OUR PLATFORMS AND SERVICES

Shout About Us, Inc. operates the following platforms, all of which are governed by this Privacy Policy:

Enterprise Infrastructure Platforms (Generation 2)

These platforms operate on dedicated AWS cloud infrastructure with enterprise-grade security controls described in Section 5 of this policy.

• Review Data — Our review data aggregation and insights API, accessible at shoutaboutus.com. Delivers normalized review data, sentiment analysis, and competitor benchmarking to enterprise API clients.
• Review Management — Our review management infrastructure platform, accessible at shoutaboutus.com. Delivers review aggregation, solicitation, AI-generated responses, direct response publishing, analytics, and reporting via API to enterprise partners. Enterprise clients access their account data through a dedicated client dashboard at app.shoutaboutus.com.

Legacy SMB Platforms (Generation 1)

These platforms serve our existing SMB and agency customer base and are hosted on separate infrastructure maintained with commercially reasonable security measures appropriate to SMB-grade services. We are actively migrating legacy platform customers to our enterprise infrastructure over the next 12 to 24 months.

• Review Navigator — Our legacy SMB review management platform, hosted at online-review-manager.com. Serves approximately 8,000 business locations including direct brands, individual locations, and white-label agency accounts.
• Response Scribe — Our legacy review response platform, hosted at responsescribe.com. Serves customers whose primary need is managed review response services.

Legacy platform users: Visitors to online-review-manager.com and responsescribe.com are directed to this policy at shoutaboutus.com/privacy-policy. The data practices described in this policy apply to all platforms. Where security capabilities differ between platform generations, this is noted explicitly in Section 5.

1.  INFORMATION WE COLLECT

1.1  Through Enterprise Platform Services

When providing Review Data and Review Management infrastructure services to enterprise partners, we process the following categories of personal information on behalf of those partners:

• Contact information of end customers — names, email addresses, phone numbers
• Review content — text, ratings, and metadata from third-party review platforms
• Platform usage data — API activity, login events, feature usage, and interaction data
• Account information — business names and billing contact details of partner organizations

Note on data collection methodology: SAU employs proprietary technology to collect review data from Supported Platforms and to publish responses on Supported Platforms on behalf of our partners. The availability of these capabilities is subject to the ongoing accessibility of each platform and is not guaranteed. SAU is not liable for interruptions caused by third-party platform restrictions, access changes, or policy modifications.

1.2  Through Legacy Platform Services

When providing Review Navigator and Response Scribe services to SMB customers, we process:

• Account registration data — business name, contact name, email address, username
• Location data — business addresses, phone numbers, and website URLs for managed locations
• Review content — reviews retrieved from third-party platforms on behalf of customers
• Response content — review responses created by or for customers
• Communication records — support tickets, emails, and in-platform messages

1.3  From Website Visitors

When you visit shoutaboutus.com, we may collect:

• Usage data — IP address, browser type, pages visited, time on page, referring URLs
• Contact form submissions — name, email address, company name, and message content
• Cookie data — as described in Section 8 of this policy

1.4  From Business Partners

When organizations enter into a commercial relationship with us, we collect:

• Business contact information — names, email addresses, and phone numbers of authorized representatives
• Billing information — company name, billing address, and payment method details (processed by our PCI-DSS compliant payment processor — we do not store payment card numbers)
• Communication records — emails, support tickets, and other correspondence

1.5  From Employees and Contractors

We collect employment-related information from current and prospective employees and independent contractors, including contact information, employment history, and information necessary to administer the employment or contractor relationship. We use this information solely for the purposes of that relationship and retain it only as long as legally required.

1.6  Information We Do Not Collect

We do not knowingly collect:

• Payment card numbers or financial account information (handled by our payment processor)
• Government-issued identification numbers
• Sensitive personal information such as health data, biometric data, or racial or ethnic origin
• Personal information from children under 13 years of age

2. HOW WE USE PERSONAL INFORMATION

We use personal information only for the purposes for which it was collected. We never sell personal information to third parties, and we never use personal information for automated decision-making that produces legal or significant effects on individuals without human review.

3.  HOW WE SHARE PERSONAL INFORMATION

We share personal information only in the following circumstances:

3.1  With Sub-processors

We engage trusted third-party service providers to assist in delivering our services. All sub-processors are bound by Data Processing Agreements and are required to protect personal information to the same standard as Shout About Us. Our current sub-processors include:

We maintain a current sub-processor list and will notify our enterprise partners at least 30 days before engaging any new sub-processor that processes their customers' personal data.

