Voice Note Reviews

Privacy Policy

Last Updated: March 23, 2026

1. Information We Collect

From Merchants (Store Owners)

• Store Information: Shopify store name, domain, email address
• Authentication: OAuth tokens (provided by Shopify for app access)
• Preferences: Widget customisation settings, notification preferences
• Billing: Subscription plan selection (payment processing handled entirely by Shopify)

From Customers (Review Submitters)

• Voice Recordings: Audio recordings of customer reviews in WebM format, up to 60 seconds in duration (with consent)
• Rating: Star rating (1–5)
• Optional Information: Name and email address (only if voluntarily provided)
• Technical Data: Recording duration, submission timestamp, browser type

Automatically Collected

• Usage Data: Feature usage patterns, dashboard interactions
• Technical Data: IP address, browser type, device information
• Performance Data: Error logs, load times (for service improvement)

2. How We Use Your Information

Primary Purposes

• Provide the Service: Store, transcribe, and analyse voice reviews
• Transcription: Convert audio to text using AWS Transcribe (best-effort accuracy)
• Sentiment Analysis: Analyse review sentiment using AWS Comprehend
• Dashboard: Display reviews, analytics, and insights to merchants
• Notifications: Alert merchants about new reviews
• Merchant Display: Merchants may choose to display customer reviews publicly on their storefront or in marketing materials, subject to our Responsible Display guidelines and with appropriate customer consent (see Section 3)

Secondary Purposes

• Service Improvement: Improve functionality and user experience
• Support: Respond to merchant enquiries and troubleshoot issues
• Security: Detect and prevent fraud or abuse
• Legal: Comply with legal obligations
• VNR Testimonials: With merchant consent, we may feature anonymised or approved merchant experiences in our own marketing materials, case studies, or App Store listing (see our Terms of Service for details)

3. Consent for Voice Recording

How We Obtain Consent

Before any audio recording begins, customers must actively opt in via our review widget. The widget clearly displays an inline privacy notice stating that audio will be recorded and shared with the store, and provides a link to this privacy policy. Recording only begins after the customer voluntarily taps the record button, which constitutes informed consent through deliberate action. Customers can close the widget or choose not to record at any time.

Private Use vs Public Display

The standard consent obtained through our widget covers the merchant's private use of the recording — that is, viewing and listening to it within their dashboard, using it to improve their products and services, and internal analysis. If a merchant wishes to display a customer's voice recording publicly (for example, as a testimonial on their storefront, in advertising, or on social media), the merchant is responsible for obtaining additional consent from the customer before doing so. We require merchants to follow our Responsible Display of Customer Reviews guidelines set out in our Terms of Service.

Revoking Consent

Customers may revoke consent and request deletion of their recordings at any time by contacting the merchant directly or by emailing us at info@voicenotereviews.net. If a customer's review has been publicly displayed by a merchant, the customer may also request that the merchant remove the public display; merchants are required to comply within 7 days (see our Terms of Service).

4. Data Storage and Security

Storage Locations

Data Type	Service	Region
Audio files	Amazon S3	Sydney, Australia (ap-southeast-2)
Transcriptions & metadata	MongoDB Atlas	Australia (default)
Sentiment analysis	AWS Comprehend	Singapore (ap-southeast-1)
Application server	Heroku	United States

Note: While our application server is hosted in the United States, customer audio files and review data are stored in the Australian region. The US-hosted server processes API requests and serves the merchant dashboard; audio and personal data are encrypted in transit and are not permanently stored on the application server.

Security Measures

• Encryption in Transit: All data transferred using HTTPS/TLS 1.2+
• Encryption at Rest: Audio files and database encrypted at rest
• Access Controls: Role-based access control and authentication
• API Security: Secure OAuth authentication with Shopify
• Webhook Verification: HMAC signature verification for all webhooks
• Regular Updates: Security patches and monitoring
• Backups: Regular automated backups with encryption

5. Third-Party Services

Amazon Web Services (AWS)

• S3 (Sydney): Secure audio file storage
• Transcribe (Sydney): Audio-to-text transcription — best-effort accuracy, audio not permanently stored after processing
• Comprehend (Singapore): Natural language processing for sentiment analysis

AWS Privacy Policy: aws.amazon.com/privacy

MongoDB Atlas

Database hosting for review metadata, transcriptions, and settings.

MongoDB Privacy Policy: mongodb.com/legal/privacy-policy

Shopify

App platform, merchant authentication, and billing.

Shopify Privacy Policy: shopify.com/legal/privacy

Heroku (Salesforce)

Application hosting and infrastructure.

Heroku Privacy Policy: salesforce.com/company/privacy

6. Data Sharing and Disclosure

We do not sell your personal information. We may share data only in the following circumstances:

Normal Business Operations

• With Merchants: Customer voice reviews are shared with the merchant whose products are being reviewed. Merchants own the customer reviews submitted about their products.
• Service Providers: AWS, MongoDB, Heroku under strict confidentiality agreements

Legal Requirements

• When required by law, court order, or government request
• To protect our rights, property, or safety, or that of our users
• To detect, prevent, or address fraud, security, or technical issues

Business Transfers

In connection with a merger, acquisition, or sale of assets, with notice to affected users.

