Privacy Policy
Effective date: 15 February 2026 · Last updated: 4 March 2026
- Who we are
- Information we collect
- How we use your information
- Lawful basis for processing
- Google API data & limited use disclosure
- AI processing
- Data sharing & third parties
- Data storage, security & international transfers
- Data retention
- Your rights
- Cookies & browser storage
- International users
- Changes to this policy
- Contact us
1. Who we are
StellarReply is a trading name of OpsLifeUK Limited, a company registered in England and Wales. We provide an AI-powered review management platform that helps local businesses respond to customer reviews efficiently and professionally.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, OpsLifeUK Limited is the data controller.
2. Information we collect
Account information
When you register for StellarReply, we collect your name, email address, and password (stored in hashed form). If you subscribe to a paid plan, billing information is collected and processed by our payment provider, Stripe.
Google Business Profile data
When you connect your Google Business Profile, we access the following data through the Google Business Profile API:
- Your business account and location information
- Customer reviews (including reviewer name, rating, review text, and date)
- Your existing review responses
We only access review-related data. We do not access or modify your business profile information, posts, photos, or any other Google Business Profile data.
Authentication tokens
When you connect your Google Business Profile, we securely store OAuth access and refresh tokens to maintain the connection. These tokens are encrypted and stored in AWS Secrets Manager with restricted access policies. You can revoke access at any time from your Connections settings or your Google Account permissions page.
Business configuration
When you configure your StellarReply account, we store your business settings including business type, description, response tone preferences, sign-off name, translation language preference, and review request link configuration (including your Google review URL, custom link slug, and link click counts).
Usage data
We collect standard technical information such as IP addresses, browser type, pages visited, and timestamps to maintain and improve our service. We also generate aggregated analytics from your review activity, including rating distributions, response rates, and review volume trends.
3. How we use your information
We use your information to:
- Provide and maintain the StellarReply service
- Display your Google reviews in our dashboard
- Generate AI-drafted responses to your reviews
- Post approved responses to Google on your behalf
- Automatically poll for new reviews when you have an active platform connection
- Translate customer reviews into your preferred language, if you enable the translation feature
- Generate branded review request links and track click counts
- Provide analytics and reporting on your review performance
- Process payments and manage your subscription
- Send transactional emails related to your account
- Improve and develop the service
We will never sell your data. We do not use your data for advertising purposes.
4. Lawful basis for processing
Under UK GDPR, we are required to identify a lawful basis for each type of data processing we carry out. The table below sets out the lawful bases we rely on:
| Data type | Lawful basis |
|---|---|
| Account information (name, email, password) | Contractual necessity — required to create and maintain your account and provide the service |
| Google Business Profile data (reviews, responses) | Consent — you explicitly connect your Google account and authorise access via OAuth |
| Business configuration (settings, preferences) | Contractual necessity — required to personalise AI responses and deliver the service as configured |
| Review request links and click tracking | Contractual necessity — a feature of the service you choose to use |
| Payment and billing data | Contractual necessity and legal obligation — required to process payments and comply with UK tax and accounting regulations |
| AI processing of review data | Contractual necessity — core functionality of the service you subscribe to |
| Translation of reviews | Contractual necessity — an optional feature you enable in your settings |
| Usage data and analytics | Legitimate interest — to maintain, secure, and improve the service. We have assessed that this processing is proportionate and does not override your rights |
| Transactional emails | Contractual necessity — to communicate essential account and service information |
Where processing is based on consent, you may withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
5. Google API data & limited use disclosure
StellarReply's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we limit our use of Google user data as follows:
- We only request access to data that is necessary to provide the review management features of our service.
- We do not use Google data for serving advertisements.
- We do not allow humans to read your Google data except where you have given affirmative consent, it is necessary for security purposes, to comply with applicable law, or for our internal operations (and even then, the data is aggregated and anonymised where possible).
- We do not transfer or sell Google user data to third parties, except as necessary to provide or improve the service, to comply with applicable law, or as part of a merger, acquisition, or asset sale with prior notice to users.
You can revoke StellarReply's access to your Google data at any time through your Google Account permissions page or from within the StellarReply settings.
6. AI processing
StellarReply uses artificial intelligence (provided by Anthropic's Claude API) to generate draft responses to your customer reviews. When a review is processed:
- The review text, rating, and your business context are sent to the AI service to generate a response.
- AI processing is carried out by Anthropic, whose servers are located in the United States. This constitutes an international transfer of personal data (see Section 8 for safeguards).
