Privacy Policy

From business owners (account holders): your name, email address, password (stored as a salted hash, never in plain text) or Google account identifier, business details (name, category, address, branding, Google review link), team member invites, and billing information processed via Razorpay (we never receive or store your full card number).

From customers using a review page: the star rating and answers they choose to give, an optional name and phone number if they provide one, an optional voice recording (sent to Google Speech-to-Text for transcription and not retained by us beyond generating the transcript), and the resulting AI-drafted review text. Customers are not required to create an account or log in.

Automatically:basic technical data such as IP address, device/browser type, and QR-scan timestamps, used for analytics, fraud prevention, and rate-limiting (see "Cookies and local storage" below).

• To create and manage accounts, authenticate logins, and provide the dashboard;
• To generate QR codes, collect feedback, and produce AI-drafted review suggestions;
• To run analytics (ratings trends, sentiment, topic insights) for business owners;
• To process payments, manage subscriptions, and send billing receipts;
• To send transactional emails (password resets, team invites, billing notices);
• To detect abuse, enforce rate limits, and keep the Service secure and reliable;
• To respond to support requests and improve the Service over time.

We do not sell your personal information, and we do not use customer review content to train third-party foundation models.

We share information with the service providers that power Crocko, strictly to operate the Service on our behalf:

• Google — Vertex AI / Gemini (review drafting, sentiment analysis, insights, reply suggestions), Speech-to-Text (voice transcription), Places API (business search), and Google Sign-In (authentication);
• Razorpay — payment processing for paid subscriptions;
• Resend — transactional email delivery (password resets, invites, receipts);
• MongoDB Atlas (or our database host) — secure storage of account and business data.

We may also disclose information if required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets — in which case we'll make reasonable efforts to notify affected users.

We use essential cookies/local storage to keep you signed in (an authentication token) and to remember in-progress review sessions on customer-facing pages (so refreshing mid-flow doesn't lose your answers). We don't use third-party advertising trackers. You can clear these at any time via your browser settings, though doing so will sign you out or reset an in-progress review session.

We keep account and business data for as long as your account is active. Customer review submissions are retained by the business owner's account so they can manage their reputation and analytics over time. Voice recordings are processed in memory for transcription and are not stored after the transcript is produced. Password reset tokens expire after 15 minutes and are deleted once used or expired.

You can review and update your profile and business details at any time from your dashboard. You can permanently delete your account from Account settings — this immediately and irreversibly removes your business profile, reviews, QR scan history, team members, locations, and billing history from our systems.

Depending on where you live, you may also have rights to access, correct, or export your personal data, or to object to certain processing. To exercise any of these rights, contact us at the email below and we'll respond within a reasonable time.

We use industry-standard measures to protect your data — passwords are hashed with bcrypt, payment signatures are verified with HMAC and timing-safe comparison, traffic is encrypted in transit, and access to production systems is restricted. No method of transmission or storage is 100% secure, but we work to keep your information safe and to respond quickly if something goes wrong.

The Service is intended for business owners aged 18 and over. We don't knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we'll remove it.

We may update this Privacy Policy from time to time. If we make material changes, we'll notify you (for example, by email or an in-app notice) before they take effect. The "Last updated" date above always reflects the latest version.

Questions about this policy or your data? Reach us at hello@crocko.app.