Reviewbird

Data Protection Agreement

Effective Date: March 13, 2026
Last Updated: March 13, 2026

This Data Protection Agreement ("DPA") forms part of the Terms of Service between Clif Griffin Development Inc, doing business as Reviewbird ("Data Processor," "we," "us"), and the merchant using our Service ("Data Controller," "you"). This DPA governs the processing of personal data by Reviewbird on your behalf.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws including the GDPR.
  • Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
  • Data Subject: An individual whose personal data is processed under this DPA (e.g., your customers).
  • Sub-processor: A third party engaged by Reviewbird to process personal data on your behalf.

2. Scope of Data Processing

Data Categories Processed

  • Customer names and email addresses
  • Order identifiers and product details
  • Review content (ratings, text, media)
  • IP addresses (for fraud prevention)

Data Subjects

  • Customers of the merchant who place orders or submit reviews

Processing Purposes

  • Sending review request emails on behalf of the merchant
  • Collecting, storing, and displaying customer reviews
  • Providing review analytics and reporting
  • Fraud detection and prevention

Legal Basis

We process personal data as a Data Processor on your behalf. As the Data Controller, you are responsible for establishing the legal basis for processing (e.g., legitimate interest, consent) under applicable laws.

3. Data Processor Obligations

Reviewbird shall:

  • Process personal data only on your documented instructions and for the purposes described in this DPA
  • Ensure that personnel authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in fulfilling your obligations to respond to data subject rights requests
  • Make available all information necessary to demonstrate compliance with this DPA
  • Not engage additional sub-processors without first notifying you (see Section 8)

4. Data Retention and Deletion

  • Order data: Automatically purged 90 days after sync. This ensures only data necessary for active review requests is retained.
  • Review data: Retained for the duration of your account. Upon account termination, review data enters a 60-day soft-delete period before permanent deletion.
  • Customer PII associated with GDPR requests: Redacted within 30 days of receiving a valid erasure request through Shopify GDPR webhooks or direct request.
  • Audit logs: Retained for 12 months, then automatically purged.

You may request data deletion at any time by contacting [email protected].

5. Security Measures

Reviewbird implements the following technical and organizational measures to protect personal data:

Technical Measures

  • Encryption at rest: Customer PII is encrypted with AES-256-GCM using a separate key for each record
  • Blind indexing: Fields that must remain searchable are indexed with HMAC-SHA256 blind indexes, so lookups never require a plaintext copy of the PII to be stored
  • Encryption in transit: All data in transit is protected using TLS 1.2 or higher
  • Access controls: Role-based access controls with principle of least privilege
  • Audit logging: All access to and modifications of customer personal data are recorded in immutable audit logs
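The two encryption measures above, per-record AES-256-GCM keys and an HMAC-SHA256 blind index, as an added Go example using only the standard library. This is illustrative code written for this page, not Reviewbird's implementation; the Vault and Record types, the key names, the e-mail normalization rule and the demo keys are assumptions. It shows envelope encryption of a field under a random per-record key that is itself wrapped by a master key, and a lookup that compares blind indexes without decrypting anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Record is the stored form of one encrypted PII field: no plaintext column at all.
type Record struct {
	EmailIdx   string // hex HMAC-SHA256 blind index, used for equality lookups
	WrappedKey []byte // random 32-byte per-record key, AES-256-GCM-sealed under MasterKey
	Ciphertext []byte // nonce || AES-256-GCM(email) under the per-record key
}

// Vault holds two separate 32-byte root secrets (assumed names): IndexKey only
// feeds the HMAC, MasterKey only wraps per-record keys. Never reuse one for the other.
type Vault struct{ MasterKey, IndexKey []byte }

// BlindIndex is HMAC-SHA256 over the canonicalized value, so "Alice@Example.com "
// and "alice@example.com" index identically. It is deterministic by design (that is
// what makes lookup work), so it reveals which rows share a value, not the value.
func (v Vault) BlindIndex(email string) string {
	mac := hmac.New(sha256.New, v.IndexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prepends a fresh random nonce to the AES-GCM output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt: fresh per-record key wrapped under MasterKey (envelope encryption),
// field sealed under that key, plus the blind index for lookups.
func (v Vault) Encrypt(email string) (Record, error) {
	recordKey := make([]byte, 32)
	if _, err := rand.Read(recordKey); err != nil {
		return Record{}, err
	}
	wrapped, err := seal(v.MasterKey, recordKey)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(recordKey, []byte(email))
	if err != nil {
		return Record{}, err
	}
	return Record{EmailIdx: v.BlindIndex(email), WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the per-record key, then the field. Destroying WrappedKey
// alone leaves the row permanently unreadable (crypto-shredding).
func (v Vault) Decrypt(r Record) (string, error) {
	recordKey, err := open(v.MasterKey, r.WrappedKey)
	if err != nil {
		return "", err
	}
	pt, err := open(recordKey, r.Ciphertext)
	return string(pt), err
}

func main() {
	// Constructed demo keys and row; production keys come from a KMS or secret store.
	v := Vault{MasterKey: []byte("0123456789abcdef0123456789abcdef"), IndexKey: []byte("fedcba9876543210fedcba9876543210")}
	row, _ := v.Encrypt("alice@example.com")
	// Lookup path: index the query and compare with the stored column; nothing is decrypted.
	match := v.BlindIndex(" Alice@Example.COM ") == row.EmailIdx
	pt, _ := v.Decrypt(row) // plaintext exists only after an explicit decrypt
	fmt.Println("match:", match, "decrypted:", pt)
}
```

Two properties are worth checking in any scheme of this shape. The index key must be distinct from the encryption key, since an attacker who obtains the HMAC key can confirm guesses against every stored index. And because the blind index is deterministic, rows with the same e-mail share an index value, so it should be computed over a canonical form and treated as sensitive in its own right. A per-record key also gives a cheap erasure path of the kind Section 4 describes: destroying one row's wrapped key renders its ciphertext unrecoverable without touching the rest of the table.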

Organizational Measures

  • Staff with access to personal data are trained on data protection obligations
  • Access to production systems is restricted and monitored
  • Regular security reviews of infrastructure and application code

6. Breach Notification

In the event of a personal data breach:

  • Reviewbird will notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
  • Reviewbird will cooperate with you and take reasonable steps to mitigate the effects of the breach

7. Data Subject Rights

Reviewbird will assist you in responding to data subject requests, including:

  • Access requests: We can provide exports of personal data held for a specific data subject
  • Deletion requests: We process deletion/redaction requests received through Shopify GDPR webhooks automatically. Manual requests can be submitted to [email protected]
  • Portability requests: We can provide data in structured, machine-readable formats (JSON, CSV)
  • Rectification requests: We can correct personal data upon your instruction

We will respond to data subject rights requests within 30 days.

8. Sub-processors

We use the following categories of sub-processors:

  • Cloud infrastructure providers: For hosting, storage, and compute services
  • Email delivery services: For sending review request and notification emails
  • Payment processors: Shopify Billing and Stripe for billing operations

We will notify you before engaging new sub-processors or replacing existing ones, giving you the opportunity to object. A current list of sub-processors is available upon request.

9. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Transfers to countries with an adequacy decision from the European Commission
  • Other legally recognized transfer mechanisms as applicable

10. Term and Termination

  • This DPA is effective for the duration of your use of the Reviewbird Service.
  • Upon termination, Reviewbird will delete or return all personal data processed on your behalf, subject to the retention periods described in Section 4.
  • Provisions of this DPA that by their nature should survive termination (including confidentiality, liability, and data deletion obligations) will remain in effect.

11. Liability

Liability under this DPA is subject to the limitations set forth in our Terms of Service.

12. Contact

For questions about this DPA or to exercise your rights:

Email: [email protected]