Privacy Policy

1. Information We Collect via Google Business Profile API

When you connect your Google Business Profile, KoalaReviews requests the https://www.googleapis.com/auth/business.manage scope. Through this scope we access:

• Your venue's business name and location, used to identify the listing and personalize replies.
• Guest reviews (rating, text, author display name, and timestamps), which we draft replies for.
• The ability to post owner replies to those reviews on your behalf, only after you have explicitly approved each reply.

To authorize these actions, Google issues OAuth access and refresh tokens. These tokens are stored encrypted at rest using AES-256-GCM and are never shared with any third party.

2. Purpose of Processing

We use this data for a single purpose: to generate draft replies that reflect the reality and voice of your business. We do not sell, trade, or share your data with third-party advertisers. Review data is never used to train machine learning models.

3. Google API Services User Data Policy

KoalaReviews' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. Data Control & Retention

You retain full ownership of your data. If you disconnect your Google Business Profile from within KoalaReviews, the stored OAuth tokens are invalidated server-side and removed from our database immediately. You may also revoke KoalaReviews' access at any time from your Google Account permissions. You may request the permanent deletion of your account and all associated data by contacting david@koalareviews.com.

5. Security

OAuth access and refresh tokens are encrypted at rest using AES-256-GCM with key versioning. Access tokens are never written to application logs and are never transmitted to third parties — they are used solely to communicate with Google's own APIs on your behalf.