Privacy Policy

Privacy, explained simply

Cedric helps businesses monitor and respond to reviews across Google, Yelp, TripAdvisor, and Trustpilot. We collect only what we need to run the service, and you stay in control of your access.

Last updated: 18 March 2026

What we collect

Account details, connected locations, review data you authorise via OAuth, and your Cedric settings.

What we don't do

We don't sell personal information. We don't store your platform passwords (OAuth only). We don't use your data to train AI models.

Your control

You can revoke platform access any time, request data export or deletion, and opt out of non-essential communications.

1

Who we are

This policy explains how Cedric (“we”, “us”, “our”) handles personal information. “You” includes business customers, authorised users on your account, and website visitors.

Contact: privacy@trycedric.com

2

What we collect

We collect information in three buckets:

  • Account & contact details: name, email, business name, role/permissions, billing contact info.
  • Service data: connected locations, reviews/ratings from connected platforms, reply drafts, posting status, audit history, configuration (tone, templates, thresholds, escalation keywords).
  • Website & device data: basic analytics/cookies, IP address, browser type, pages visited (to improve performance and reliability).

3

How we collect it

  • Directly from you when you sign up, configure settings, or contact support.
  • From connected platforms (such as Google, Yelp, TripAdvisor, Trustpilot) when you connect via OAuth (permission-based access).
  • Automatically via cookies and similar technologies when you use our site.

4

Why we use it

We use information to deliver Cedric and keep it secure. Typical purposes include:

  • Provide the service: fetch reviews, generate AI-powered reply drafts, publish replies when authorised, and show reporting.
  • Safety & governance: enforce approval rules, thresholds, escalation keywords, and keep an audit history.
  • Customer support and troubleshooting.
  • Billing and account administration.
  • Security, fraud prevention, and reliability monitoring.
  • Product improvement using aggregated insights (not selling personal info).

If you're in Australia, we handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles where applicable.

5

Google data & OAuth access

Cedric connects to Google Business Profile using OAuth. That means:

  • We do not ask for or store your Google password.
  • We request the business.manage scope, which allows us to read your business reviews and post replies on your behalf.
  • You can revoke access at any time in your Google Account settings.

If we store tokens to keep the integration running, we store them securely (encrypted at rest with AES-256-GCM) and only use them to provide the features you enabled.

Google API Services Limited Use Disclosure

Cedric's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not use Google data to serve advertisements.
  • We do not transfer Google data to third parties except as needed to provide user-facing features of Cedric, or as required by law.
  • We do not allow humans to read Google user data without your explicit consent, except for security purposes, to comply with law, or to investigate abuse.
  • We do not use Google user data to train generalised AI or machine learning models.

Note: Google is a third-party service. Cedric is not endorsed by or affiliated with Google.

6

AI processing & data use

Cedric uses Anthropic's Claude API (a third-party AI provider) to generate review reply suggestions. When you use AI features:

  • Review content (text, star rating, business name) and your brand voice settings are sent to Anthropic for processing.
  • AI-generated replies are suggestions, not human-written content. You are responsible for reviewing and approving them before posting.
  • Anthropic's API terms state that data sent via the API is not used to train their models. We have confirmed this and rely on it.
  • We do not use your review data or any Google user data to train generalised AI or machine learning models.

7

Sharing and sub-processors

We share data only when needed to run Cedric. Our current sub-processors are:

  • Vercel (hosting, serverless functions) — United States.
  • PostgreSQL database provider (managed database) — see current region in our sub-processor list.
  • Prisma Accelerate (database connection pooling) — United States.
  • Resend (transactional email delivery) — United States.
  • Twilio (SMS delivery for campaigns) — United States.
  • Stripe (payment processing) — United States. We do not store full card details.
  • Anthropic / Claude (AI reply generation) — United States.

We also share data when required by law, or to protect the rights, safety, and security of our users and the service.

We do not sell personal information.

8

International transfers

Our sub-processors are primarily located in the United States. Where personal information is transferred outside Australia, we take reasonable steps to ensure compliance with the Australian Privacy Principles (APP 8), including:

  • Contractual obligations with sub-processors requiring them to protect personal information to a standard comparable to the APPs.
  • Encryption of data in transit (TLS) and at rest.
  • Regular review of sub-processor security practices.

By using Cedric, you consent to the transfer of your personal information to these countries for the purposes described in this policy.

9

Security

We use safeguards designed to protect information, including access controls, least-privilege permissions, encryption in transit (TLS) and at rest (AES-256-GCM for sensitive tokens), and monitoring.

No method of transmission or storage is 100% secure, but we work to minimise risk.

10

Data retention

We retain information for specific periods based on its purpose:

  • Account data: retained for the duration of your account plus 90 days after a deletion request is processed.
  • Review data: synced from connected platforms and retained while your account is active. Deleted within 90 days of account closure.
  • Billing records: retained for 7 years to comply with Australian tax law requirements.
  • Server logs: retained for 90 days.
  • Backups: purged within 30 days of primary data deletion.

11

Your rights & account management

Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, and to object to or restrict certain processing.

Account deletion

  • You can request account deletion by emailing privacy@trycedric.com or through your dashboard settings.
  • Upon receiving your request, we will delete your account and associated data within 30 days, subject to the retention periods above.
  • You may request an export of your data before deletion.
  • Google OAuth tokens can be revoked independently via your Google Account settings at any time.

To make any privacy request, email privacy@trycedric.com.

12

Cookies & analytics

We use cookies and similar technologies in the following categories:

  • Strictly necessary: session cookies for authentication and security. These cannot be disabled.
  • Analytics/performance: we use analytics tools to understand site performance, page views, and feature usage. This data is aggregated and not used to personally identify you.

We do not currently use marketing or advertising cookies. You can control non-essential cookies in your browser settings; some functionality may be affected if you disable them.

13

Direct marketing & communications

We may send you product updates, feature announcements, and tips to help you get the most from Cedric. You can opt out of non-essential communications at any time by:

  • Clicking the unsubscribe link included in every marketing email.
  • Emailing privacy@trycedric.com with your opt-out request.

Essential service communications (security alerts, billing notifications, and critical account updates) cannot be opted out of while your account is active.

14

Multi-location accounts & data roles

For customers on plans that support multiple locations, the account holder (the business or organisation) is the data controller for review data across all connected locations. Cedric acts as a data processor, processing review data on the account holder's behalf and according to these terms.

If you are a franchise or multi-brand operator, please ensure you have appropriate authority to connect and manage reviews for all locations under your account.

15

Data breach notification

If we become aware of an eligible data breach that is likely to result in serious harm, we will:

  • Notify affected users as soon as practicable after completing our assessment, and within 30 days of becoming aware of the breach.
  • Notify the Office of the Australian Information Commissioner (OAIC) as required under Part IIIC of the Privacy Act 1988.
  • Provide details of the breach, the type of information involved, and recommended steps you should take.

If you suspect a data breach or security incident involving Cedric, please report it immediately to security@trycedric.com.

16

Complaints

If you have concerns, contact us first and we'll work to resolve them quickly: privacy@trycedric.com.

If you're in Australia and not satisfied, you may also contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

17

Changes to this policy

We may update this policy to reflect changes to the service, law, or our providers. We'll update the “Last updated” date above. For material changes, we will notify you by email at least 30 days before the changes take effect. Continued use of Cedric after the effective date constitutes acceptance of the updated policy.

Get in touch

Questions about privacy?

We're happy to help. Reach out to our team for any privacy-related inquiries.