Privacy Policy
Effective 22 May 2026.
This Privacy Policy explains how ReviewKit (“ReviewKit”, the “Service”, “we”, “us”, or “our”) collects, uses, stores, and shares personal data.
ReviewKit is operated by Andy Shephard.
Contact: me@andyshephard.com
Jurisdiction: Czech Republic
For the purposes of the General Data Protection Regulation (“GDPR”), we are the controller of the personal data described in this Privacy Policy, unless stated otherwise. The Czech supervisory authority is the Úřad pro ochranu osobních údajů, the Czech Data Protection Authority.
1. Summary
ReviewKit helps users analyse publicly available product reviews, posts, and discussion threads.
We collect only the data needed to operate the Service, provide accounts and paid plans, enforce rate limits, store analyses for signed-in users, process payments, prevent abuse, and respond to support or legal requests.
- We do not sell your personal data.
- We do not use third-party advertising trackers.
- We do not track your activity across unrelated websites.
- We do not store your payment card number on our servers.
- We do not store passwords; authentication is handled by Clerk.
2. Personal data we collect
Account data
For signed-in users, we collect and store:
- email address;
- Clerk-issued user ID;
- account status;
- account creation and update information;
- login/session-related identifiers provided by Clerk where needed for account operation.
We use this data to create and maintain your account, identify you across sessions, provide saved analyses, manage access to paid features, and provide support.
Billing data
For paid users, we collect and store limited billing-related data, such as:
- Stripe customer ID;
- Stripe subscription ID, where applicable;
- subscription status;
- plan type;
- billing period information;
- payment status;
- purchase or cancellation metadata.
Stripe processes payment details. We do not store your full payment card number on our servers.
Usage data
We collect usage data related to your use of the Service, including:
- analyses you run;
- product names or product URLs you submit;
- generated themes, summaries, reports, and outputs;
- number of analyses performed;
- timestamps of analyses;
- feature usage, such as exports or saved reports;
- basic technical logs needed to operate, debug, and secure the Service.
For paid signed-in users, stored analyses are retained for 90 days after creation unless deleted earlier.
Free signed-in users may run analyses but those results are not retained in saved account records.
Rate-limit data
We use per-user daily counters to enforce free- and paid-tier rate limits on analysis runs and discovery requests.
Counters reset every 24–36 hours.
Support and communication data
If you contact us, we may process:
- your email address;
- your message;
- information you choose to include;
- metadata needed to respond to your request.
We use this data to respond to questions, support requests, cancellation questions, removal requests, legal notices, and security reports.
Public third-party content
ReviewKit processes publicly available reviews, posts, comments, ratings, metadata, and discussion threads from third-party sources, which may include:
- App Store;
- Google Play;
- Trustpilot;
- Reddit;
- Hacker News;
- similar public platforms.
This content may include usernames, display names, opinions, review text, timestamps, ratings, links, or other information made publicly available by the original poster or platform.
We process this content to provide product research, competitive analysis, summaries, and reports.
3. Data we do not intentionally collect
We do not intentionally collect:
- passwords;
- full payment card numbers;
- government identification numbers;
- precise location data;
- sensitive personal data unless you choose to submit it;
- children's data;
- advertising identifiers for cross-site tracking.
You should not submit sensitive personal data, confidential information, trade secrets, or information you are not authorised to provide.
4. How we use personal data
We use personal data to:
- provide, operate, and maintain the Service;
- create and manage user accounts;
- authenticate users through Clerk;
- process payments and subscriptions through Stripe;
- store account data and analyses through Supabase;
- generate AI summaries and reports using Anthropic;
- enforce free-tier limits and paid-plan access;
- prevent fraud, abuse, scraping, excessive usage, and security incidents;
- debug, monitor, secure, and improve the Service;
- respond to support, legal, privacy, and removal requests;
- comply with legal, tax, accounting, and regulatory obligations;
- enforce our Terms of Service.
5. Legal bases for processing
Where GDPR applies, we rely on the following legal bases.
Contract
We process account data, usage data, billing data, and stored analyses where necessary to provide the Service, manage your account, provide paid features, and perform our Terms of Service.
Legitimate interests
We process certain data for our legitimate interests, including:
- securing the Service;
- preventing abuse, fraud, and excessive usage;
- debugging and maintaining the Service;
- understanding basic product usage;
- responding to support requests;
- protecting our legal rights;
- improving the Service.
We rely on legitimate interests only where those interests are not overridden by your rights and freedoms.
Legal obligation
We process and retain certain data where necessary to comply with legal, tax, accounting, consumer-protection, and regulatory obligations.
Consent
We rely on consent where required by law, such as for optional cookies, optional marketing emails, or other processing that legally requires consent.
At present, we do not use third-party advertising cookies or advertising trackers.
6. AI processing
ReviewKit uses Anthropic's Claude API to generate summaries, themes, and reports.
When you run an analysis, relevant review text, product information, prompts, and related context may be sent to Anthropic for processing.
Anthropic states that, by default, it does not use inputs or outputs from commercial products such as the Anthropic API to train its models.
AI outputs may be inaccurate, incomplete, outdated, or misleading. You should not submit sensitive personal data, confidential business information, trade secrets, or information you are not authorised to process through AI systems.
7. Cookies and similar technologies
ReviewKit does not use third-party advertising trackers.
ReviewKit does not track your activity across unrelated websites.
