Last updated: 17 April 2026
Privacy Policy
This Privacy Policy explains how X18 Global Pty Ltd ABN (pending), trading as X18 Agency ("we", "us", "our"), collects, uses, and protects information about you when you use The Review Engine by X18 (the "Service").
1. Who we are
X18 Agency is an Australian marketing agency that builds and operates The Review Engine by X18. For privacy questions, contact info@x18agency.com.
2. Information we collect
- Account information. Name, email, and organisation details you provide when signing up.
- Google account data. With your consent, your Google Business Profile email address, the list of business locations you manage, and reviews left on those locations. We request the business.manage scope only.
- OAuth tokens. A Google refresh token, encrypted at rest with AES-256-GCM, used solely to call Google APIs on your behalf.
- Reviews and replies. Reviews we fetch from Google, AI-generated reply drafts, and replies you approve and post.
- Billing information. Payment is processed by Stripe. We store a Stripe customer ID. We do not store card numbers.
- Usage data. Standard server logs (IP, user agent, request path) retained for 30 days for security and debugging.
3. How we use your data
- Operate the Service, including fetching reviews and posting replies.
- Draft replies with an AI model (Anthropic Claude).
- Send service and billing emails.
- Provide customer support.
- Maintain security, prevent abuse, and comply with law.
The Review Engine by X18's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Google user data is used only to provide and improve user-facing features that are prominent in the Service, is not transferred to third parties except as necessary to provide or improve user-facing features, is not used for advertising, and is not read by humans except with your explicit consent, to investigate a security or abuse incident, or when required by law.
3a. Google OAuth scopes we request
We request only the minimum scopes required to deliver the Service. Each scope is listed below with its purpose.
- openid, .../auth/userinfo.email, .../auth/userinfo.profile — to identify the signed-in user and link their Google account to their Review Engine organisation.
- https://www.googleapis.com/auth/business.manage (restricted scope) — to list the Google Business Profile accounts and locations the user manages, to read reviews left on those locations, and, when the user approves a reply, to post that reply back to Google. No other use. No write to profile details, hours, photos, posts, or any other field.
Revocation. You can revoke our access at any time from your Google Account security settings or from inside the Service, at which point we immediately delete the stored refresh token and purge cached review data within 24 hours.
4. Sharing
We share data only with:
- Supabase (database and auth) for storage and authentication.
- Vercel for hosting and request logs.
- Stripe for payment processing.
- Anthropic for AI reply generation (review text is sent, no account identifiers).
- Google, to the extent needed to fetch reviews and post replies on your behalf.
We do not sell your data. We do not use it to train third-party AI models. We do not use it for advertising.
5. Security
We encrypt data in transit (HTTPS) and at rest. Google refresh tokens use AES-256-GCM with keys held in Vercel's managed secret store. Multi-tenant isolation is enforced in the database via Row Level Security. Service-role credentials are never exposed to the browser.
6. Retention and deletion
Reviews and reply history are retained for the life of your account. When you cancel, we retain your data for 30 days in case you change your mind, then permanently delete it. You can self-serve delete your account and all associated data at any time: see our Data Deletion page for the exact steps. You can also email info@x18agency.com to request deletion. Disconnecting a Google account revokes our stored refresh token immediately and purges cached review data within 24 hours.
7. Your rights
Under the Australian Privacy Principles and other applicable laws you may have the right to access, correct, or delete your personal information. Contact us at info@x18agency.com to exercise any of these rights.
8. Changes
We will post updates to this policy on this page. Material changes will be announced via email to account owners at least 14 days before they take effect.