Privacy, explained simply
Cedric helps businesses monitor and respond to reviews, and request new ones. We collect only what we need to run the service, you stay in control of your access, and we don't sell your data or train AI on it.
Cedric is not endorsed by or affiliated with Google. Google is a trademark of Google LLC.
Last updated: 7 June 2026
What we collect
Account details, connected locations, review data you authorise via OAuth, contacts you use for campaigns, and your Cedric settings.
What we don't do
We don't sell or share personal information. We don't store platform passwords (OAuth only). We don't use your data to train AI, and we don't use tracking cookies.
Your control
Revoke access any time, export or delete your data, and exercise your rights under the Privacy Act, GDPR/UK GDPR, and CCPA/CPRA.
Who we are
This policy explains how Cedric ("we", "us", "our") collects, uses, and protects personal information. "You" includes business customers, authorised users on your account, website visitors, and — where we process review or contact data on a customer's behalf — the individuals that data is about.
Cedric is operated by its registered Australian entity (ABN 63 217 095 546). For account, billing, and website data we are the data controller. For most personal information you connect or upload to run the service (reviews and campaign contacts), our business customer is the controller and Cedric acts as a processor on their behalf.
Privacy contact: privacy@trycedric.com. Security reports: security@trycedric.com.
What we collect
We collect information in the following categories:
About you (our customer and your users)
- Name, email, business name, role/permissions, and billing contact details.
- Authentication data: a hashed password, whether two-factor authentication is enabled, and verification/reset tokens.
- Security logs: IP address and browser/device (user-agent) recorded at sign-in and during two-factor challenges.
Service data you connect or create
- Connected locations and the reviews and ratings synced from connected platforms — including the review text and the reviewer's display name as published on the platform.
- Reply drafts, posting status, and audit history.
- Configuration: tone, templates, thresholds, escalation keywords, and automation rules.
Your customers' contact details (for review-request campaigns)
- Contact lists you import, upload, or paste — first/last name, email address, and phone number.
- Campaign engagement (sent, delivered, opened, clicked) and unsubscribe/suppression status.
- You provide this data and remain responsible for having a lawful basis to share it with us — see "Review-request campaigns" below.
Website & device data
- A strictly-necessary session cookie and OAuth-state cookie, your IP address, browser type, and pages requested — used for security, reliability, and performance.
- We do not currently use analytics, advertising, or tracking cookies. See "Cookies" below.
How we collect it
- Directly from you when you sign up, configure settings, or contact support.
- From connected platforms (such as Google Business Profile) when you connect via OAuth.
- From the contact lists you import or paste to run review-request campaigns.
- Automatically via strictly-necessary cookies and server logs when you use our site.
Why we use it, and our legal bases
We use information to provide Cedric, keep it secure, and meet our legal obligations. Typical purposes include fetching reviews, generating AI reply drafts, publishing replies you authorise, sending the campaigns you configure, reporting, support, billing, and fraud/abuse prevention.
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to provide the service to you and your users.
- Legitimate interests — to secure the service, prevent fraud and abuse, maintain audit history, and improve Cedric using aggregated, de-identified insights, balanced against your rights.
- Consent — for non-essential communications and any processing you specifically opt into; you can withdraw consent at any time.
- Legal obligation — to meet tax, accounting, and lawful-request requirements.
Where we act as a processor on a customer's behalf (review and campaign-contact data), that customer is responsible for establishing the legal basis for the processing; we process the data under their instructions and our agreement.
If you're in Australia, we handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Google data & OAuth access
Cedric connects to Google Business Profile using OAuth. That means:
- We do not ask for or store your Google password.
- We request the business.manage scope, which allows us to read your business reviews and post replies on your behalf.
- You can revoke access at any time in your Google Account settings.
If we store tokens to keep the integration running, we store them securely (encrypted at rest with AES-256-GCM) and only use them to provide the features you enabled.
Google API Services Limited Use Disclosure
Cedric's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We do not use Google data to serve advertisements.
- We do not transfer Google data to third parties except as needed to provide user-facing features of Cedric, or as required by law.
- We do not allow humans to read Google user data without your explicit consent, except for security purposes, to comply with law, or to investigate abuse.