3.2  With Business Partners

For enterprise platform services, we share personal information with the partner organization on whose behalf we are processing that data, in accordance with our contractual terms. Enterprise partners are responsible for their own privacy practices with respect to their end customers.

3.3  For Legal Compliance

We may disclose personal information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, protect the safety of any person, or investigate fraud. Where legally permitted, we will notify affected parties before making such disclosure.

3.4  Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred as part of that transaction. We will notify affected individuals and partners prior to any such transfer and will ensure that the receiving entity is bound by privacy protections at least equivalent to those in this policy.

4.  DATA RETENTION

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, contractual, or reporting requirements. When personal information is no longer needed, it is securely deleted or anonymized.

Upon expiry of the applicable retention period, personal information on our enterprise platforms is securely deleted using cryptographic erasure for encrypted data stores, with destruction events logged for audit purposes.

5.  DATA SECURITY

We implement and maintain appropriate technical and organizational security measures to protect personal information against unauthorized access, disclosure, alteration, loss, or destruction. Our security posture differs across our platform generations as described below.

5.1  Enterprise Platform Security (Review Data and Review Management)

Our enterprise infrastructure platforms operate on dedicated AWS cloud infrastructure with the following controls:

• Infrastructure and Hosting.  Hosted on Amazon Web Services (AWS) using containerized services (ECS/Fargate) with multi-availability-zone deployment, providing geographic redundancy and high availability.
• Data Encryption.  All data encrypted in transit using TLS 1.2 or higher. All data at rest encrypted using AES-256 via AWS RDS (Multi-AZ MySQL) and AWS S3 with server-side encryption via AWS Key Management Service (KMS).
• Access Controls.  Role-based access controls enforcing least-privilege principles. Multi-factor authentication (MFA) required for all personnel with access to production environments. Access reviewed periodically.
• Network Security.  AWS Web Application Firewall (WAF) for perimeter protection. Amazon GuardDuty for continuous threat detection. Network segmentation between production, staging, and development environments.
• Secrets Management.  All credentials, API keys, and secrets managed through AWS Secrets Manager. No credentials stored in code repositories or configuration files.
• Monitoring and Logging.  Comprehensive audit logging via AWS CloudTrail and application-level monitoring via Datadog. Continuous security event monitoring with alerting thresholds.
• Access Controls.  Role-based access controls enforcing least-privilege principles. Multi-factor authentication (MFA) required for all personnel with access to production environments. Access reviewed periodically.
• Change Management.  All code changes deployed through AWS CodePipeline with automated testing gates. Changes to production infrastructure follow a documented change management process.
• Backup and Recovery.  Automated daily database backups with point-in-time recovery capability. Documented disaster recovery plan with defined recovery time and recovery point objectives.
• Security Assessment.  SAU's SOC 2 Type 1 examination is underway with expected completion in Q2 2026. Annual third-party penetration testing is conducted.

5.2  Legacy Platform Security (Review Navigator and Response Scribe)

Our legacy SMB platforms — Review Navigator (online-review-manager.com) and Response Scribe (responsescribe.com) — are hosted on separate infrastructure and maintained with commercially reasonable security measures appropriate to SMB-grade services, including encryption in transit, access controls, and regular maintenance. These platforms do not currently operate under the enterprise security stack described in Section 5.1.

We are actively migrating legacy platform customers to our enterprise infrastructure over the next 12 to 24 months. Customers will be notified in advance of any migration affecting their accounts.

Despite our security measures, no method of transmission over the internet or electronic storage is 100% secure. In the event of a security incident affecting personal information, we will notify affected parties and relevant regulatory authorities in accordance with applicable law and our contractual obligations.

6.  OUR ROLE AS CONTROLLER AND PROCESSOR

Shout About Us acts in different capacities depending on the nature of the data relationship:

Data Processor (Enterprise Platform Services). When providing Review Data and Review Management infrastructure services to enterprise partners, SAU acts as a data processor operating on behalf of the partner (the data controller). In this capacity, we process personal information solely in accordance with our partners' documented instructions and our contractual terms, including the Data Processing Addendum incorporated into our enterprise agreements.

Data Controller (Legacy SMB Platforms and Website). When providing Review Navigator and Response Scribe services directly to SMB customers, and when operating our website, SAU acts as the data controller. In this capacity, we are responsible for determining the purposes and means of processing personal information, and the practices described in this Privacy Policy apply directly.

