Privacy Policy

Last Updated: December 2024

1. Overview & Roles

Partner Business ("Partner"): Collects customer data as part of providing services.

TinyReview ("we," "us"): Processes minimal data on behalf of the Partner solely to facilitate review requests.

End Customers ("you"): Individuals whose data is collected and used under this policy.

2. Information We Collect

We only receive and process the following information from the Partner:

  • Customer full name
  • Invoice date
  • Email address

This information is used strictly for sending review invitations and is not used for any other purpose.

3. Purpose Limitation & Data Minimization

We follow the principle of data minimization, processing only the minimal information needed to fulfill our purpose—sending review requests—and nothing more. We do not collect, store, or process any health-related or otherwise sensitive personal data.

4. How We Use and Then Dispose of Data

We process this data only to send the review invitation on behalf of the Partner.

Once the invitation is delivered—or after a reasonable retention period for record-keeping, whichever comes first—all data is securely destroyed or anonymized in accordance with applicable U.S. and Canadian data protection laws and best practices.

5. Consent & Legal Basis

In Canada, under PIPEDA and substantially similar provincial privacy laws, organizations must obtain meaningful consent for the collection, use, and disclosure of personal information. We rely on the Partner to secure valid consent from individuals before sharing their data with us.

In the U.S., although we do not collect health data, applicable laws still require transparent notice and consent for personal data collection. The Partner must also ensure compliance when providing us with this data.

6. Legal and Regulatory Compliance

We operate under a "processor" model, acting only on instructions from the Partner who is the "controller" of the data. The Partner remains accountable under relevant laws such as:

  • PIPEDA / Canadian provincial privacy acts for data originating in Canada.
  • U.S. federal and state data laws where applicable.

We do not become the data controller, nor are we subject to additional obligations like HIPAA, as no health-related data is processed.

7. Security Measures

We implement appropriate administrative, technical, and physical safeguards (e.g., encryption, access controls) to protect the data during processing. Once data is no longer needed, we ensure its secure destruction in compliance with privacy and data retention standards.

8. Your Rights

As the Partner—or ultimately the data subject—you (or your customers) retain rights such as:

  • Access: Right to request access to the data we processed.
  • Correction: Right to request correction of any inaccuracies.
  • Deletion: Right to request deletion of data we processed, to the extent possible before destruction.

These rights align with both PIPEDA and U.S. privacy best practices.

9. Data Breach & Notification

In the unlikely event of a data breach involving the minimal data we process:

  • Canadian incidents: We will notify the Partner and any affected individuals, as required under applicable Canadian law.
  • U.S. incidents: We will comply with any applicable federal or state breach notification laws.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When changes are made, we will revise the "Last Updated" date. Please review it periodically.

11. Contact Information

For questions about this policy or to exercise your rights, please contact: support@tinyreview.io

This Privacy Policy is designed to be transparent about our minimal data processing practices. If you have any concerns, please don't hesitate to reach out.