Data Processing Agreement

Last updated: November 28, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer" or "Data Controller") and Review Insight AI ("Processor," "we," "us," or "our").

Legal Entity:

Company legal name
Company address line 1
Company address line 2

This DPA governs how we process personal data on behalf of customers in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Data Controller" means the Customer who determines the purposes and means of processing personal data
  • "Data Processor" means NextGen Marketing and Automation LLC, which processes personal data on behalf of the Customer
  • "Data Subject" means the individual to whom personal data relates
  • "Processing" means any operation performed on personal data (collection, storage, use, disclosure, etc.)
  • "Sub-processor" means any third party appointed by the Processor to process personal data

3. Scope and Roles

3.1 Scope of Processing

The Processor will process personal data on behalf of the Customer solely for the purpose of providing the Review Insight AI service, which includes:

  • Collecting publicly available guest reviews from booking platforms
  • Analyzing review data using AI to generate insights
  • Storing property information and user account data
  • Sending analysis reports and service notifications

3.2 Data Controller Obligations

The Customer, as Data Controller, is responsible for:

  • Ensuring a lawful basis for processing personal data
  • Complying with all applicable data protection laws
  • Providing necessary notices to data subjects
  • Obtaining any required consents from data subjects

3.3 Data Processor Obligations

We, as Data Processor, will:

  • Process personal data only on documented instructions from the Customer
  • Ensure confidentiality of personal data
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to data subject requests
  • Notify the Customer of any personal data breaches
  • Delete or return personal data upon termination of services

4. Types of Personal Data Processed

The following categories of personal data may be processed:

  • Customer Account Data: Name, email address, password (hashed), organization name
  • Property Data: Hotel property names, addresses, booking platform identifiers
  • Billing Data: Processed through our payment processor (Stripe) - we do not store full payment card details
  • Usage Data: IP addresses, browser information, activity logs
  • Review Data: Publicly available guest reviews (may contain personal data such as reviewer names, which we do not control)

5. Data Subject Rights

We will assist the Customer in fulfilling data subject requests, including:

  • Right of Access: Provide data subjects with access to their personal data
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Delete personal data when required
  • Right to Restriction: Limit processing of personal data
  • Right to Data Portability: Provide data in a machine-readable format
  • Right to Object: Stop processing personal data in certain circumstances

If we receive a data subject request directly, we will promptly forward it to the Customer. The Customer is responsible for responding to data subject requests.

6. Security Measures

We implement industry-standard technical and organizational security measures to protect personal data, including:

  • Encryption: Data encrypted in transit (TLS) and at rest
  • Access Controls: Role-based access controls and authentication
  • Security Monitoring: Regular security audits and vulnerability assessments
  • Incident Response: Documented data breach notification procedures
  • Staff Training: Regular security awareness training for personnel
  • Physical Security: Secure data centers with restricted access

7. Sub-processors

The Customer authorizes us to engage the following sub-processors:

Current Sub-processors:

  • Railway Corp. - Hosting infrastructure and database
    Location: United States
  • Stripe, Inc. - Payment processing
    Location: United States
  • Mailgun Technologies, Inc. - Email delivery
    Location: United States

Note: We use AI services for analyzing publicly available review data only. No personal customer data is transmitted to AI service providers.

We will notify the Customer of any changes to sub-processors with at least 30 days' notice. The Customer may object to a new sub-processor on reasonable grounds within 30 days of notification.

8. International Data Transfers

Personal data may be transferred to and processed in the United States and other countries where our sub-processors operate. We ensure that appropriate safeguards are in place for such transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Additional security measures to protect transferred data

9. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the Customer without undue delay and no later than 72 hours after becoming aware
  • Provide details of the nature of the breach, affected data, and likely consequences
  • Describe measures taken or proposed to address the breach
  • Cooperate with the Customer in any required notifications to supervisory authorities or data subjects

10. Data Retention and Deletion

We will retain personal data only for as long as necessary to provide the Service or as required by law.

Upon termination of the Service or upon Customer request, we will:

  • Delete or return all personal data within 30 days
  • Delete existing copies unless storage is required by applicable law
  • Provide written certification of deletion upon request

11. Audits and Compliance

We will make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Customer or an auditor authorized by the Customer.

Audit requests must be made with reasonable notice (at least 30 days) and conducted during normal business hours.

12. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions set forth in the Terms of Service, except where such limitations are prohibited by applicable law.

Review Insight AI will indemnify the Customer against any claims, fines, or penalties resulting from our failure to comply with this DPA, except to the extent caused by the Customer's instructions or actions.

13. Term and Termination

This DPA will remain in effect for as long as we process personal data on behalf of the Customer. Upon termination, the data deletion provisions in Section 10 will apply.

14. Governing Law

This DPA shall be governed by the laws of the State of Wyoming, United States, except where the GDPR or other data protection laws require otherwise.

15. Contact Information

For questions about this DPA or to exercise your rights under data protection laws, please contact our Data Protection Officer:

Email: Privacy email address