Privacy Policy

PublishMyReviews (“PublishMyReviews”, “we”, “us”, or “our”) is a software platform that helps Indian local businesses collect customer reviews via QR code and turn approved testimonials into Instagram posts and stories.

PublishMyReviews is currently operated as a sole proprietorship by Aviraj Battan, registered in Kurukshetra, Haryana, India. This Privacy Policy explains what personal data we handle, how we handle it, and the rights available to you under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).

PublishMyReviews handles two clearly different categories of personal data, and our role under the DPDP Act differs for each.

Account data (you, the business owner / operator)

• Owner name, email, phone number, password (stored as a salted hash — never in plain text).
• Business name, business slug, address city, business category, public review URL.
• Connected Google Place ID and Instagram Business Account ID, plus access tokens for those integrations.
• Billing email, plan tier, subscription status, payment method metadata returned by Razorpay (last 4 digits, brand, UPI handle — we do not store full card numbers, CVV, or UPI PINs).
• Operational logs (login events, IP address, user agent, request IDs) for security and abuse prevention.

Customer review data (your customers, processed for you)

• Name and optional photo submitted by the customer at the QR review form.
• Review text (and AI-polished version, when AI polishing is used).
• Optional Instagram handle for tagging in the published post.
• Consent flag indicating whether the customer agreed to public publishing of their review and photo.
• Submission timestamp and the QR scan that originated the submission.

Technical data

• Standard web logs — IP address, browser, operating system, referrer, page-view paths.
• First-party session cookies that keep you logged in. We do not use third-party advertising cookies.

We use personal data only for clearly defined purposes:

• To run the service — collect reviews, generate testimonial graphics, publish to Instagram, and produce reports for the subscribing business.
• To process subscriptions and add-on purchases through Razorpay, send payment receipts, and enforce plan limits.
• To authenticate accounts, send transactional emails (login codes, payment receipts, abuse alerts), and protect the platform from fraud and misuse.
• To improve the service in aggregate — we look at anonymous usage patterns, not individual customer reviews.
• To comply with applicable Indian law and respond to lawful requests from authorised authorities.

We do not sell personal data. We do not use customer review data to train any AI models.

For account data we rely primarily on:

• Consent — obtained when you create an account.
• Performance of contract — processing necessary to deliver the subscription you have purchased.
• Legitimate use under section 7 — for security, fraud prevention, and statutory compliance.

For customer review data we act on the consent the customer provides at the QR review form, plus the contractual instructions of the subscribing business. The subscribing business is responsible for confirming that customer consent is genuine before publishing.

We share personal data only with the third-party processors that are necessary to operate the service. We have contractual data-protection obligations with each of them.

We do not share personal data with advertising networks, data brokers, or any party not listed above. We may disclose data when required by Indian law, by a court order, or to defend our legal rights.

Operational data is stored on managed infrastructure located in the Asia — South region (India and Singapore data centres). Some processors named above (for example, Resend, Meta, and Google) operate globally and may process data outside India. Where this happens we rely on the contractual data-protection terms offered by those processors and, where applicable, the cross-border transfer rules notified under the DPDP Act.

• Customer reviews are automatically deleted from our database 60 days after submission, even if they were never published. Published Instagram posts remain on Instagram and on the public review page until the business removes them.
• Account data is retained while the business has an active subscription, plus up to 12 months after cancellation to allow restoration. After that we delete or anonymise it, except where Indian law (for example, Income Tax Act and GST law where applicable) requires us to retain invoices and tax records for longer.
• Payment records are retained for at least 8 years from the date of the transaction in line with statutory book-keeping obligations.
• Operational logs are retained for 90 days for security and abuse prevention.

We use industry-standard security practices, including TLS encryption in transit, encryption at rest for databases and backups, strict role-based access for our team, salted password hashing, and short-lived API tokens. No system on the public internet is fully immune to compromise; if a breach affects you we will notify you and the Data Protection Board of India in line with the requirements of the DPDP Act.

The DPDP Act gives you the following rights over your personal data:

• Access — request a copy of the data we hold about you.
• Correction — ask us to correct inaccurate or out-of-date data.
• Erasure — ask us to delete your data, subject to retention obligations under law.
• Withdraw consent — without affecting processing already done before withdrawal.
• Nominate — nominate another individual to exercise these rights on your behalf in the event of incapacity or death.
• Grievance redressal — contact our grievance officer (below) and, if unresolved, escalate to the Data Protection Board of India.

If your review was published by a business using PublishMyReviews and you want it removed, the fastest path is to contact that business directly. We will also act on a request sent to privacy@publishmyreviews.com and route it to the business for action within 7 days.

Inside the application. We use a small number of strictly necessary first-party cookies to keep you signed in and remember preferences. We do not use third-party advertising or cross-site tracking cookies inside the app. You can clear cookies from your browser at any time, but doing so will sign you out of the application.

On the marketing website. publishmyreviews.com loads Google Analytics 4 when a measurement ID is configured for the deployment. GA sets first-party analytics cookies to measure aggregate page-level traffic. We do not enable Google Signals, ad personalisation, or cross-site advertising on this property. You can opt out by using a browser that blocks analytics cookies, the official Google Analytics opt-out add-on, or by viewing the site in private/incognito mode.

PublishMyReviews is intended for businesses and adult users. The platform is not directed at children under 18. If you believe a child has submitted personal data through our review form, contact us at privacy@publishmyreviews.com and we will delete it.

We may update this policy as the product evolves or as the law changes. Material changes will be notified to the registered owner email at least 7 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

For any privacy-related question, request, or complaint please write to our grievance officer at privacy@publishmyreviews.com. For general support write to support@publishmyreviews.com.

For any formal or legal communication, including DPDP Act grievances, please use the privacy email above. We will respond from a verified PublishMyReviews mailbox. Postal correspondence may be sent to the registered business address: PublishMyReviews (sole proprietor: Aviraj Battan), Gali Number 4, 7B, Kurukshetra, Haryana 136119, India. The address may change once the business is incorporated as a private limited company; the latest address will always be reflected on this page and at /about.