Privacy Policy

1. Introduction

Ratemy, Inc. ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our professional review and reputation platform (the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.

This policy applies to all users, including:

• Reviewers: Individuals who write reviews about professionals
• Professionals: Managers, teachers, doctors, lawyers, realtors, and other professionals who are reviewed
• Parents: Parents reviewing teachers or schools
• Recruiters: Individuals or companies searching for talent
• Job Seekers: Individuals browsing job postings
• Visitors: Anyone browsing the platform without an account

2. Information We Collect

2.1 Personal Information You Provide

We collect information you provide directly when you:

• Create an Account: Email address, password, name, profile photo, bio, job title, company name, date of birth (for age verification)
• Write Reviews: Review text, ratings, comments, uploaded proof documents (redacted pay stubs, employment verification)
• Claim Professional Profile: Work history, LinkedIn profile, professional certifications, employment verification documents
• Make Payments: Credit card details (processed securely by Stripe, we never store full card numbers), billing address, payment history
• Contact Support: Support messages, feedback, survey responses, customer service correspondence
• Use AI Leadership Coach: Voice recordings (temporary), practice session transcripts, feedback data, coaching scores

2.2 Professional Information

• From Your Profile: Specialties, years of experience, certifications, licenses, team affiliations, company information
• From Public Sources: Information from LinkedIn, company websites, professional directories (only for unclaimed profiles)
• From Reviews: Ratings, behavioral patterns identified in reviews, skill endorsements

2.3 Automatically Collected Information

• Device & Browser Data: IP address, browser type and version, device type, operating system, screen resolution, device identifiers
• Usage Data: Pages visited, time spent on pages, click patterns, search queries, features used, session duration
• Cookies & Similar Technologies: Session cookies, authentication tokens, analytics cookies, preference cookies (see Section 9)
• Location Data: Approximate location based on IP address (city/country level only - we do not collect precise GPS location)
• Referral Data: Source that referred you to our Service (Google, LinkedIn, direct link)

2.4 Information from Third Parties

• LinkedIn OAuth: Profile information, work history, email address, profile photo (only if you choose to connect your LinkedIn account)
• Payment Processors (Stripe): Payment confirmation, transaction IDs, payment method details, billing disputes
• AI Services (OpenAI): AI moderation results, PII detection results, AI Coach analysis (processed data only, not raw inputs)
• Email Service (SendGrid): Email delivery status, open rates, bounce notifications, spam reports

3. How We Use Your Information

3.1 Provide & Improve the Service

• Create and maintain your user account
• Display reviews and professional profiles publicly (subject to consent workflow)
• Process payments and manage subscriptions
• Provide AI Leadership Coach sessions (voice-to-text, real-time coaching, feedback reports)
• Send transactional notifications (review approval requests, new review notifications, payment confirmations)
• Improve platform features based on usage patterns
• Detect and prevent fraud, spam, and abuse
• Troubleshoot technical issues

3.2 AI Moderation & Content Safety

• Screen all reviews for PII (personal identifiable information) before publication
• Detect toxic, offensive, or harassing content
• Identify spam and fraudulent reviews
• Flag potential violations of our Community Guidelines
• Process uploaded media for CSAM (Child Sexual Abuse Material) detection
• Note: AI Coach audio recordings are processed for speech-to-text and immediately deleted after transcription

3.3 Communication

• Respond to your inquiries and support requests
• Send administrative emails (password resets, account confirmations, billing notifications)
• Send transactional emails (review consent requests, dispute notifications)
• Send marketing emails about new features and product updates (you can opt out anytime)
• Send weekly AI Coach practice reports (if you use the AI Coach feature)

3.4 Analytics & Research

• Analyze platform usage to understand user behavior
• Generate aggregate statistics (e.g., average ratings by industry, search trends)
• Conduct research to improve AI moderation accuracy
• Develop new features and services based on user needs
• Track search analytics to improve search results

3.5 Legal & Safety Obligations

• Comply with legal obligations (subpoenas, court orders, regulatory requests)
• Enforce our Terms of Service and Community Guidelines
• Protect against fraud, spam, and malicious activity
• Investigate disputes between users
• Report CSAM (Child Sexual Abuse Material) to NCMEC (National Center for Missing & Exploited Children) as required by law

3.6 Consent-Based Review System

Unique to Ratemy: All reviews are subject to approval by the professional before publication. We use your information to facilitate this consent workflow:

• Notify professionals of new pending reviews
• Track review approval status
• Manage dispute and appeal processes
• Allow professionals to respond publicly to reviews

4. Legal Basis for Processing (GDPR)

If you are located in the European Union (EU) or European Economic Area (EEA), we process your personal data based on the following legal grounds under GDPR:

• Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service you requested (e.g., creating your account, processing payments, displaying your reviews, providing AI Coach sessions)
• Consent (Article 6(1)(a)): You have given explicit consent for specific processing activities (e.g., marketing emails, non-essential cookies, LinkedIn OAuth data sharing)
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests that do not override your rights (e.g., improving the Service, fraud prevention, analytics, platform security)
• Legal Obligation (Article 6(1)(c)): Processing required to comply with laws (e.g., tax records, responding to legal requests, CSAM reporting)

You have the right to object to processing based on legitimate interests. See Section 7 for details on how to exercise your rights.

