Reputafy

Reputafy / Legal

Privacy Policy

Last updated 11 May 2026

This Privacy Policy explains how VelocityNet LLC ("Reputafy", "we", "us") collects, uses, shares and protects personal data when you visit reputafy.com, sign up for an account, or use the Reputafy platform. It also describes our handling of data received from Google APIs.

1. Introduction and scope

VelocityNet LLC ("VelocityNet") is a limited liability company organized under the laws of the State of Delaware, United States. It operates the Reputafy service. Amine is our official email coordinator and the primary contact for all privacy, security, legal and operational matters. You can reach him at amine@reputafy.com.

This Policy applies to (i) the reputafy.com marketing website, (ii) the Reputafy application available at app.reputafy.com and any white-label domains we host on behalf of agency Customers, and (iii) the integrations Reputafy operates with third-party platforms such as Google Business Profile.

Reputafy is a B2B service. We do not knowingly offer the Service to individuals under the age of 18.

2. Data Controller and Data Processor roles

Under the EU General Data Protection Regulation (GDPR) and the UK GDPR, Reputafy acts in two distinct roles:

  • Data Controller — for personal data we collect directly, such as account, billing and marketing data for our website visitors, prospects and Customer administrators.
  • Data Processor under GDPR Article 28 — for Customer Content, including review data, reply data and end-user identifiers ingested from connected third-party platforms on behalf of our Customers. Each Customer is the Data Controller for their Customer Content. Our processing terms with Customers are set out in our Data Processing Addendum.

3. Information we collect

3.1 Account data

When you sign up, we collect your name, work email address, company name, role, and an account password (stored as a salted hash).

3.2 Billing data

Subscription billing is processed by Stripe, Inc. Card numbers, CVCs and bank details are sent directly to Stripe and never stored on Reputafy servers. We retain the billing email, invoicing address, VAT/tax identifier, and a payment-method token from Stripe.

3.3 Usage data

We collect logs and operational telemetry necessary to run the Service: IP address, user agent, device type, page URLs, timestamps, feature usage events, and error traces.

3.4 Customer Content

Customer Content is data ingested or generated through the Service, including reviews, ratings, reply text, location metadata, sentiment labels, and AI-drafted replies. Customer Content is processed under the Customer's instructions and the DPA.

3.5 Communications data

Support emails, chat transcripts, demo recordings (with consent), and notes from sales conversations.

4. Information received from Google APIs

Reputafy is built on official Google APIs. We do not scrape Google properties. The following disclosures are mandatory under the Google API Services User Data Policy.

When you connect a Google Business Profile location to Reputafy, we use Google APIs to access the following data from your Google account: business profile information, location metadata, reviews and review replies, questions and answers, and posts associated with the locations you explicitly authorize.
Reputafy's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We do not use Google user data to train, develop, or improve generalized or non-personalized AI/ML models. Any AI features (such as suggested replies) operate only on the specific Customer's data, on a per-request basis, and outputs are not retained for model training.
We do not sell, rent, or transfer Google user data to third parties for advertising, credit-worthiness assessment, or any unrelated purpose.
We do not allow humans to read Google user data unless: (a) we have obtained the user's affirmative agreement to view specific messages; (b) it is necessary for security purposes such as investigating abuse; (c) it is necessary to comply with applicable law; or (d) the data is aggregated and used for internal operations in compliance with applicable privacy and other jurisdictional legal requirements.

See our Google API Services User Data Disclosure for the full list of OAuth scopes we request and the purpose of each.

5. How we use information

We process personal data on the following lawful bases under GDPR Article 6:

  • Contract (Art. 6(1)(b)) — to provide the Service to our Customers, manage accounts, process payments, and operate integrations the Customer has connected.
  • Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent fraud and abuse, run product analytics, improve features, and run B2B prospecting consistent with European recital 47.
  • Consent (Art. 6(1)(a)) — for non-essential cookies and direct marketing emails to individuals who are not already customers.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and lawful information requests.