7. Data Ownership and Control

Merchant Rights

Merchants own the customer reviews submitted about their products, including audio recordings, transcriptions, ratings, metadata, and sentiment analysis results.

Customer Rights

Customers retain the right to request access to their reviews, request deletion of their reviews, and withdraw consent. Customer requests should be directed to the merchant first, as they own the review data. We will cooperate with valid requests.

8. Data Retention

Active Merchants

• Review Data: Retained while the merchant's account is active
• Shop Settings: Retained while app is installed
• Usage Analytics: Retained for 12 months

After Uninstallation

• Export Reminder: We will send you a reminder email 7 days before scheduled data deletion, giving you a final opportunity to export your data
• All Merchant Data: Deleted within 30 days of app uninstall
• Audio Files: Permanently deleted from S3 within 30 days
• Database Records: Purged within 30 days
• Backup Data: Deleted from backups within 90 days
• Irreversible: Once data is deleted, it cannot be recovered. Please ensure you have exported any data you wish to keep before uninstalling.

Legal Holds

Data may be retained longer if required by legal obligation, active dispute, or fraud prevention.

9. Your Rights and Choices

For Merchants

• Access: View all data about your store through the dashboard
• Export: Download your review data in CSV format (metadata and transcriptions) or as a ZIP archive including original audio files in WebM format. Exports are available at any time from the dashboard while your account is active.
• Delete: Request deletion of all data by uninstalling the app or contacting us
• Modify: Update settings, preferences, and widget configuration anytime
• Port: Export your data to transfer to another service. Audio files are provided in their original WebM format; transcriptions and metadata are provided in CSV, a widely supported open format.

For Customers

• Access: Request a copy of your reviews by contacting the merchant or us
• Delete: Request deletion of your reviews by contacting the merchant or emailing info@voicenotereviews.net
• Opt-out: Choose not to provide optional information (name, email)
• Decline Recording: Choose not to record a voice review at any time

How to Exercise Your Rights

Email info@voicenotereviews.net. We will respond within 30 days (or sooner as required by applicable law).

10. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA) or UK, you have additional rights under the General Data Protection Regulation (GDPR):

Your GDPR Rights

• Right to Access: Obtain confirmation of data processing and access your data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restriction: Request restriction of processing under certain conditions
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing of your data for certain purposes
• Right to Withdraw Consent: Withdraw consent at any time (doesn't affect prior processing)
• Right to Lodge a Complaint: File a complaint with your local data protection authority

Legal Basis for Processing

Data Type	Legal Basis
Audio recordings from customers	Explicit consent
Merchant account data	Contract performance
Usage analytics	Legitimate interests
Security logs	Legitimate interests

Data Protection Enquiries

For GDPR-specific enquiries, contact: info@voicenotereviews.net

11. California Privacy Rights (CCPA)

California residents have specific rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information collected
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of the sale of personal information (we don't sell data)
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights

Categories of Information Collected

Identifiers (email, IP address), commercial information (reviews, ratings), audio/electronic information (voice recordings), and internet activity (usage data).

We do not sell personal information and have not sold personal information in the past 12 months.

12. Australian Privacy Principles (APP)

For Australian users, we comply with the Privacy Act 1988 and the Australian Privacy Principles:

Data Location

• Primary Storage: AWS Sydney region (Australia)
• Overseas Disclosure: Data may be processed in Singapore (AWS Comprehend) and the US (Heroku) with appropriate safeguards

Complaints

Complaints can be made to us at info@voicenotereviews.net or to the Office of the Australian Information Commissioner at www.oaic.gov.au.

13. Children's Privacy

Our service is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children. If we discover that we have collected data from a child under the applicable age, we will delete the information immediately and notify the merchant.

Parents or guardians who believe we may have collected information from a child should contact us immediately at info@voicenotereviews.net.

14. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses: EU-approved clauses for transfers from EEA
• Data Processing Agreements: With all service providers
• Adequacy Decisions: Where applicable

Countries Where Data May Be Processed

• Australia (primary storage — Sydney region)
• Singapore (sentiment analysis — AWS Comprehend)
• United States (application hosting — Heroku)

15. Cookies and Tracking

We use minimal cookies and tracking technologies:

Essential Cookies (Required)

Authentication (merchant login sessions), security (CSRF protection tokens), and preferences (language and display settings).

Analytics (Optional)

Usage analytics to understand app usage patterns and performance monitoring to identify errors. You can control cookies through your browser settings or dashboard preferences. We honour Do Not Track signals.

16. Data Breach Notification

In the event of a data breach affecting your personal information, we will:

• Assess: Evaluate scope and severity within 24 hours
• Contain: Take immediate steps to contain and remediate the breach
• Notify Users: Notify affected users within 72 hours of discovery
• Notify Authorities: Notify relevant data protection authorities as required by law
• Document: Document the breach and our response

17. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you via a dashboard notice, email to registered merchant accounts, updated "Last Updated" date, and 30 days advance notice for significant changes. Continued use of the app after changes constitutes acceptance.

18. Data Processing Agreement (DPA)

For merchants processing personal data of EU residents, we act as a data processor. A Data Processing Agreement is available upon request covering data processing instructions, security measures, sub-processor details, and data subject rights procedures. Contact us at info@voicenotereviews.net to request a DPA.