Your data is safe with us.
We take security seriously. Review+ is built on enterprise-grade Google Cloud infrastructure with multiple layers of protection for your business data and your customers' information.
How we protect your data
Encryption in transit & at rest
All data sent between your browser and our servers is encrypted using TLS 1.3. Data at rest in Firebase Firestore and Cloud Storage is encrypted by Google using AES-256.
Google-grade authentication
Merchant accounts use Google OAuth 2.0 — one of the most battle-tested auth systems on the planet. We never store or handle your Google password.
Firestore Security Rules
Our database is protected by Firebase Security Rules that enforce per-merchant data isolation. A merchant can only read and write their own documents — cross-account access is structurally impossible.
Google Cloud infrastructure
Review+ runs on Firebase, which is built on Google Cloud Platform — ISO 27001, SOC 2 Type II, and PCI-DSS Level 1 certified infrastructure used by millions of apps worldwide.
Least-privilege access
Our team follows a least-privilege policy. Engineers access production data only when required, with full audit logging of all administrative actions.
Dependency management
We keep our dependencies up to date and regularly audit for known vulnerabilities using automated tooling. Critical patches are applied within 48 hours.
Merchant data isolation
Every merchant's data lives in its own namespace inside Firestore. Our security rules are structured so that:
- Merchants can only read and write their own business profile and feedback documents
- Customer feedback submitted for Merchant A is structurally inaccessible to Merchant B
- Customer experience pages (/customer-exp) are read-only public routes — they only fetch the specific merchant's public profile fields
- Write operations to the feedback subcollection are rate-limited at the rule level to prevent abuse
What we don't do
- We never sell your data to advertisers or third-party brokers
- We never store Google passwords or other credentials
- We never share customer feedback with other merchants
- We don't use customer data to train AI models without explicit consent
- We don't retain data after account deletion (beyond the 30-day grace period)
- We don't use advertising cookies or third-party trackers on our platform
Compliance & certifications
Review+ is built on Firebase and Google Cloud Platform, which hold the following certifications:
- ISO 27001
- SOC 2 Type II
- PCI DSS L1
- GDPR Ready
Responsible disclosure
We welcome security researchers who responsibly disclose vulnerabilities. If you discover a security issue in Review+, please:
- Email: security@review-plus.app
- Include a clear description of the vulnerability
- Provide steps to reproduce (proof-of-concept if available)
- Allow us a reasonable remediation period before public disclosure
We commit to acknowledging your report within 48 hours and providing a remediation timeline within 7 business days. We do not pursue legal action against researchers who act in good faith.