This Privacy Policy explains how Repeat Reviews (a trading name of Mechanise.AI Ltd) (“we”, “us”, “our”) collects, uses, stores, shares, and protects personal data, and how you can exercise your rights.
This policy applies when you:
- Visit our website or interact with us online
- Create an account or use our services
- Communicate with us (including sales, support, marketing, or events)
- Use integrations (e.g., Google services, CRM connections) in connection with Repeat Reviews
We are committed to processing personal data fairly, lawfully, and transparently in line with the UK GDPR and the Data Protection Act 2018. Where we send electronic marketing messages, we also comply with PECR.
1) WHO WE ARE
Controller (for most website/account data): Repeat Reviews (Mechanise.AI Ltd)
Key roles under data protection law
Depending on the context, we act as either:
Data Controller (we decide how and why your personal data is processed), for example for our website, admin, billing, security, and direct communications with you; and/or
Data Processor (we process personal data on a client’s instructions), where our business customers upload or sync their customer contact data into Repeat Reviews to send review requests and manage reputation activity on the customer’s behalf.
Where we act as a Processor, our business customer is the Controller of that end-customer data.
2) WHAT PERSONAL DATA WE COLLECT
We collect personal data in the following main categories:
A. Data you provide to us
This may include:
- Name, business name, job title
- Email address, phone number
- Billing address and invoice details
- Account login and authentication information
- Preferences and communications with us
- Any content you submit to the platform (e.g., review reply templates, messages, business information)
- Customer contact data you upload or sync (as part of providing the service to you)
B. Data we collect automatically (website/app usage)
This may include:
- IP address
- Device type, browser type and settings
- Operating system
- Language preferences
- Referring URLs and interaction data
- Log files, timestamps, pages viewed, features used
- Approximate location derived from IP (depending on device/settings)
C. Data from third parties / integrations
Where you connect third-party services, we may receive data from those providers in order to deliver the integration (e.g., account identifiers, tokens, or business profile data). The exact data depends on the integration you enable.
Payment data
We do not store payment card details. Payments are processed by a third-party payment provider (for example, Stripe). The payment provider processes your payment details in accordance with its own privacy notice.
3) SPECIAL CATEGORY DATA
We do not seek to collect special category data (such as health data, religious beliefs, sexual orientation, etc.). If such data is included in content you submit or upload, we will process it only to the extent necessary to provide the service and in line with applicable law.
4) HOW WE USE PERSONAL DATA
We process personal data for the following purposes:
To provide and operate Repeat Reviews
- Creating and managing accounts
- Authenticating users and managing access
- Sending review requests on your behalf (e.g., SMS/email)
- Providing dashboards, monitoring, alerts, and reporting
- Managing integrations you enable
To communicate with you
- Service messages (e.g., confirmations, changes to terms)
- Support and troubleshooting
- Admin messages about your account
For security, fraud prevention, and service integrity
- Monitoring for suspicious activity
- Preventing misuse and protecting systems
- Maintaining audit logs and access records
To improve and develop the service
- Analytics and performance measurement
- Debugging and feature improvements
- Internal research and testing
Marketing (where permitted)
- Sending information about products, features, or offers
- Event invitations and updates
(You can opt out at any time—see Section 10.)
To comply with legal obligations
- Tax/accounting requirements
- Responding to lawful requests
- Establishing or defending legal claims
5) OUR LAWFUL BASES (UK GDPR)
We only process personal data where we have a lawful basis under Article 6 UK GDPR. Depending on the purpose, we rely on:
Contract (Article 6(1)(b))
Processing is necessary to provide Repeat Reviews under the contract with you.
Legitimate interests (Article 6(1)(f))
Processing is necessary for our legitimate interests (e.g., running and improving our business, security, fraud prevention, service analytics), balanced against your rights. Where required, we complete legitimate interest assessments.
Legal obligation (Article 6(1)(c))
Processing is necessary to comply with legal obligations (e.g., tax requirements).
Consent (Article 6(1)(a))
Used where required—particularly for certain marketing and cookie/tracking activities. You can withdraw consent at any time.
If we ever process special category data, we will also meet an Article 9 condition (typically explicit consent, unless another condition applies).
6) CLIENT CUSTOMER DATA (PROCESSOR TERMS SUMMARY)
If you are a business customer using Repeat Reviews to contact your own customers (for example, to request reviews), you may upload or integrate customer contact data.
In that situation:
- You (our business customer) are typically the Controller of your customer data.
- We act as your Processor, processing the data on your documented instructions to provide the service.
- You are responsible for ensuring you have a lawful basis to share that customer data with us and to contact those individuals (including compliance with PECR for electronic messages where applicable).
We use sub-processors to deliver parts of the service (see Section 7) and put appropriate contracts in place where required.
7) WHO WE SHARE PERSONAL DATA WITH
We may share personal data with trusted third parties where necessary to run our services, including:
- Cloud hosting and infrastructure providers
- Analytics and performance monitoring providers
- Customer support and communications tools
- Authentication and security providers
- Payment processors (e.g., for billing)
- SMS / email delivery providers and telecommunications networks
- Integration providers you choose to connect (e.g., Google services)
We only share the minimum data necessary and require appropriate contractual protections where required.