6. AI and automated processing

Reputafy offers AI features that generate suggested replies to reviews and classify sentiment and topics. These features are powered by large language models hosted by Anthropic and OpenAI, accessed via enterprise endpoints with zero data-retention configured by contract.

For each AI request we send only the minimum data needed: the review text, the location's brand-voice settings, and a small set of operator-defined examples. We do not send credentials, billing data, or unrelated Customer Content.

Customer Content is never used to train shared or generalized AI models. Brand-voice settings are scoped per tenant and never cross-pollinated. None of our AI subprocessors retain the data we send them beyond the time required to return a response.

7. Sharing of information

We share personal data with categories of recipients listed below. The current list of named subprocessors is published at /legal/subprocessors and we notify Customers 30 days in advance of any new subprocessor.

  • Subprocessors — hosting, AI providers, transactional email, customer support tooling, and product analytics.
  • Payment processors — Stripe, for subscription billing.
  • Professional advisers — accountants, auditors and legal counsel under confidentiality.
  • Law enforcement and regulators — only where we are legally compelled to disclose, and we challenge requests we believe to be overbroad.
  • Successor entities — in the event of a merger, acquisition, or asset sale, with notice to affected Customers.

8. International data transfers

Reputafy hosts production data in the European Union by default (Frankfurt and Paris). Some subprocessors are based in the United States. Where personal data leaves the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and, where applicable, the EU-US Data Privacy Framework. We carry out transfer impact assessments and apply supplementary measures including end-to-end encryption.

9. Data retention

  • Account data — retained for the lifetime of the account, deleted within 30 days of termination unless we are required to keep it for tax or accounting purposes.
  • Customer Content (including review data)— retained per the Customer's instruction in the DPA. Customers can export and delete at any time.
  • Operational logs — retained for up to 12 months for security, debugging and audit.
  • Backups — production backups are encrypted and rotated within 90 days.

10. Your rights

Depending on where you live, you have rights under the GDPR, the UK GDPR, the California Consumer Privacy Act, and equivalent laws — including the right to access, correct, delete, restrict, port and object to the processing of your personal data, as well as the right to withdraw consent and lodge a complaint with a supervisory authority.

Customers can exercise their rights directly inside Reputafy or by emailing amine@reputafy.com. End-users whose data is processed on behalf of a Customer should contact the Customer first; we will assist the Customer in responding.

11. How to revoke access to Google data

You can disconnect Reputafy from your Google account at any time:

  • Inside Reputafy — go to Settings → Connected accounts → Google Business Profile, and click Disconnect. We immediately revoke our access token and stop polling for new data from that account.
  • Inside your Google account — visit myaccount.google.com/permissions, find Reputafy in the list of third-party apps, and click Remove access.

After disconnection, Reputafy retains historical review data previously ingested for the duration set by the Customer in the DPA, and deletes it on Customer instruction.

12. Security measures

We protect data with industry-standard controls:

  • Encryption at rest with AES-256 and at transit with TLS 1.2 or higher.
  • Single-tenant logical isolation per Customer workspace.
  • Role-based access control with mandatory multi-factor authentication for all Reputafy staff.
  • Centralized audit logging of administrative actions.
  • Annual third-party penetration testing and continuous vulnerability management.
  • Background checks and confidentiality agreements for all staff.

See our Security overview for details and our vulnerability disclosure program.

13. Children's privacy

Reputafy is a B2B service and is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact amine@reputafy.com and we will delete it.

14. Changes to this policy

We may update this Policy from time to time. For material changes, we notify Customer administrators by email and display an in-app banner at least 30 days before the change takes effect. The "Last updated" date above always reflects the current version.

15. Contact and official email coordinator

All privacy, security, legal and data-protection enquiries are handled by Amine, our official email coordinator, at amine@reputafy.com. He is also our primary contact for any Google API Services compliance question.

EU and UK representative (Art. 27 GDPR): a representative will be appointed before any active solicitation of EU or UK Customers. In the meantime, EU and UK data subjects can exercise their rights directly through amine@reputafy.comand we will respond within statutory time limits.

Data Protection Officer: amine@reputafy.com