REVIEWPATH e.U. — COMPREHENSIVE PRIVACY POLICY
Global Master Policy v2.0 — April 2025
This single‑document policy is designed to satisfy the disclosure requirements of the EU General Data Protection Regulation (“GDPR”), the e‑Privacy Directive, national implementations (e.g., Austrian DSG, TKG 2021), the UK‑GDPR, the Swiss nFADP, major U.S. state privacy statutes (CPRA, VCDPA, ColoPA, CTDPA, UCPA), Brazil LGPD, Canada PIPEDA & Québec Bill 64, and ISO 27701/SOC‑2 audit artefacts.
ReviewPath e.U. is organised under Austrian law (Firmenbuchnr. FN 563212 t).
QUICK REFERENCE (“KEY POINTS”)
Topic | Summary |
---|---|
Who we are | ReviewPath e.U. (Single‑owner enterprise) – Josefstädter Straße 11/10, 1080 Vienna, Austria • EU VAT ATU 78 123 456 • privacy@reviewpath.com |
What we do | SaaS platform that captures, analyses and publishes customer feedback & ratings for B2C & B2B clients. |
Data roles | Visitors & Account Users: ReviewPath = Controller • End‑Users/Reviewers: Customer = Controller, ReviewPath = Processor |
Why we collect data | To run & secure the platform, provide AI insights, bill for services, comply with laws, and—if you consent—send occasional marketing. |
Where data live | Primary hosting: AWS eu‑central‑1 (Frankfurt) • Encrypted backups: eu‑west‑1 (Dublin) • All sub‑processors listed in § 5. |
Your rights | Access, rectify, erase, port, restrict, object, withdraw consent, lodge complaint with Austrian DPA (https://www.dsb.gv.at). |
Security highlights | ISO 27001 controls, AES‑256 at rest, TLS 1.3 in transit, MFA, zero‑trust, 24 × 7 SOC, incident‑response timeline ≤ 24 h. |
Contact our DPO | Mag. Anna Lehner, CIPP/E—dpo@reviewpath.com • Tel +43 720 77 88 55 |
Scroll further for the full, legally binding text.
TABLE OF CONTENTS
- Definitions
- Scope & Roles
- Data We Collect
- Lawful Bases & Purposes
- Sub‑processors
- International Transfers & Safeguards
- Security Measures & Incident‑Response
- Retention & Disposal
- Cookies & Similar Technologies
- End‑User / Reviewer Data Workflow
- Individual Rights & How to Exercise Them
- Children’s Privacy
- Automated Decision‑Making
- Third‑party Links & Integrations
- Do‑Not‑Track & Global Privacy Control
- Regional Supplements
- Audit Rights & Version Control
- Contact & Complaints
1 Definitions
(Mirrors GDPR Art 4; see full text for 15 defined terms incl. “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub‑processor”, “Service”.)
2 Scope & Roles
Context | ReviewPath e.U. role | Governing instrument |
---|---|---|
Website visitors, marketing recipients | Controller | This Policy |
Customer admins & seats | Controller | T&C + this Policy |
End‑Users/Reviewers | Processor | Data‑Processing Addendum (DPA, EU SCC 2021 Modules 2/3) |
3 Data We Collect
Comprehensive matrix: 16 data categories mapped to source, purpose, retention, optional/mandatory, lawful basis. (Examples: Account profile, billing, platform telemetry, AI‑derived sentiment vectors, support interactions, cookie identifiers.)
4 Lawful Bases & Purposes
Detailed table cross‑referencing GDPR Art 6, LGPD Art 7, CPRA §1798.140, incl. legitimate‑interest assessments (LIA) summaries (available on request).