5. Data Sharing and Disclosure

5.1 Public Information

The following information is publicly visible on the Service:

• Reviews: Your reviews and ratings (if not anonymous) - reviewers can choose to remain anonymous
• Professional Profiles: Professional profiles are publicly accessible for anyone to view
• User Profiles: Your display name, profile photo, and bio (optional) may be publicly visible
• Professional Responses: Responses from professionals to reviews are public

5.2 Service Providers (Processors)

We share data with trusted third-party vendors who help us operate the Service. These providers are contractually obligated to protect your data and use it only for the services they provide to us:

• Stripe: Payment processing (PCI-DSS Level 1 compliant)
• SendGrid: Transactional and marketing email delivery
• AWS S3/Cloudinary: Secure file storage for photos and documents
• OpenAI: AI moderation (PII detection, toxicity screening), AI Coach functionality (speech-to-text, GPT-4, text-to-speech)
• D-ID (Optional): Video avatar generation for AI Coach (if enabled)
• Upstash Redis: Caching and rate limiting
• Vercel: Hosting and infrastructure
• Supabase: Database hosting and authentication

5.3 Legal Requirements & Safety

We may disclose your information if required by law or to protect safety:

• In response to subpoenas, court orders, or other legal processes
• To comply with government or regulatory requests
• To protect the rights, property, or safety of Ratemy, our users, or the public
• In emergencies involving danger to life or property
• To report CSAM (Child Sexual Abuse Material) to NCMEC and law enforcement as required by law

5.4 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, or asset sale, your information may be transferred to the new owner. We will notify you via email and/or a prominent notice on the Service at least 30 days before your information is transferred and becomes subject to a different privacy policy.

5.5 Aggregate & De-identified Data

We may share aggregate or de-identified data that cannot reasonably be used to identify you (e.g., "40% of managers in tech receive ratings above 4.5 stars") with research partners, industry analysts, or the public.

6. Data Retention Policy

We retain your information for as long as necessary to provide the Service and comply with legal obligations. Specific retention periods:

• Account Data: Retained while your account is active, plus 90 days after deletion (to allow account recovery and prevent abuse)
• Reviews: Retained indefinitely unless you delete them or we remove them for violations
• Professional Profiles: Retained indefinitely (including unclaimed profiles) to maintain platform integrity
• Payment Records: Retained for 7 years (tax and accounting compliance)
• AI Coach Audio Recordings: Deleted immediately after transcription (transcripts retained for 1 year)
• Session Transcripts: Retained for 1 year to enable progress tracking
• Logs & Analytics: Retained for 90 days (security monitoring and troubleshooting)
• Moderation Records: Retained for 2 years (dispute resolution and appeals)
• Email Delivery Events: Retained for 30 days (delivery tracking)
• Backups: May contain deleted data for up to 30 days (disaster recovery)

After the retention period, data is securely deleted or anonymized so it cannot be associated with you.

7. Your Privacy Rights (GDPR/CCPA)

7.1 GDPR Rights (EU/EEA Residents)

If you are in the EU/EEA, you have the following rights under GDPR:

• Right to Access (Article 15): Request a copy of all personal data we hold about you
• Right to Rectification (Article 16): Correct inaccurate or incomplete data
• Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion of your data (exceptions apply for legal obligations, public interest, or legitimate claims)
• Right to Restrict Processing (Article 18): Limit how we use your data while disputes are resolved
• Right to Data Portability (Article 20): Receive your data in a machine-readable format (JSON/CSV) and transfer it to another service
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent (Article 7(3)): Withdraw consent for processing (e.g., marketing emails) at any time (does not affect prior processing)
• Right to Lodge a Complaint (Article 77): File a complaint with your local data protection authority (e.g., ICO in UK, CNIL in France)
• Right Not to Be Subject to Automated Decision-Making (Article 22): We do not make solely automated decisions with legal or significant effects (AI moderation is reviewed by humans when flagged)

7.2 CCPA Rights (California Residents)

If you are a California resident, you have the following rights under CCPA:

• Right to Know: Request disclosure of:
  • Categories of personal information we collect
  • Specific pieces of personal information we hold about you
  • Sources of that information
  • Purposes for collecting or selling that information
  • Categories of third parties we share information with
• Right to Delete: Request deletion of your personal information (exceptions apply for legal obligations, fraud prevention, or completing transactions)
• Right to Opt-Out of Sale: We do not sell your personal information, so this right is not applicable
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights (no denial of service, different prices, or different quality of service)
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted by CCPA

