Privacy & Compliance

What data we collect

• User account information (email, name, password - hashed)
• Shop information (name, phone, address, Google review URL)
• Customer contact information (names, phone numbers, email addresses, service dates)
• Invite event data (sent timestamps, clicked timestamps)
• Review statistics (manually entered review counts)

How we use your data

• Sending review invites to your customers via SMS and email
• Displaying analytics and performance metrics in your dashboard
• Billing and subscription management
• Customer support and troubleshooting
• Product improvements (aggregated and anonymized data only)

Third-party processors

We share data with the following trusted service providers:

• Supabase: Database hosting and authentication
• Stripe: Payment processing and subscription management
• Twilio: SMS message delivery
• Email service providers: Email delivery (Postmark, SendGrid, or similar)
• n8n: Workflow automation execution

Data security

• All data transmitted over HTTPS/TLS encryption
• Passwords are hashed using industry-standard bcrypt
• Database encryption at rest via Supabase
• Row Level Security (RLS) ensures data isolation between shops
• Regular security audits and updates

Your data rights

• Access: View all your data through the dashboard
• Correction: Edit inaccurate data via account settings
• Deletion: Request account deletion (contact support)
• Portability: Export your data in CSV format

Data retention

We retain your data as long as your account is active. After account deletion, we retain minimal data for legal and accounting purposes (up to 7 years) and securely delete all other data within 90 days.

SMS compliance (TCPA, CTIA)

• All SMS messages include "Reply STOP to stop" opt-out language
• Shop owners must have prior consent to contact customers
• Messages are only sent to actual service customers, not purchased lists
• STOP requests are honored immediately and maintained in an opt-out list
• Messages are sent during reasonable hours (8am-9pm local time)
• All messages clearly identify the sending shop

Email compliance (CAN-SPAM Act)

• Accurate "From" name (shop name) and valid reply-to address
• Clear subject lines that indicate the message purpose
• Unsubscribe mechanism in every email
• Physical shop address included in email footer
• Unsubscribe requests honored within 10 business days

Consent requirements

During signup, shop owners confirm they have permission to contact the customers they upload. DieselLocal is designed for contacting actual service customers with whom you have an existing business relationship—not for cold outreach or purchased lists.

✅ What we allow

• Asking customers for honest reviews
• Sending review links to all customers equally
• Using Google's official "Write a review" links
• Tracking that an invite was sent and clicked (no Google API required)

❌ What we prohibit

• Review gating: Only asking "happy" customers for reviews
• Incentives: Offering discounts, gifts, or rewards for reviews
• Selective requesting: Asking only for 5-star reviews
• Fake reviews: Creating or soliciting fake reviews
• Manipulation: Any deceptive practices to inflate ratings

Template compliance

All review invite templates in DieselLocal request "honest" feedback. We validate templates to ensure they don't contain prohibited language like incentives or 5-star requests. Shop owners can customize templates, but compliance checks prevent rule violations.

No Google API (Tier 1)

Tier 1 does not use Google's APIs, which eliminates API compliance complexity. We use only publicly-available review links and simple tracking. Future tiers may integrate Google Business Profile API with proper OAuth and permissions.

GDPR (European Union)

If your shop serves EU customers, we comply with GDPR requirements:

• Clear legal basis for processing (consent or legitimate interest)
• Transparent privacy policy explaining data usage
• Data processing agreements with all third-party processors
• Right to erasure ("right to be forgotten")
• Data portability (export customer data)
• Breach notification within 72 hours if required

CCPA (California, USA)

We comply with California Consumer Privacy Act requirements:

• Clear disclosure of data collection and use
• Right to know what data we collect
• Right to delete personal data
• Right to opt-out of data sale (we don't sell data)

Data sale prohibition

We do NOT sell customer data. Your customer information is never sold, rented, or shared for marketing purposes. Third-party processors only access data necessary to provide services (sending messages, processing payments, etc.).