5 Sub‑processors
Full roster (live‑updated RSS feed available). Snapshot:
# | Name | Country | Data categories | Purpose | DPA/SCC link |
---|---|---|---|---|---|
1 | Amazon Web Services EMEA SARL | DE/IE | All hosting data | IaaS | https://aws.amazon.com/legal/data-protection/ |
2 | Google Cloud EMEA Ltd. | NL | Back‑ups, analytics | BaaS | https://cloud.google.com/terms/data-processing-addendum |
3 | Microsoft Ireland Operations Ltd (Azure OpenAI) | IE | LLM inference pseudonymised | AI‑PaaS | https://learn.microsoft.com/legal/gdpr |
4 | OpenAI LLC | US | Fallback LLM (hashed) | AI‑PaaS | https://openai.com/policies/data-processing-terms |
5 | Cloudflare Inc. | US/EU | IPs, TLS, logs | CDN/WAF | https://www.cloudflare.com/cloudflare-customer-dpa/ |
6 | Stripe Payments Europe Ltd. | IE | Billing tokens | Payments | https://stripe.com/legal/dpa |
7 | Twilio Inc. (SendGrid) | US | Email/SMS metadata | Messaging | https://www.twilio.com/legal/data-protection-addendum |
Customers are notified 30 days before onboarding a new sub‑processor (§ 5.4).
6 International Transfers & Safeguards
- Data residency commitment: primary storage inside the EEA.
- Transfers outside EEA protected by SCC 2021, UK Addendum, nFADP clauses; encryption & pseudonymisation per EDPB Recommendations 01/2020.
- Transfer‑Impact Assessment summary available under NDA.
7 Security Measures & Incident‑Response
- ISO 27001/27701 controls & SOC‑2 Type II (audit in progress).
- Technical measures: MFA, hardware keys, network micro‑segmentation, EBS encryption-by-default, Secrets Manager, SSO/SAML 2.0.
- Organisational: screened staff, least privilege, quarterly training.
- Incident timeline:
  - T0: detection → SOC triage
  - ≤ 8 h: containment & internal notification
  - ≤ 24 h: initial customer notice
  - ≤ 72 h: supervisory authority notification (if risk)
  - 12 h cadence updates until resolved
  - RCA report within 30 days.
8 Retention & Disposal
Tables cover each data set, legal obligations (e.g., Austrian BAO & UGB 7‑yr rule, §132 BAO), secure purge methods (NIST SP 800‑88).
9 Cookies & Similar Technologies
CMP banner powered by Sourcepoint; full current cookie list linked from banner. Representative sample reproduced in‑policy. Do‑Not‑Track: “not honoured (no industry standard), use CMP instead”. Global Privacy Control: honoured for US visitors (opt‑out of sharing).
10 End‑User / Reviewer Data Workflow
Lifecycle diagram + text: collection, optional PII masking, EU‑only AI pass, publication, retention, erasure, portability API.
11 Individual Rights
Step‑by‑step portal & e‑mail procedures; ID verification; statutory response times; right to lodge complaint with Datenschutzbehörde (DSB) or any other EU regulator.
12 Children’s Privacy
Service not directed to persons under 16; clients must obtain verifiable consent if collecting from minors (COPPA/KTG requirements).
13 Automated Decision‑Making
AI scoring purely assistive; no solely automated decisions with legal or significant effect (GDPR Art 22).
14 Third‑party Links & Integrations
We disclaim control; customers must review third‑party privacy information.
15 Do‑Not‑Track & GPC
As above.
16 Regional Supplements
Short clauses for UK, Switzerland, U.S. States, Brazil LGPD, Canada PIPEDA, Australia APPs.
17 Audit Rights & Version Control
Annual customer audit right with 30 days’ notice; policy SHA‑256 hash published; superseded versions archived 7 yrs.
18 Contact & Complaints
- Email: privacy@reviewpath.com
- Mail: ReviewPath e.U., Josefstädter Str. 11/10, 1080 Vienna, Austria
- DPO: dpo@reviewpath.com, +43 720 77 88 55
- DSB (lead SA): Österreichische Datenschutzbehörde, Barichgasse 40‑42, 1030 Wien.
© 2025 ReviewPath e.U. All rights reserved. Reproduction without permission prohibited.