately disconnect ThankYouReview from your Google account, the fastest method is to revoke our access via Google's third-party app permissions page linked above.

6. Cookies and Tracking

We use a minimal set of cookies and similar technologies:

  • Strictly necessary cookies — session authentication, CSRF protection, load balancing. These cannot be disabled without breaking the Service.
  • Functional cookies — your preferences (language, dashboard view). You can clear these in your browser at any time.
  • Analytics — we use privacy-respecting product analytics on the logged-in app only, with no cross-site tracking. If we ever add third-party analytics with cross-site tracking, we will update this Policy and offer an opt-out.

We do not use advertising cookies, retargeting pixels, or cross-site fingerprinting.

Most browsers accept cookies automatically. You can set your browser to refuse cookies or to alert you when cookies are being sent. Blocking strictly-necessary cookies will prevent login.

We honor the Global Privacy Control (GPC) signal as a valid opt-out of "sale" and "sharing" under California law — though, as noted, we do not sell or share in the first place.

7. Data Retention

We retain personal information only as long as necessary to deliver the Service and meet legal obligations:

  • Customer Account Data — retained for the life of your account, and up to 90 days after account deletion for dispute resolution and fraud prevention. After that, most data is permanently deleted or irreversibly de-identified.
  • Recipient Contact Records — retained while the sending Customer remains active. Deleted within 90 days of the Customer closing their account, unless an overriding legal obligation applies (e.g., an active consent dispute or subpoena).
  • Message Delivery Logs — retained for 12 months for troubleshooting, carrier dispute resolution, and spam reports.
  • Google OAuth Tokens — retained while the Google integration remains connected. Deleted within 30 days of disconnection, account closure, or revocation by the Customer at https://myaccount.google.com/permissions. Tokens are also revoked with Google upon deletion where technically feasible.
  • Cached Google Review Content & Reply History — retained while the Google integration remains connected, plus 90 days for audit and dispute resolution. Public review text and reply text the Customer published may be retained longer in aggregated, de-identified form for product analytics.
  • AI Reply-Draft Prompts and Outputs — operational logs of AI prompts and the resulting drafts are retained for up to 30 days for abuse monitoring and quality review, then deleted. Anthropic does not retain prompts or outputs to train its models.
  • TCPA Consent & Attestation Records — retained for four (4) years from collection, to match the federal TCPA statute of limitations. This retention is required to defend consent claims.
  • Opt-Out Records (STOP requests) — retained indefinitely, because we must honor opt-outs permanently even after account deletion.
  • Billing & Financial Records — retained for seven (7) years to comply with US tax and accounting law.
  • Security, Audit, and Error Logs — retained for 12 months then rotated out.

Backups. Encrypted backups may retain data beyond these windows for up to 35 days (our database point-in-time recovery window) before being overwritten. We cannot selectively delete individual records from encrypted backups; records are removed when the backup cycle naturally rotates.

8. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • TLS encryption in transit for all connections
  • Encryption at rest for our databases
  • Role-based access controls with row-level security policies
  • Multi-factor authentication on admin accounts
  • Secret rotation for API keys and service tokens
  • Least-privilege service accounts for Subprocessors
  • Centralized error monitoring via Sentry
  • Automated uptime and health monitoring
  • Regular dependency and vulnerability patching

No system is 100% secure. If we become aware of a security incident affecting your personal information, we will notify affected individuals and, where required, regulators in accordance with applicable state breach notification laws — generally without unreasonable delay.

9. Children

The Service is intended for business users aged 18 and over. We do not knowingly collect personal information from children under 13 (or under 16 where local law imposes a higher age), and our Customers represent and warrant in the Terms that they will not send review requests to anyone they know to be under 18. If you believe a child has provided us with personal information, contact us at hello@thankyoureview.com and we will promptly delete it.

10. Your Privacy Rights

Depending on where you live, you may have some or all of the following rights:

  • Right to Know / Access — confirm whether we process your data and request a copy.
  • Right to Correct — request correction of inaccurate data.
  • Right to Delete — request deletion, subject to legal retention requirements (Section 7).
  • Right to Opt Out of Sale or Sharing — we do not sell or share, but you can confirm this.
  • Right to Limit Use of Sensitive Personal Information — we do not use sensitive categories in ways that would trigger this right, but you can exercise it defensively.
  • Right to Portability — receive your data in a portable format.
  • Right to Non-Discrimination — we will not deny service or charge different prices for exercising these rights.