- We do not use Google user data to train generalised AI or machine learning models.
Note: Google is a third-party service. Cedric is not endorsed by or affiliated with Google.
AI processing & data use
Cedric uses Anthropic's Claude API (a third-party AI provider in the United States) to generate review reply suggestions and to extract topics and sentiment. When you use AI features, we send the following to Anthropic for processing:
- The review text, star rating, review date, and the reviewer's display name as published on the platform.
- Your business and location name, brand-voice settings, tone presets, and example approved replies.
- Extracted topics and, where relevant, prior public reviews by the same author so replies stay consistent.
Our commitments:
- Anthropic's API terms state that data submitted via the API is not used to train their models. We rely on this and do not consent to training.
- We do not use your review data, your campaign contacts, or any Google user data to train generalised AI or machine-learning models.
- AI output is a suggestion. Replies are generated under human-in-the-loop control — nothing is posted by AI except within the Autopilot rules you configure, and you remain responsible for posted content.
- We do not make decisions producing legal or similarly significant effects about any individual solely by automated means.
Review-request campaigns & your customers' data
If you use Cedric's review-request campaigns, you can provide contact lists and we will send review-request emails to those contacts on your behalf. In this context:
- You are the controller of your contact data; Cedric is your processor and sends only on your instruction.
- You confirm you have the right, and any consent required by law, to contact each recipient, and that doing so complies with applicable law (for example the Spam Act 2003 (Cth) in Australia, CAN-SPAM in the US, CASL in Canada, and the GDPR/PECR in the EU/UK).
- Every campaign email identifies the sending business and includes a working unsubscribe link. We honour unsubscribes and maintain a suppression list so opted-out contacts are not re-contacted.
- We do not sell, rent, or use your contact lists for our own marketing — only to deliver the campaigns you configure.
Campaigns are currently sent by email only. If we add other channels (such as SMS) in future, additional consent and compliance requirements will apply.
Sharing and sub-processors
We share data only with the service providers needed to run Cedric, under contracts that require them to protect it and use it only to provide their service to us. Our current sub-processors are:
- Vercel (hosting, serverless functions), United States / global edge.
- Managed PostgreSQL database provider (data storage at rest), United States.
- Prisma Data Platform / Accelerate (database connection pooling), United States.
- Anthropic / Claude (AI reply generation), United States.
- Stripe (payment processing), United States. We do not store full card details.
- Resend (transactional and review-request campaign email), United States.
- Google (review sync and reply posting via OAuth), your Google account / Google infrastructure.
A current, detailed list, including what each provider processes and where, is published on our Sub-processors page.
We may also disclose data when required by law, or to protect the rights, safety, and security of our users and the service. If we are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to this policy.
We do not sell personal information, and we do not share it for cross-context behavioural advertising (as those terms are defined under the CCPA/CPRA).
International transfers
Our sub-processors are primarily located in the United States. Where personal information is transferred outside your country, we put in place safeguards appropriate to the transfer, including:
- For Australia: reasonable steps to ensure overseas recipients handle the data consistently with the Australian Privacy Principles (APP 8).
- For the EU/UK: Standard Contractual Clauses (and the UK International Data Transfer Addendum), or reliance on an adequacy decision, together with technical measures such as encryption.
- Encryption of data in transit (TLS) and at rest, and regular review of sub-processor security practices.
By using Cedric, you acknowledge that your personal information may be processed in these countries for the purposes described in this policy.
Security
We use safeguards designed to protect information, including access controls, least-privilege permissions, encryption in transit (TLS) and at rest (AES-256-GCM for sensitive tokens), organisation-level tenant isolation, and monitoring.
No method of transmission or storage is 100% secure, but we work to minimise risk.
Data retention
We retain information for specific periods based on its purpose:
- Account data: retained for the life of your account, then deleted within 90 days of account closure.
- Review data: synced from connected platforms and retained while your account is active. Deleted within 90 days of account closure.
- Campaign contact data: retained while your account is active or until you delete the list; we keep the minimum suppression record needed to honour an unsubscribe.
- Billing records: retained for 7 years to comply with Australian tax law requirements.
- Server logs: retained for up to 90 days.