Where SAU's enterprise partners have their own end customers whose personal information flows through our infrastructure, those partners are responsible for their own privacy disclosures and for ensuring they have a lawful basis for sharing personal information with SAU.

7.  INTERNATIONAL DATA TRANSFERS

Shout About Us is headquartered in the United States. Personal information processed through our platforms is primarily stored and processed in AWS data centers located in the United States.

Australian Residents.  For personal information transferred from Australia to the United States, we have implemented contractual protections equivalent to the Australian Privacy Principles under the Privacy Act 1988 (Cth), consistent with the requirements for cross-border disclosure under APP 8.

EEA and UK Residents.  For personal information transferred from the European Economic Area or the United Kingdom to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.

Other Jurisdictions.  We strive to comply with all applicable data protection and privacy laws in jurisdictions where we operate or have customers. If you have questions about data transfers applicable to your jurisdiction, please contact us using the details in Section 10.

8.  YOUR PRIVACY RIGHTS

Depending on your location and applicable law, you may have the following rights regarding your personal information. To exercise any of these rights, please contact us using the details in Section 10. We will respond to verified requests within the timeframes required by applicable law, generally 30 to 45 days.

8.1  Australian Residents (Privacy Act 1988 / APPs)

• Access — request access to personal information we hold about you
• Correction — request correction of inaccurate or incomplete personal information
• Complaint — lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au

8.2  EEA and UK Residents (GDPR / UK GDPR)

• Access — obtain a copy of the personal information we hold about you
• Rectification — request correction of inaccurate personal information
• Erasure — request deletion of your personal information in certain circumstances
• Restriction — request that we restrict processing of your personal information
• Portability — receive your personal information in a structured, machine-readable format
• Objection — object to processing based on legitimate interest
• Withdrawal of consent — withdraw consent at any time where processing is based on consent
• Complaint — lodge a complaint with your local supervisory authority

8.3  California Residents (CCPA / CPRA)

• Know — request disclosure of the categories and specific pieces of personal information we have collected
• Delete — request deletion of personal information we have collected
• Correct — request correction of inaccurate personal information
• Opt-out of sale — we do not sell personal information
• Limit use of sensitive personal information — as defined under CPRA
• Non-discrimination — we will not discriminate against you for exercising your privacy rights

8.4  All Users

• Opt-out of marketing communications — click the unsubscribe link in any marketing email or contact us directly
• Access and correction requests — we will respond to reasonable requests to access or correct your personal information

Note for enterprise partner customers: If you are a customer of one of our enterprise partners (for example, a business whose review data is managed through our infrastructure), your privacy rights with respect to that data should be exercised directly with that partner, who acts as the data controller for your personal information. We will cooperate with our partners in fulfilling such requests.

9.  COOKIES AND TRACKING TECHNOLOGIES

Our website at shoutaboutus.com uses cookies and similar tracking technologies to improve your browsing experience and analyze website traffic.

You can control cookie preferences through your browser settings. Disabling certain cookies may affect website functionality. We do not use cookies for cross-site advertising or behavioral tracking.

Our legacy platforms (online-review-manager.com and responsescribe.com) also use session and functional cookies necessary for platform operation. No tracking cookies are used on those platforms for advertising purposes.

10.  CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will post the updated policy at shoutaboutus.com/privacy-policy with a revised "Last Updated" date.

For material changes that significantly affect how we handle personal information, we will provide more prominent notice, which may include email notification to our business partners and SMB customers.

Legacy platform users: This policy also governs personal information processed through online-review-manager.com and responsescribe.com. Updates to this policy apply to all platforms operated by Shout About Us, Inc.

11.  CONTACT US

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or wish to make a complaint, please contact us:

Regulatory Contacts

Australian privacy complaints not resolved to your satisfaction may be directed to the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992

GDPR-related complaints may be directed to your local supervisory authority in the EU or UK.

California privacy complaints may be directed to the California Privacy Protection Agency (CPPA) at cppa.ca.gov.

PLATFORM QUICK REFERENCE

For quick reference, the following table summarizes all Shout About Us, Inc. platforms and how they relate to this Privacy Policy:

Migration notice: Shout About Us is actively migrating Review Navigator and Response Scribe customers to the enterprise infrastructure over the next 12 to 24 months. Customers will be notified in advance of any migration affecting their accounts.