How to exercise these rights:

  • If you are a Customer: email hello@thankyoureview.com from the email address on your account. We will verify your identity (usually by replying from the account email) and respond within 45 days, extendable to 90 days where the request is complex.
  • If you are a Recipient: reply STOP to any message to opt out immediately. To request deletion of your information from a specific business's contact list, contact the business directly — they are the data controller. For escalations, email hello@thankyoureview.com with the business name and the phone number in question; we will coordinate with the Customer.

We may decline requests that are manifestly unfounded, excessive, or that we cannot verify. Where we decline, we will tell you why.

Appeal. If we deny your request, you may appeal by replying to our denial email within thirty (30) days and briefly stating why you believe the denial was incorrect. We will respond to appeals within sixty (60) days of receipt. If your appeal is denied, we will inform you of your right to complain to your state attorney general or, in applicable states, to the relevant privacy enforcement authority.

You may appoint an authorized agent to submit a request on your behalf. We may require proof of authorization.

11. California-Specific Disclosures (CCPA / CPRA)

This section supplements Section 10 for California residents.

Categories of personal information collected in the past 12 months:

  • Identifiers (name, email, phone number, IP address, account ID, Google OAuth subject identifier for connected Customer accounts)
  • Customer records (billing address, payment processor identifiers)
  • Commercial information (subscription history, feature usage)
  • Internet / network activity (log data, cookies, device data)
  • Geolocation (city-level from IP only)
  • Professional or employment info (business role, business name)
  • Public-facing user-generated content from Google (public review text, public reviewer display names, star ratings, and Customer reply text — all already public on the Customer's Google Business Profile)
  • Inferences (aggregate behavioral segments used only to improve the Service)

Sources: directly from you, from Subprocessors who provide data back to us (e.g., Twilio delivery status), from Customers (for Recipient data), and automatically from your device.

Business purposes: as described in Section 4.

"Sale" or "Sharing": we do not sell or share personal information. We have not done so in the past 12 months.

Sensitive personal information: we do not collect government-issued identifiers (such as Social Security Numbers), precise geolocation, racial or ethnic data, religious beliefs, union membership, genetic data, biometric identifiers for identification, health, sex life, or sexual orientation data. A2P registration data includes an Employer Identification Number (EIN) for the Customer's business entity — this is a business identifier issued for federal tax filing and is not classified as sensitive personal information under CCPA/CPRA.

Retention: see Section 7.

California residents may exercise all rights described in Section 10, including the appeal process.

12. International Users

The Service is currently operated from and primarily intended for users in the United States. If you access the Service from outside the US, you understand that your information will be transferred to, stored, and processed in the US. US data protection laws may differ from those of your jurisdiction.

We currently do not target users in the European Economic Area, United Kingdom, or Switzerland. If we expand to those markets, we will add a GDPR / UK-GDPR / FADP addendum, designate an EU representative if required, and implement Standard Contractual Clauses for international transfers.

13. Do Not Track

Our Service does not respond to Do Not Track (DNT) signals. We do honor the Global Privacy Control (GPC) signal (see Section 6).

14. Changes to This Policy

We may update this Policy from time to time. When we do:

  • We will update the "Last Updated" date at the top.
  • For material changes (e.g., new categories of data, new purposes, new Subprocessors with meaningfully different data practices), we will provide at least 30 days' advance notice by email to account owners and/or a prominent in-app notice.
  • Your continued use of the Service after the effective date of the updated Policy constitutes acceptance.

If you object to changes, your remedy is to close your account before the effective date.

15. Contact

Questions, requests, or complaints about this Policy or our data practices:

ANTI-WEAR LLC, d/b/a ThankYouReview Email: hello@thankyoureview.com Mailing address: 30 N Gould St, Ste N, Sheridan, WY 82801

Questions about this document? Email hello@thankyoureview.com.