- Audit logs: retained according to your plan (30 days on Starter, 12 months on Pro, and for the life of the account on Multi).
- Backups: purged within 30 days of primary data deletion.
Your rights & account management
Depending on where you live, you have rights over your personal information. We honour requests from individuals directly and, where we act as a processor, we will forward the request to the relevant customer (controller) and assist them in responding.
Everyone
- Access a copy of your information, ask us to correct it, ask us to delete it, and opt out of non-essential communications.
EU / UK (GDPR and UK GDPR)
- Access, rectification, erasure, restriction, data portability, objection (including to processing based on legitimate interests), and the right to withdraw consent.
- The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
- The right to lodge a complaint with your supervisory authority.
California (CCPA/CPRA)
- The right to know what we collect and why, to access and delete it, and to correct it.
- The right to opt out of the sale or sharing of personal information — we do not sell or share it — and to limit the use of sensitive personal information, which we do not use for those purposes.
- The right not to be discriminated against for exercising your rights, and to use an authorised agent. Under California's "Shine the Light" law, we do not disclose personal information to third parties for their own direct marketing.
How to make a request, and account deletion
- Email privacy@trycedric.com. We verify your identity before acting. Reviews and audit logs can also be exported from your dashboard at any time.
- To delete your account and associated data, email privacy@trycedric.com; we complete the deletion within 30 days, subject to the retention periods above.
- You may request a copy of your data before deletion.
- Google OAuth access can be revoked independently in your Google Account settings at any time.
To make any privacy request, email privacy@trycedric.com.
Cookies & tracking
Cedric uses only strictly-necessary cookies — the ones required to sign you in and keep the service secure:
- cedric_session — your authenticated session (HTTP-only, so it cannot be read by JavaScript).
- cedric_oauth_state — a short-lived value that protects against cross-site request forgery while you connect a platform.
- A short-lived two-factor cookie when you use email-based two-factor authentication.
We do not currently use analytics, advertising, or cross-site tracking cookies, so no cookie-consent banner is required to use Cedric. If we introduce non-essential cookies in future, we will update this policy and, where required, ask for your consent first. You can block cookies in your browser, but sign-in will not work without the session cookie.
Direct marketing & communications
We may send you (our customer and your users) product updates, feature announcements, and tips to help you get the most from Cedric. These are separate from the review-request campaigns you send to your own customers. You can opt out of non-essential communications at any time by:
- Clicking the unsubscribe link included in every marketing email.
- Emailing privacy@trycedric.com with your opt-out request.
You cannot opt out of essential service communications (security alerts, billing notifications, and critical account updates) while your account is active.
Children's privacy
Cedric is a business tool and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact privacy@trycedric.com and we will delete it.
Multi-location accounts & data roles
For customers on plans that support multiple locations, the account holder (the business or organisation) is the data controller for review and contact data across all connected locations. Cedric acts as a data processor, processing that data on the account holder's behalf and according to these terms.
If you are a franchise or multi-brand operator, please ensure you have appropriate authority to connect and manage reviews, and to run campaigns, for all locations under your account.
Data breach notification
If we become aware of an eligible data breach that is likely to result in serious harm, we will:
- Notify affected users (or, where we are a processor, the relevant customer) as soon as practicable after completing our assessment.
- Notify the Office of the Australian Information Commissioner (OAIC) as required under Part IIIC of the Privacy Act 1988, and — where the GDPR or UK GDPR applies — the relevant supervisory authority without undue delay and, where feasible, within 72 hours.
- Provide details of the breach, the type of information involved, and recommended steps you should take.
If you suspect a data breach or security incident involving Cedric, please report it immediately to security@trycedric.com.
Complaints
If you have concerns, contact us first and we'll work to resolve them quickly: privacy@trycedric.com.
If you're in Australia and not satisfied, you may also contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
If the GDPR or UK GDPR applies to you, you may also complain to your local data protection authority (in the UK, the Information Commissioner's Office at ico.org.uk).
Changes to this policy
We may update this policy to reflect changes to the service, law, or our providers. We'll update the “Last updated” date above. For material changes, we will notify you by email at least 30 days before the changes take effect. Continued use of Cedric after the effective date constitutes acceptance of the updated policy.