7.3 How to Exercise Your Rights

You can exercise your privacy rights in the following ways:

• Privacy Settings Page: Visit /settings/privacy to download your data, delete your account, or manage cookie preferences
• Email Request: Send a Data Subject Access Request (DSAR) to privacy@www.ratingapp.net (see Section 8 for details)
• Phone Request (CCPA): Call 1-800-RATEMY-1 (California residents only)
• Notification Settings: Manage marketing email preferences in Notification Settings

7.4 All Users (Regardless of Location)

• Update Account Info: Edit your profile anytime in Account Settings
• Delete Reviews: Delete your reviews from your Dashboard
• Opt-Out of Marketing: Click "Unsubscribe" in any marketing email
• Manage Cookie Preferences: Click the cookie consent banner or visit Privacy Settings

8. Data Subject Access Request (DSAR) Process

We are committed to fulfilling your privacy rights promptly. Follow this process to submit a Data Subject Access Request (DSAR):

8.1 How to Submit a DSAR

8.2 Verification Process

To protect your privacy, we must verify your identity before processing your request:

1. We will send a verification email to the address associated with your account
2. Click the verification link within 7 days
3. For deletion or portability requests, we may require additional verification (e.g., answering security questions)
4. If you no longer have access to your email, we may ask for government-issued ID (redact sensitive info)

8.3 Response Timeline

• GDPR (EU/EEA): We will respond within 30 days (may extend to 60 days for complex requests with notification)
• CCPA (California): We will respond within 45 days (may extend to 90 days for complex requests with notification)
• Simple Requests: Most access requests are fulfilled within 10-14 days

8.4 What You Will Receive

Depending on your request type:

• Access Request: A downloadable ZIP file containing:
  • Account information (JSON format)
  • All reviews and ratings you've written (JSON/CSV)
  • Payment history (CSV)
  • AI Coach session transcripts and scores (JSON)
  • Uploaded files (original format)
• Deletion Request: Confirmation email when deletion is complete (90-day recovery period for account data)
• Rectification Request: Confirmation that corrections have been made

8.5 Limitations & Exceptions

We may deny or limit your request if:

• We cannot verify your identity
• The request is manifestly unfounded or excessive (e.g., repetitive requests)
• We have a legal obligation to retain the data (e.g., tax records, ongoing legal disputes)
• Deletion would prevent us from establishing, exercising, or defending legal claims
• The data is necessary for public interest or scientific research (in which case it will be anonymized)

If we deny your request, we will explain why and inform you of your right to lodge a complaint with your data protection authority.

8.6 Fees

We do not charge a fee for most DSAR requests. However, we may charge a reasonable fee if:

• Your request is clearly unfounded or excessive
• You request multiple copies of the same data

We will notify you of any fees before processing your request.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, improve, and protect the Service.

9.1 Types of Cookies We Use

• Essential Cookies (Strictly Necessary): Required for the Service to function properly. These cannot be disabled without breaking core functionality.
  • Authentication tokens (login sessions)
  • Security tokens (CSRF protection)
  • Load balancing cookies
• Functional Cookies: Remember your preferences and settings.
  • Language preferences
  • Dark mode / theme preferences
  • Cookie consent choices
• Analytics Cookies: Help us understand how the Service is used.
  • Google Analytics (page views, session duration, bounce rate)
  • Vercel Analytics (performance metrics)
  • Search analytics (internal tracking for improving search results)
• Marketing Cookies (Third-Party): Track your activity across websites for advertising (if enabled).
  • Google Ads conversion tracking
  • LinkedIn Insight Tag (for recruiter ads)

9.2 How to Manage Cookies

• Cookie Consent Banner: When you first visit, you can accept or decline non-essential cookies
• Privacy Settings: Update your preferences anytime in Privacy Settings
• Browser Settings: Most browsers allow you to block or delete cookies:
  • Chrome: Settings → Privacy and Security → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Manage Website Data

9.3 Do Not Track (DNT)

Some browsers have a "Do Not Track" (DNT) feature. We do not currently respond to DNT signals because there is no industry standard for how to interpret them. However, you can manage cookies as described above.

10. Security Measures

We implement industry-standard technical and organizational security measures to protect your information from unauthorized access, disclosure, alteration, or destruction.

