Privacy Policy
How we collect, use, and protect your personal data when you use Reviewax.
1. About this policy
This Privacy Policy explains how Orixo Ltd (“we”, “us”, “our”), trading as Reviewax, collects, uses, shares, and protects personal data when you visit our website at reviewax.com or use the Reviewax service (the “Service”).
We act as a data controller for the personal data of our customers (the businesses subscribing to Reviewax) and as a data processor for the end-customer contact details our customers upload to send review requests on their behalf.
We collect only what we need to deliver the Service, we never sell your data, and you can exercise your privacy rights at any time by emailing privacy@reviewax.com.
2. Who we are
Orixo Ltd is a private limited company registered in England and Wales.
- Company number: 17067073
- Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
- Trading name: Reviewax
- General contact: hello@reviewax.com
- Privacy contact: privacy@reviewax.com
For UK GDPR purposes, our supervisory authority is the Information Commissioner’s Office (ICO).
3. Personal data we collect
3.1 Information you provide directly
- Account data: name, business name, email address, password (hashed), country.
- Billing data: billing address, VAT number where applicable, last four digits of payment card. Full card numbers are processed exclusively by our payment provider Stripe and never stored on our servers.
- Communications: messages you send us via email, chat, or support tickets.
3.2 Information you upload as a customer
When using the Service to send review requests, you upload contact details of your own customers (“end-customers”): typically first name and mobile phone number. We process this data on your behalf as a processor; you remain the controller of that data and are responsible for the lawful basis to share it with us.
3.3 Information collected automatically
- Usage data: pages visited, features used, IP address, browser type, device, language, timestamps.
- Cookies and similar technologies: see our Cookie Policy.
- Service logs: WhatsApp message delivery status, review submission events, error logs.
4. How we use your data
We use personal data for the following purposes:
- To deliver the Service — create and manage your account, send review requests via WhatsApp, track review submissions, generate analytics dashboards.
- To process payments — charge your subscription, issue invoices, handle refunds via Stripe.
- To communicate with you — service notifications, security alerts, support responses, product updates.
- To improve the Service — analyse usage patterns, fix bugs, develop new features.
- For marketing (optional, with consent) — send newsletters, growth tips, product announcements. You can unsubscribe at any time.
- To comply with the law — tax, accounting, anti-fraud, and legal obligations.
- To protect our rights — detect abuse, enforce our Terms, defend against legal claims.
5. Legal bases for processing (GDPR)
Under the UK GDPR and EU GDPR, we rely on the following lawful bases:
| Purpose | Legal basis |
|---|---|
| Providing the Service to you | Performance of contract (Art. 6(1)(b)) |
| Billing and tax compliance | Legal obligation (Art. 6(1)(c)) |
| Service improvement, analytics, security | Legitimate interests (Art. 6(1)(f)) |
| Marketing emails to non-customers | Consent (Art. 6(1)(a)) |
| Sending review requests to end-customers | Processed on behalf of our customer (you are the controller) |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights. You have the right to object to such processing.
6. Who we share your data with
We do not sell personal data. We share data only with the following categories of recipients, under contracts requiring them to protect it:
- Service providers (sub-processors): infrastructure, email, payments, analytics, customer support — see the table below.
- Professional advisors: lawyers, accountants, auditors, when needed.
- Authorities: when legally required (court order, regulator request).
- In a corporate transaction: if Orixo Ltd is sold, merged, or restructured, your data may be transferred under equivalent privacy protections.
Current sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | Ireland / USA |
| Meta Platforms | WhatsApp Cloud API | Ireland / USA |
| Google | Business Profile API, analytics | Ireland / USA |
| Supabase | Database hosting | EU (Frankfurt) |
| Cloudflare | CDN, DDoS protection | Global edge |
| Postmark | Transactional email | USA |
7. International data transfers
Some of our sub-processors are located outside the UK and EEA, including in the United States. When we transfer personal data outside these jurisdictions, we use one of the following safeguards required by UK and EU law:
- Standard Contractual Clauses (SCCs) approved by the European Commission and the UK’s International Data Transfer Agreement (IDTA).
- Adequacy decisions where they apply (e.g. EU-US Data Privacy Framework for certified US providers).
- Transfer impact assessments documenting additional measures where appropriate.
You can request a copy of the safeguards in place by emailing privacy@reviewax.com.
8. How long we keep your data
| Data type | Retention period |
|---|---|
| Active account data | For the life of your account |
| Account data after closure | 30 days, then deleted or fully anonymised |
| Billing and invoicing records | 6 years (UK accounting law) |
| End-customer contact lists you upload | Deleted within 30 days after campaign completion or account closure |
| Service logs | 12 months |
| Marketing email subscribers | Until you unsubscribe |
9. Your rights under GDPR
You have the following rights regarding your personal data:
- Access — obtain a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — request deletion of your data.
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Lodge a complaint with your supervisory authority. In the UK: ico.org.uk. In the EU: your national data protection authority.
To exercise any of these rights, email privacy@reviewax.com. We will respond within one month and may extend by two months for complex requests, in accordance with GDPR.
10. California privacy rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- The right to know what personal information we collect, use, share, or sell.
- The right to delete personal information we collected from you.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of personal information.
- The right to non-discrimination for exercising your rights.
We do not sell personal information as defined under California law. We do not knowingly collect or sell personal information of consumers under 16. To exercise your California rights, email privacy@reviewax.com with subject line “California Privacy Request”.
11. Children’s privacy
Reviewax is not directed to or intended for use by anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@reviewax.com and we will delete it promptly.
12. Security
We implement technical and organisational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Hashed passwords (bcrypt with salt).
- Role-based access controls and least-privilege principles.
- Regular backups and disaster recovery testing.
- Sub-processor due diligence and contractual data protection clauses.
- Vulnerability monitoring and timely patching.
No system is 100% secure. If you suspect a data breach, contact security@reviewax.com immediately. We notify affected users and the relevant supervisory authority within 72 hours when legally required.
13. Cookies and similar technologies
We use cookies and similar technologies to operate, secure, and improve the Service. For full details including cookie names, purposes, and how to manage them, please read our Cookie Policy.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of the page. For material changes, we will notify you by email or through the Service at least 14 days before they take effect.
15. How to contact us
Privacy questions?
Email privacy@reviewax.com for any privacy-related request, including access, deletion, or to exercise any of your rights.
For all other inquiries: hello@reviewax.com
Orixo Ltd · 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ · Company number 17067073