- By default, AI-generated responses are drafts that require your manual review and approval before being published.
- If you enable the Autopilot feature, AI-generated responses may be posted automatically on your behalf after an optional delay period that you configure. You can disable Autopilot at any time from your Connections settings.
- We do not use your review data to train AI models. Anthropic's API does not use input data for model training.
7. Data sharing & third parties
We share data only with the following third-party services, strictly to provide the StellarReply service:
- Google (Google Business Profile API) — to retrieve reviews and post your approved responses.
- Anthropic (Claude API) — to generate AI-drafted review responses. Anthropic processes data in the United States.
- Stripe — to process subscription payments securely. Stripe processes data in the United States.
- Amazon Web Services (AWS) — to host the application and store data securely. Our infrastructure is hosted in the United States (US-East-1 region).
- Google Cloud Translation — to translate customer reviews into your preferred language, if you enable the translation feature.
Each of these providers has its own privacy policy and data processing agreements in place. We do not share your data with any other third parties, and we will never sell your data.
8. Data storage, security & international transfers
Where your data is stored
Your data is stored on servers provided by Amazon Web Services (AWS) in the United States (US-East-1 region). Data may also be processed in the United States by our third-party service providers (Anthropic, Stripe, and Google).
International transfers
As your data is transferred from the United Kingdom to the United States, we rely on the following safeguards to ensure your data is protected in accordance with UK GDPR:
- AWS: International transfers are covered by the Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA) incorporated into the AWS Service Terms and Data Processing Addendum, which apply automatically to all AWS customers.
- Anthropic: Data sent to the Claude API for AI processing is subject to Anthropic's data processing terms and is not used for model training.
- Stripe: Payment processing is covered by Stripe's data processing agreement, which includes Standard Contractual Clauses for international transfers.
- Google: Google API data transfers are covered by Google's data processing terms and Standard Contractual Clauses.
Security measures
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest
- Hashed password storage using bcrypt
- Access controls and secrets management via AWS Secrets Manager
- OAuth tokens encrypted and stored in AWS Secrets Manager with restricted access policies
- Rate limiting on authentication and API endpoints
- Security headers (HSTS, X-Frame-Options, CSP)
- Audit logging for compliance monitoring
- Regular security reviews
While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.
9. Data retention
We retain your account information and review data for as long as your account is active.
When you delete your account through the Settings page, all your personal data, business profiles, and review data are deleted immediately and permanently. Your Stripe subscription is cancelled and your Stripe customer record is deleted automatically. A confirmation email is sent to your registered email address.
When you disconnect a platform connection, stored OAuth tokens are deleted immediately. Review data associated with that connection is retained until you delete your account.
Payment records may be retained by Stripe for up to 7 years in accordance with UK accounting and tax regulations.
10. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify any inaccurate or incomplete data
- Erase your personal data (right to be forgotten)
- Restrict processing of your data
- Port your data to another service
- Object to processing of your data
- Withdraw consent at any time where processing is based on consent
You can exercise your right to erasure and data portability directly from the Settings page in your StellarReply dashboard:
- Download my data: exports all your personal data, business profiles, and review history as a machine-readable JSON file.
- Delete my account: permanently removes all your data and cancels your subscription instantly.
For any other data rights requests, please contact us at the details below. We will respond to your request within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully.
11. Cookies & browser storage
StellarReply uses only essential browser storage required for the service to function. This includes:
- Local storage: We store an authentication token in your browser's local storage to keep you signed in between visits. This token is removed when you log out or delete your account.
- Cookie consent preference: We store your cookie consent choice so you are not asked repeatedly.
We do not use tracking cookies, analytics cookies, or third-party advertising cookies. We do not use any browser storage for profiling, behavioural tracking, or advertising purposes.
12. International users
StellarReply is operated by OpsLifeUK Limited, a company registered in England and Wales. Regardless of where you access the service from, your relationship is with OpsLifeUK Limited and your use of the service is governed by English law.
If you are located outside the United Kingdom, please be aware that your data will be transferred to and processed in the United States, where our infrastructure is hosted. By using StellarReply, you acknowledge this transfer. We ensure that appropriate safeguards are in place as described in Section 8 of this policy.
If you are located within the European Economic Area (EEA), you benefit from the same rights and protections described in Section 10, as UK GDPR provides equivalent protections to EU GDPR.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice within the application. Your continued use of the service after any changes constitutes acceptance of the updated policy.
14. Contact us
If you have any questions about this Privacy Policy or how we handle your data, please get in touch: