Privacy policy
Review Tomato is a Shopify app that handles product reviews on behalf of merchants. This policy explains what data we collect, how we use it, and how we protect it.
What we collect
- Merchant data: store URL, store name, contact email, plan tier, app settings.
- Customer data: review content (rating, text, photos, customer name, customer email if provided), order ID for verified-buyer matching, IP hash for spam prevention.
- Usage data: page views inside the embedded admin app, feature usage (no PII).
What we do with it
- Display reviews on your storefront via the app proxy.
- Send review-request emails on your behalf via Resend.
- Generate AI summaries / reply suggestions via Anthropic. Your data is never used to train Anthropic's models.
- Aggregate anonymous usage statistics to improve the product.
How we protect it
- All data is encrypted in transit (TLS 1.3) and at rest (Supabase encrypted-at-rest).
- OAuth tokens stored only in encrypted Prisma session storage.
- Spam-prevention IP hashes are salted SHA-256; no raw IPs are stored.
- GDPR webhooks honored: customers/data_request, customers/redact, shop/redact.
Your rights
You can request a data export, request deletion, or revoke access at any time by emailing privacy@review-tomato.com. We respond within 72 hours.
Full GDPR / CCPA / DPA documentation available at /dpa. For Shopify-related compliance, see Shopify's Privacy and Data Protection policy.