Skip to content
Legal

Privacy
Policy

How we collect, use, and protect your personal data. Written in plain language because transparency is not optional.

1. Introduction

PollenGrains (“we”, “us”, “our”) operates the PollenGrains platform, a verified review service available at pollengrains.com and app.pollengrains.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you access or use our services.

By accessing or using PollenGrains, you acknowledge that you have read, understood, and agree to the practices described in this policy. We act as the data controller for the personal information processed through our platform.

Our commitment is to transparency and plain language. Every section of this policy is written to be understood without legal expertise. We believe that if a privacy policy requires a lawyer to interpret, it has failed its purpose. This approach reflects our Editorial Guardian philosophy: clarity, authority, and unwavering honesty in every interaction.

KEY TAKEAWAY

“We treat your data the way a quality publication treats its sources: with rigorous care, transparent methodology, and absolute respect for the trust you place in us.”

2. Data We Collect

We collect different categories of information depending on how you interact with our platform. Each category serves a specific purpose and is retained only as long as necessary.

Direct Data

First name, email address, password (or Google/Apple OAuth credentials). Profile information you provide during registration, including optional avatar and display preferences.

Technical Data

IP address, browser type and version, timezone, operating system. Collected automatically when you access our platform, used solely for security monitoring and performance optimization.

Usage Data

Interactions with businesses, search queries, review activity, and content engagement patterns. Internal logs used exclusively for platform improvement and service quality.

Verification Data

Purchase verification information: QR code scans, email invitation tokens, payment processor confirmations, ecommerce order data, and receipt uploads. Used solely to verify legitimate purchases.

The Transparency Principle

We do not sell your personal information to third parties. Every piece of data collected is used solely to verify reviews, improve moderation quality, and protect our community from fraudulent activity.

3. How We Use Your Data

We process your personal data for specific, documented purposes. Each use case is tied to either your consent, contractual necessity, legitimate interest, or legal obligation.

  • Service Provision — Managing your account, facilitating verified reviews, processing purchase verifications, and providing access to business profiles and analytics dashboards.

  • Communication — Delivering transactional emails (review confirmations, invitation notifications), responding to support inquiries, and sending critical security alerts. All email is delivered via self-hosted SMTP with SPF/DKIM/DMARC authentication.

  • Independent Moderation — AI-powered content checks (spam, profanity, PII detection) execute within 2 seconds, followed by blind human moderation where necessary. Moderators never have access to business payment information, ensuring decisions are based solely on content quality and guideline compliance.

  • Security & Fraud Prevention — Detecting fake reviews, spam patterns, coordinated manipulation campaigns, and unauthorized access attempts through behavioral analysis and device fingerprinting.

  • Platform Improvement — Anonymized analytics to improve search relevance, review quality signals, and verification accuracy. Individual users are never identifiable in aggregated datasets.

4. Data Sharing & Third Parties

Payment Processing via Polar.sh

PollenGrains uses Polar.sh as our merchant of record for all payment processing. When you subscribe to a paid plan, Polar.sh processes your payment information directly. We do not store credit card numbers or payment credentials on our servers. Polar.sh's handling of your payment data is governed by their own privacy policy.

We share personal data only in the following strictly limited circumstances:

  • Polar.sh — for payment processing when you subscribe to a paid plan.

  • Law enforcement — when legally required by valid court order, subpoena, or regulatory obligation.

  • Service providers — operating under strict data processing agreements, with access limited to what is necessary to perform their function.

What we will never do with your data:

  • We never sell personal data to third parties.

  • We never share data with advertisers or ad networks.

  • We never grant third parties access to review content for commercial exploitation.

5. Your Rights

Compliance

GDPR & CCPA Rights

Whether you are located in the European Union, California, or anywhere else in the world, we extend the same comprehensive set of data rights to all users.

Manage Rights in Settings

Right to Access & Portability

Request a complete copy of all personal data we hold about you in JSON, CSV, or JSON-LD (Schema.org) format. Data export is available on all plans, including Free. We respond to all access requests within 30 days.

Right to Rectification

Correct inaccurate personal data at any time through your account settings. Edits to reviews are logged with timestamps for transparency, and original versions are preserved in the audit trail.

Right to Erasure

Request permanent deletion of your account and all associated data. Full erasure is completed within 30 days per GDPR requirements. Once initiated, this process is irreversible.

Right to Object

Object to processing for direct marketing or non-essential analytics at any time. One-click opt-outs are available for all non-transactional communications, including weekly summaries and monthly digests.

6. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes described in this policy. Our retention periods are designed to balance service quality with your right to erasure.

  • Active accounts: Data is stored for the duration of your membership and active use of the platform.

  • Account deletion: All personal information is purged from our systems within 30 days of your deletion request.

  • Deleted reviews: Hard-deleted from all systems after a 90-day grace period, allowing for accidental deletion recovery.

  • Archived reviews: Reviews older than 5 years are archived. They remain accessible but are deprioritized in default views and search results.

  • Anonymized data: Aggregate statistical data with no personally identifiable information may be retained indefinitely for platform improvement.

Data Lifecycle

30-Day Purge Guarantee

7. International Data Transfers

PollenGrains is a global platform serving users worldwide. Your personal data may be transferred to and processed on servers located outside your country of residence. We implement robust safeguards to ensure your data receives equivalent protection regardless of where it is processed.

  • Standard Contractual Clauses (SCCs) for all data transfers from the European Economic Area to jurisdictions without an adequacy decision.

  • End-to-end encryption for all cross-border data transit, ensuring data remains protected during transfer between regions.

  • Data processing agreements with all sub-processors, requiring them to maintain equivalent security standards and limiting data use to specified purposes.

Transfer Status

EU Standard Contractual Clauses
TLS 1.3 Encryption
Sub-processor Agreements
Annual Compliance Audits

8. Security Measures

Protecting your data is foundational to our platform. We employ industry-standard and purpose-built security measures across every layer of our infrastructure.

Encryption

All data encrypted in transit (TLS 1.3) and at rest. Review verification tokens are cryptographically signed with HMAC-SHA256, ensuring tamper-proof purchase verification.

Authentication

Passwords hashed with bcrypt. JWT access tokens expire after 15 minutes. Refresh tokens valid for 30 days with automatic rotation. OAuth2 support for Google and Apple social login.

Content Safety

All review content is sanitized before storage and again before display to prevent XSS attacks. Input validation is enforced via Pydantic on all API endpoints, rejecting malformed data at the boundary.

9. Children's Privacy

PollenGrains is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. Our platform requires purchase verification, which inherently involves adult commercial transactions.

If we become aware that we have inadvertently collected personal information from a user under 18 years of age, we will promptly delete their account and all associated data. If you believe a minor has provided us with personal information, please contact us immediately at privacy@pollengrains.com.

10. Changes & Contact

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or regulatory guidance. When we make material changes, we will notify you via email and display a prominent notice on our platform at least 30 days before the changes take effect.

Minor clarifications or corrections that do not materially affect your rights may be made without prior notice. We encourage you to review this policy regularly. Your continued use of PollenGrains after changes are published constitutes your acceptance of the updated policy.

Questions about this policy? Contact our Data Protection Officer at privacy@pollengrains.com