Authentication, security, payment, hosting, or infrastructure providers may use cookies, tokens, or similar technologies that are necessary to provide login, checkout, fraud prevention, security, or session functionality.
For anonymous rate limiting, we use a per-IP counter and do not set a cookie.
If we introduce non-essential analytics, advertising, or marketing cookies in the future, we will update this Privacy Policy and request consent where required by law.
8. Sub-processors and third-party providers
We use third-party providers to operate the Service. These providers process personal data on our behalf or as independent controllers, depending on the context.
Cloudflare
Cloudflare provides hosting, DNS, security, Workers, and container/scraper infrastructure.
Data processed may include IP addresses, request metadata, logs, publicly available source content, and technical data needed to provide and secure the Service.
Supabase
Supabase provides database hosting and storage.
Data stored in Supabase may include account data, billing metadata, usage data, stored analyses, product URLs, generated outputs, and related application data.
Clerk
Clerk provides authentication and account management.
Data processed may include your email address, user ID, login/session information, and authentication metadata.
Stripe
Stripe provides payment processing, subscription management, billing, customer portal functionality, and related payment services.
Data processed may include your email address, billing details, customer ID, subscription status, payment metadata, and tax-related information. Stripe processes payment card details. We do not store full card numbers on our servers.
Anthropic
Anthropic provides AI model processing through Claude.
Data processed may include prompts, product information, public review text, generated summaries, and related context needed to produce outputs.
Source platforms
ReviewKit fetches publicly available reviews, posts, comments, ratings, and metadata from third-party source platforms such as the App Store, Google Play, Trustpilot, Reddit, Hacker News, and similar sources.
These platforms have their own privacy policies, terms, and data practices.
Email and support providers
If we use email or support providers, they may process your email address, message content, and related metadata so we can send service messages or respond to requests.
9. International transfers
Some of our providers may process personal data outside the Czech Republic, the European Union, or the European Economic Area.
Where GDPR applies and personal data is transferred internationally, we rely on appropriate safeguards where required, such as adequacy decisions, standard contractual clauses, data processing agreements, or other lawful transfer mechanisms.
10. Retention
We keep personal data only for as long as necessary for the purposes described in this Privacy Policy.
Account data
Account data is kept while your account is active.
If you delete your account, we will delete or anonymise associated account data within a reasonable period, except where retention is necessary for legal, tax, accounting, security, fraud-prevention, dispute-resolution, backup, or legitimate business purposes.
Billing data
Billing metadata is kept while your account is active and for as long as necessary to comply with tax, accounting, payment, chargeback, fraud-prevention, and legal obligations.
Stripe may retain payment and billing information according to its own legal and compliance obligations.
Stored analyses
Stored analyses for paid signed-in users expire 90 days after creation, unless deleted earlier.
Anonymous rate-limit counters
Anonymous per-IP rate-limit counters are reset after 36 hours.
Logs and security data
Technical logs, security logs, and abuse-prevention data are kept for a limited period necessary to maintain, secure, debug, and protect the Service, unless longer retention is required for investigation, legal, or security purposes.
Anonymised aggregate data
We may retain anonymised aggregate counts and statistics for capacity planning, product analytics, security, and business purposes. Anonymised data does not identify you.
11. Account deletion
You may delete your account through the Account page where this feature is available, or by contacting us at me@andyshephard.com.
When you delete your account, associated rows are removed from our active database, except where we need to retain limited information for legal, tax, accounting, security, fraud-prevention, backup, dispute-resolution, or legitimate business purposes.
Deletion may permanently remove saved analyses, reports, exports, and settings.
Some residual copies may remain in backups or logs for a limited period before being overwritten or deleted.
12. Your rights
Where GDPR or similar privacy laws apply, you may have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of your data;
- request restriction of processing;
- object to processing based on legitimate interests;
- request data portability;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority.
The European Commission explains that GDPR gives individuals rights over their personal data and applies across the EU.
To exercise your rights, contact me@andyshephard.com.
We may need to verify your identity before responding.
If you are in the Czech Republic, you may contact the Czech Data Protection Authority, Úřad pro ochranu osobních údajů.
13. Security
We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.
These measures may include access controls, authentication providers, secure hosting, encryption in transit, database access restrictions, provider security controls, logging, and abuse prevention.
No online service is completely secure, and we cannot guarantee absolute security.
14. Children
ReviewKit is not directed to children under 13.
We do not knowingly collect personal data from children under 13.
If you believe a child has provided personal data to us, contact us at me@andyshephard.com, and we will take appropriate steps to delete it.
Depending on your jurisdiction, higher age thresholds or parental-consent rules may apply.
15. Marketing communications
We may send service-related emails, such as account, billing, security, product, or legal notices.
We will only send marketing emails where permitted by law. Where consent is required, we will ask for consent first.
You may unsubscribe from marketing emails at any time. You may still receive essential service, billing, legal, or security emails.
16. Do Not Track
ReviewKit does not currently respond to browser “Do Not Track” signals.
Because we do not use third-party advertising trackers or track your activity across unrelated websites, this does not affect how we provide the Service.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time.
If we make material changes, we will post the updated version here and, where you have an account, notify you by email or through the Service.
The updated Privacy Policy will take effect on the date stated at the top.
18. Contact
For privacy questions, data-subject requests, deletion requests, legal notices, or complaints, contact:
Andy Shephard
Email: me@andyshephard.com
Jurisdiction: Czech Republic