Business transfers
If we are involved in a merger, acquisition, financing, or sale of assets, personal data may be shared as part of that transaction, subject to appropriate safeguards.
Legal disclosures
We may disclose personal data where required by law or where necessary to establish, exercise, or defend legal claims.
Sub-processor list
We may maintain a list of key sub-processors on request. Contact us at [email protected].
8) INTERNATIONAL TRANSFERS
Some of our third-party providers may process personal data outside the UK.
Where personal data is transferred outside the UK, we ensure appropriate safeguards in line with UK GDPR Chapter V (Articles 44–49), such as:
- UK adequacy regulations where applicable
- The UK International Data Transfer Agreement (IDTA) and/or UK Addendum (as applicable)
- Additional contractual and technical safeguards where appropriate
9) COOKIES AND SIMILAR TECHNOLOGIES
We use cookies and similar technologies to:
- Operate and secure the site and service
- Remember preferences
- Measure usage and improve performance
- Support marketing where permitted
Where cookies are not strictly necessary, we will seek consent where required. You can control cookies through your browser settings and, where implemented, via our cookie preferences tool.
10) MARKETING AND PECR (EMAIL/SMS)
We comply with the Privacy and Electronic Communications Regulations 2003 (PECR).
Our own marketing to you
Where we send marketing communications:
- You can opt out at any time (unsubscribe links in emails, or contact us)
- We will respect opt-out requests promptly
- We may still send non-marketing service messages necessary to administer your account
Review requests sent on behalf of our business customers
Repeat Reviews enables business customers to send review requests to their customers by SMS/email. In these cases:
- Our business customer is typically responsible for ensuring they have the correct lawful basis (including any consent requirements under PECR)
- End recipients can opt out using provided mechanisms (e.g., “STOP” for SMS where supported)
- We maintain suppression mechanisms to help prevent further messaging to opted-out numbers (except for permitted confirmations)
Mobile opt-in data
We do not sell mobile opt-in data. We use it only to deliver the service and communications as instructed by the business customer.
11) AI FEATURES
Repeat Reviews may include features powered by artificial intelligence (AI), such as suggested or automated review responses.
Where AI features are used:
- We process inputs/outputs to provide the feature
- We implement controls and safeguards appropriate to the feature
- We do not use AI to make solely automated decisions producing legal or similarly significant effects about individuals without appropriate safeguards (see Section 12)
Opt-out
If AI responses are optional, you can disable them within your account settings where available.
12) AUTOMATED DECISION-MAKING AND PROFILING
We do not generally carry out solely automated decision-making (including profiling) that produces legal effects or similarly significant effects on individuals in the sense intended by Article 22 UK GDPR.
If this position changes, we will update this policy and provide required information and safeguards.
13) HOW LONG WE KEEP PERSONAL DATA (RETENTION)
We keep personal data only as long as necessary for the purposes described in this policy, including:
- While you have an account with us
- As needed to provide the service and meet contractual obligations
- As required by law (e.g., accounting/tax retention)
- For security and dispute resolution (as reasonably necessary)
When personal data is no longer required, we securely delete it or anonymise it. Where deletion is not immediately possible (e.g., backups), we isolate it and delete it in line with our backup retention cycles.
If you want more detail on retention periods by category, contact [email protected].
14) SECURITY
We implement appropriate technical and organisational measures to protect personal data in line with Article 32 UK GDPR, including (where appropriate):
- Access controls and authentication
- Role-based access management
- Security monitoring and logging
- Encryption in transit and, where appropriate, at rest
- Supplier due diligence and contractual protections
- Operational security practices
No system can be guaranteed 100% secure. You should use strong passwords and keep account credentials confidential.
Personal data breaches
If we become aware of a personal data breach, we assess it and, where required, notify the Information Commissioner’s Office (ICO) and affected individuals in accordance with Articles 33–34 UK GDPR.
15) CHILDREN
Our services are not intended for children and we do not knowingly collect personal data from individuals under 18. If you believe a child has provided personal data to us, please contact us and we will take appropriate steps.
16) YOUR UK DATA PROTECTION RIGHTS
If you are in the UK, you have rights under the UK GDPR, including:
We may need to verify your identity before responding. We aim to respond within one month, unless the request is complex or numerous.
Complaints
If you are unhappy with how we handle your data, you have the right to complain to the UK regulator:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
(You can also contact the ICO via its website or helpline.)
17) DO NOT TRACK
Some browsers offer a “Do Not Track” setting. There is no consistent industry standard for responding to these signals, so we do not currently respond to them.
18) CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect legal, technical, or business changes. The “Last updated” date will change accordingly. If changes are material, we may provide additional notice (e.g., via the website or email).
19) HOW TO CONTACT US
If you have questions about this Privacy Policy or how we use personal data, contact: