Legal & Compliance

GDPR FAQ

Answers to common questions about how WiserReview handles personal data, GDPR compliance, sub-processors, data subject rights, and merchant obligations.

Last Updated: March 2026 · Tatvam Cloud Solutions, Inc
01

What is WiserReview's role under GDPR: Controller or Processor?

WiserReview acts in both roles depending on the data involved. For merchant account data (names, emails, billing), WiserReview is the Data Controller. For end-consumer review data processed on behalf of merchants, WiserReview is the Data Processor and the merchant is the Data Controller. This dual role is fully documented in our Data Processing Agreement.

02

Do you have a Data Processing Agreement (DPA)?

Yes. Our DPA is publicly available and incorporated into the Terms & Conditions by reference. By using WiserReview, you automatically enter into this DPA. Enterprise customers requiring a formally countersigned copy can request one by emailing [email protected]. We return it within 10 business days.

03

Where is personal data stored geographically?

Primary data is stored on Microsoft Azure infrastructure in the United States. Email delivery uses AWS SES. File storage (photos/videos) uses Azure Blob Storage and AWS S3, both in the United States. Cloudflare CDN caches only public widget assets at global edge locations. No personally identifiable information is cached at the edge.

04

What is the legal basis for processing customer reviews?

We rely on three lawful bases: (1) Legitimate Interest: merchants have a legitimate interest in collecting and displaying reviews to build trust. (2) Consent: end consumers voluntarily submit reviews. (3) Contractual Necessity: processing is required to deliver the review management service to merchants.

05

What sub-processors does WiserReview use?

We use a defined set of sub-processors: Microsoft Azure (hosting, storage, message queuing), MongoDB Atlas (database), Cloudflare (CDN, WAF, DDoS), AWS SES & S3 (email and file storage), SendGrid (transactional email), Chargebee (billing, PCI DSS Level 1), OpenAI (AI text generation, review text only, no PII), and Sentry (error monitoring). We notify merchants of any sub-processor changes with at least 14 days' notice.

06

How do you handle data subject rights requests (access, deletion, portability)?

Merchants can export all review data in CSV format from the dashboard (access & portability), edit reviews (rectification), and delete individual reviews or their entire account (erasure). Automated deletion is supported through integration events from connected platforms. For requests requiring direct WiserReview action, contact [email protected]. We respond within 30 days.

07

How long do you retain personal data?

Review content and consumer data are retained while the merchant account is active and are deleted on review deletion, GDPR request, or account closure. Merchant account data is retained for the subscription lifetime plus 60 days post-cancellation. Error logs are automatically rotated after 90 days. Cache data expires within hours.

08

Do you transfer data outside the EU/UK?

Yes. Data is processed primarily in the United States via Microsoft Azure infrastructure and our sub-processors. All cross-border transfers from the EEA or UK are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent GDPR-compliant transfer mechanisms maintained by our sub-processors.

09

What happens in case of a data breach?

We will notify affected merchants within 72 hours of discovering a breach that poses a risk to their rights and freedoms, in compliance with GDPR Article 33. We will also notify the relevant supervisory authority where required. A root cause analysis is conducted and remediation steps are implemented following our documented incident response process.

10

As a merchant, what are my own GDPR obligations when using WiserReview?

As the Data Controller, you are responsible for: (1) ensuring you have a lawful basis to share customer data with WiserReview, (2) disclosing WiserReview as a sub-processor in your privacy policy, (3) including WiserReview pixel cookies in your cookie consent banner where required, and (4) promptly forwarding any data subject rights requests that involve data held by WiserReview.

11

Is WiserReview GDPR certified or independently audited?

WiserReview does not currently hold a formal GDPR certification (no such certification officially exists under GDPR). SOC 2 Type II and ISO 27001 certifications are on our roadmap. Our entire infrastructure runs on sub-processors that hold SOC 2 Type II, ISO 27001, and GDPR-compliant certifications. We provide a full security and control mapping on request.

12

What cookies does WiserReview set, and do they require consent?

On wiserreview.com: cf_clearance (Cloudflare, essential, no consent needed), _ga/_gid/_gat (Google Analytics, requires consent for EEA/UK visitors). On merchant storefronts via our pixel: WR_UNQ_VID and WR_ACT_ARR (functional/analytics, require consent), W_LMT_RVW_APP (anti-abuse essential, no consent needed). The WiserReview dashboard uses localStorage and sessionStorage only, not cookies.

13

Where can I find WiserReview's Record of Processing Activities (RoPA)?

Our simplified public RoPA is available at /security/ropa. It lists all 9 processing activities, their legal basis, data categories, sub-processors, and cross-border transfer details, maintained pursuant to GDPR Article 30.

Still have questions?

For GDPR inquiries, data subject requests, or to request a countersigned DPA:

Tatvam Cloud Solutions, Inc (WiserReview)

[email protected]