Privacy Policy

Last updated: March 2026

1. Who We Are

AI Review Responder is operated by Nostra, a company providing AI-powered review management services for restaurants, hotels, and local businesses. For data protection inquiries, contact us at contact@yourdomain.com.

2. Data We Collect

  • Account data: email address, business name, password hash (if using email login)
  • Google data: Google account ID, OAuth tokens (used to sync Google Business reviews)
  • Review data: Google Business reviews fetched via API on your behalf
  • Notification data: Telegram chat ID (if you connect Telegram alerts)
  • Usage data: number of AI responses generated per billing period
  • Payment data: Stripe customer ID (we do not store card details — handled by Stripe)

3. How We Use Your Data

  • To provide the service: sync reviews, generate AI responses, publish to Google
  • To send notifications (Telegram and/or email) about new reviews
  • To manage your subscription and billing via Stripe
  • To send transactional emails (email verification, password reset)

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. AI Processing

Review content is sent to OpenAI's API to generate response drafts. Review text may be processed outside the EU by OpenAI. We send only the review content — no personally identifiable information about you is included in AI prompts. Please review OpenAI's Privacy Policy for details on their data handling.

5. Data Retention

  • Your account data is retained as long as your account is active
  • Upon account deletion, all personal data is permanently deleted within 30 days
  • Review data fetched from Google remains part of your Google Business Profile; our copy of it is deleted from our systems when your account is deleted

6. Data Security

All data is stored on servers hosted by Hetzner in the European Union (Germany). Connections to the service are encrypted in transit (HTTPS/TLS). OAuth tokens are stored encrypted at rest. We follow industry-standard security practices.

7. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), you have the following rights:

  • Right of access (Art. 15): request a copy of your personal data
  • Right to rectification (Art. 16): correct inaccurate data
  • Right to erasure (Art. 17): request deletion of your account and all associated data
  • Right to data portability (Art. 20): receive your data in a structured format
  • Right to object (Art. 21): object to processing of your data

To exercise any of these rights, contact us at contact@yourdomain.com. We will respond within 30 days.

8. Cookies

We use only essential cookies: your session is managed via a secure, httpOnly cookie, and the short-lived authentication token is held in memory only and cleared when the page is closed. We do not use tracking or advertising cookies.

9. Third-Party Services

  • Google: OAuth authentication and Google Business Profile API
  • Stripe: payment processing (PCI DSS compliant)
  • OpenAI: AI response generation
  • Resend: transactional email delivery
  • Telegram: optional push notification delivery
  • Hetzner: EU-based server hosting

10. Contact & Complaints

For privacy matters: contact@yourdomain.com

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the French data protection authority, the CNIL (www.cnil.fr).

A French version of this policy is available upon request.