10.1 Technical Safeguards

• Encryption in Transit: All data transmitted over HTTPS (TLS 1.3 encryption)
• Encryption at Rest: Databases and file storage use AES-256 encryption
• Password Security: Passwords are hashed using bcrypt with salt (never stored in plain text)
• Secure Authentication: JWT tokens with expiration, HTTP-only cookies
• API Rate Limiting: Prevents brute force attacks and abuse (Upstash Redis)
• DDoS Protection: Cloudflare protection against distributed denial-of-service attacks
• Web Application Firewall (WAF): Blocks common attacks (SQL injection, XSS)

10.2 Organizational Safeguards

• Access Controls: Employees have role-based access (principle of least privilege)
• Background Checks: All employees with data access undergo background checks
• Security Training: Regular training on data protection and security best practices
• Incident Response Plan: Documented procedures for data breach response
• Regular Audits: Quarterly security reviews and annual penetration testing
• Vendor Management: All third-party vendors sign Data Processing Agreements (DPAs)

10.3 AI Moderation for Safety

• PII Detection: Automatic redaction of phone numbers, emails, addresses before content is published
• Toxicity Screening: AI flags offensive, harassing, or threatening content for review
• CSAM Detection: All uploaded media is scanned for Child Sexual Abuse Material (reported to NCMEC)
• Spam Detection: Machine learning models identify fraudulent or fake reviews

10.4 Data Breach Notification

In the unlikely event of a data breach, we will:

• Notify affected users via email within 72 hours (GDPR requirement)
• Notify relevant data protection authorities (EU supervisory authorities, California AG)
• Provide details on what data was affected and steps we're taking
• Offer guidance on how to protect yourself (e.g., reset passwords)

10.5 Limitations

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

11. International Data Transfers

Ratemy is based in the United States. If you are accessing the Service from outside the US, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

11.1 GDPR Compliance for EU/EEA Transfers

For transfers from the EU/EEA to countries outside the European Economic Area, we ensure compliance with GDPR through:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (2021 version) with all service providers that process EU data outside the EEA
• Adequacy Decisions: Where possible, we use service providers in countries with adequacy decisions by the European Commission (e.g., UK, Switzerland)
• Additional Safeguards: Encryption, access controls, and contractual commitments to ensure data protection equivalent to GDPR standards

11.2 Where Your Data May Be Processed

• United States: Primary data storage and processing (Vercel, AWS, Supabase)
• European Union: EU data may be stored in EU data centers (Vercel EU region)
• Global CDN: Cached public content (professional profiles, reviews) distributed globally via Cloudflare

11.3 Your Rights Regarding International Transfers

If you are in the EU/EEA, you have the right to:

• Request a copy of the Standard Contractual Clauses we use with third parties
• Object to the transfer of your data to countries outside the EEA
• Withdraw consent for transfers based on consent (does not affect prior processing)

To request SCC documentation or object to transfers, email privacy@www.ratingapp.net.

12. Children's Privacy (COPPA Compliance)

12.1 Minimum Age Requirement

The Service is intended for users who are at least 13 years old. We comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal information from children under 13 years of age.

12.2 Age Verification

During registration, all users are required to provide their date of birth. We verify that users are at least 13 years old before allowing them to create an account. Users who are under 13 are not permitted to register for the Service.

12.3 If We Discover a Child Under 13 Has Registered

If we learn or have reason to believe that a user is under 13 years of age, we will immediately:

• Terminate the account
• Delete all personal information associated with that account from our systems
• Remove all user-generated content (reviews, comments) posted by that user
• Notify the email address associated with the account (if verifiable as a parent/guardian)

12.4 For Parents and Guardians

If you are a parent or guardian and you believe your child under 13 has created an account without your permission, please contact us immediately:

We will delete the account within 48 hours of receiving a verified request from a parent or guardian.

12.5 Information We Collect from Users 13-17

For users aged 13-17, we collect only the information necessary to provide the Service:

• Email address and password (for account authentication)
• Date of birth (for age verification only - not displayed publicly)
• Display name (optional)
• Reviews and ratings

We do not require users aged 13-17 to provide more personal information than is reasonably necessary to participate in the Service.

13. Third-Party Links

The Service may contain links to third-party websites, including:

• LinkedIn (for OAuth login and profile verification)
• Company websites (linked from professional profiles)
• Job application portals (linked from job postings)
• Professional social media profiles

We are not responsible for the privacy practices or content of these third-party websites. We encourage you to review their privacy policies before providing any personal information.

Links to third-party websites do not imply endorsement by Ratemy.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

14.1 How We Notify You of Changes

We will notify you of material changes by:

• Email notification to your registered email address (at least 30 days before changes take effect)
• Prominent notice on the Service (banner notification)
• Updating the "Last Updated" date at the top of this page

14.2 Your Acceptance of Changes

Your continued use of the Service after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using the Service and may request account deletion.

14.3 Material Changes Requiring Consent

For material changes that significantly affect how we use your data (e.g., sharing data with new categories of third parties), we will request your explicit consent before applying the changes to existing data.

15. Contact Information

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about how we handle your data, please contact us: