Legal

Privacy Policy

We believe privacy is a right, not a checkbox. This policy explains exactly what we collect, why we collect it, and how you stay in control.

Last updated: May 12, 2026

1. Overview

ReviewBod, Inc. ("ReviewBod", "we", "us", or "our") operates the ReviewBod platform, available at reviewbod.com and related subdomains. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our services. By accessing or using ReviewBod you agree to the terms of this Privacy Policy. If you are using ReviewBod on behalf of an organization, you represent that you have authority to bind that organization to this policy.

2. Information We Collect

2.1 Information you provide directly

When you create an account or use our services you may provide: name, email address, job title, company name, billing information (processed by our payment provider, Stripe — we do not store card numbers), profile photos, and any content you submit through the platform such as performance review text, goals, and feedback.

2.2 Information from third-party integrations

When you connect external services (GitHub, Linear, Jira, Slack, Notion, Figma, Google Drive, etc.) we collect data necessary to provide the platform's features. This may include repository metadata, pull request information, issue and project data, calendar events, and file metadata. We access only the scopes you explicitly authorize during the OAuth flow.

2.3 Automatically collected information

We collect standard log data including IP addresses, browser type and version, operating system, referring URLs, pages visited, and timestamps. We also collect usage analytics (feature clicks, session duration, error reports) to improve the product. This data is collected via server logs and first-party analytics tools.

2.4 Cookies and similar technologies

We use strictly necessary cookies to maintain your authenticated session and preference cookies to remember your settings. We do not use third-party advertising cookies. You can control cookie preferences through your browser settings, although disabling session cookies will prevent you from logging in.

3. How We Use Your Information

We use collected information to:

• Provide, maintain, and improve the ReviewBod platform and its features
• Process transactions and send related billing and account notices
• Generate AI-powered performance grades, insights, and recommendations within your organization's workspace
• Send transactional notifications such as review cycle reminders and deadline alerts
• Respond to support requests and communicate about your account
• Monitor platform health, detect security incidents, and prevent fraud
• Comply with legal obligations and enforce our Terms of Service

We do not use your private organizational data — including source code, internal documents, or review content — to train any publicly available machine learning models.

4. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

Service providers. We engage vetted sub-processors (cloud infrastructure, payment processing, transactional email, error monitoring) under data processing agreements that restrict them from using your data for their own purposes. A current list of sub-processors is available on request.

Within your organization. Data you or your colleagues submit is visible to other authorized members of your ReviewBod organization according to the role-based permissions you configure.

Legal requirements. We may disclose information where required by law, subpoena, or government request, or to protect the rights, property, or safety of ReviewBod, our users, or others.

Business transfers. If ReviewBod is acquired or merges with another entity, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a materially different privacy policy.

5. Data Retention

We retain your account data for as long as your organization maintains an active subscription, plus 90 days after cancellation to allow for account recovery. After that window, personal data is deleted from production systems within 30 days and from backup systems within 90 days. You may request earlier deletion by contacting privacy@reviewbod.com. Deletion requests are processed within 30 days, subject to our obligations to retain certain data for legal or financial compliance purposes.

6. Security

ReviewBod maintains a SOC 2 Type II certification. Our security program includes:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and least-privilege principles for internal staff
• Quarterly third-party penetration testing
• Continuous vulnerability scanning and dependency monitoring
• Incident response procedures with defined SLAs for breach notification

No method of electronic transmission or storage is 100% secure. If you discover a potential security vulnerability, please report it to security@reviewbod.com rather than disclosing it publicly.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access & portability. Request a copy of the personal data we hold about you in a machine-readable format.

Correction. Ask us to correct inaccurate or incomplete data.

Erasure. Request deletion of your personal data, subject to legal retention requirements.

Restriction. Ask us to restrict processing of your data in certain circumstances.

Objection. Object to processing based on legitimate interests.

To exercise any of these rights, email privacy@reviewbod.com. We will respond within 30 days. Where you are an employee whose data is managed by your employer's ReviewBod organization, please direct requests to your employer as the data controller; we will cooperate as data processor.

8. International Data Transfers

ReviewBod is headquartered in the United States. If you access the platform from outside the US, your data is transferred to and processed in the US. For transfers from the European Economic Area, UK, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission.

9. Children's Privacy

ReviewBod is designed for use by organizations and professionals. We do not knowingly collect personal information from individuals under the age of 16. If we become aware that a minor has provided personal data, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the platform at least 14 days before the change takes effect. Continued use of ReviewBod after the effective date constitutes acceptance of the updated policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact:

ReviewBod, Inc.
Attn: Privacy Team
privacy@reviewbod.com