Yotpo Privacy Guide

Everything you need to know about privacy, data processing, and compliance at Yotpo.

Last updated on October 1, 2020
Data Processing
Global Data Compliance
Chapter 01


Our Worldview on Privacy

As Yotpo’s Data Privacy Officer, privacy is my business. I am a member of the IAPP, and trained with PwC and Deloitte in the most cutting-edge privacy practices and standards. Privacy by Design is more than just a phrase to me: it’s the guiding principle against which all of our decisions — from research and development, to third-party integrations and beyond — are weighed.

At Yotpo, we’ve built a secure digital framework that warrants your trust. As mentioned above, we use Privacy by Design, embedding secure practices into our technology and policies. Within this framework, your customer data is treated intelligently so that you can achieve compliance while growing your business reach.

Let’s go through the most important parts of Yotpo’s data privacy so you can learn exactly how we protect your customers’ personal data. For any specific questions, please reach out to privacy@yotpo.com

– Privacy Team


*Please note that we update our data processing agreement with new integrations and sub-processors as they become relevant. You can stay updated by subscribing below. We will only send you emails related to DPA updates:

Chapter 02

Data Processing

Breaking it down

Yotpo’s Data Processing Agreement details our comprehensive data policy. Because it can be a bit dry, we’ll break down the most important parts.

  • For this guide we will use the term “merchant” to refer to a business that has entered into an agreement with Yotpo to use its services and “customer” to refer to the merchant’s customers
  • This guide was written for our merchants. If you are the customer of a Yotpo merchant, and you have questions or concerns about your data, please contact the merchant directly

What personal data do we collect from your customers?

We process personal data relating to customers who purchase products and/or services from our merchants’ stores, or customers who submit reviews via the on-site reviews widget on our merchants’ websites. We also collect and process the contact information of our merchants’ employees, who serve as the points of contact with Yotpo’s Customer Success Managers.

Here is a list of the personal data that we collect from customers, and why we use it:

  • Name: Enables us to personalize our communication with your customers and use a partially anonymized version of a customer’s name when they leave a review
  • Email address: Enables us to communicate with your customers on your behalf
  • Phone number: Enables us to contact your customers via a text message, a feature we have recently implemented
  • IP address: Provides customer location information so that you can have better analytics about where reviews are originating
  • Shipping address: Allows us to monitor the use of referral links as part of our rewards and referral program

In compliance with the principle of data minimization, we only collect, store, and process data that is absolutely necessary for carrying out the purpose for which the data is processed.

How long do we retain your customers’ personal data?

We retain the data only as long as is necessary for the purposes of processing the information, or as is required by applicable law.

Please note that applicable law in the U.S. requires us to be able to verify that all user-generated content displayed on our merchants’ sites is authentic and attributable to an actual person. Therefore, we retain the personal data of a customer who submits UGC for as long as the content is active in the Yotpo system or until removed in response to a valid request from a customer.

Where does this personal data go?

As soon as the data is submitted to Yotpo, it’s protected by secure data encryption protocols. This encryption occurs throughout data transmissions, including its transmission from your servers and your customers’ devices.

If you or your customers are located in the EU, the data transfer is protected by the Standard Contractual Clauses that we sign with our customers and partners, which addresses our adherence to privacy and security standards and practices.


Our data center is located in northern Virginia in the United States and is hosted with Amazon Web Services (AWS). While it’s hosted, all data is encrypted by AWS/KMS best encryption method. We also have a comprehensive Disaster Recovery Plan (DRP).

We can provide you with a copy of our SOC 2 Type 2 report upon request.

What do we do with the data?

Yotpo is committed to protecting the personal data that we process.

  • We only share the data with the sub-processors mentioned in the following section
  • We do not use the personal data for any purpose other than what is described in your agreement with Yotpo
  • We do not sell the data that we receive from you or collect from your customers

Who do we share data with?

As part of operating procedure, Yotpo may share personal information about end users with some or all of the following Yotpo partners, depending upon which features you enable.

*Yotpo employees are only able to access your customers’ personal data when absolutely necessary (i.e. to resolve a support ticket). Each request for access must be approved by management on a case-by-case basis.

  • Amazon Web Services (AWS): Hosts the content that Yotpo processes for customers
  • SendGrid: Sends emails to your customers on your behalf
  • Google: Displays customer reviews in your Google Seller Ratings and/or Google Shopping Ads. Google only receives your customers’ first name and last initial
  • Segment.io: Keeps you updated about your customers’ submitted content and personal information, providing you with insights
  • Customer.io: Keeps you updated about your customers’ submitted content and personal information via email
  • ViSenze: Provides artificial intelligence-based visual search and image recognition to improve the shopping experience for your customers by identifying additional products that appear in the images displayed on your website
  • Qubole: Provides a cloud-based platform for data processing and data analytics
  • Looker: Provides you with advanced data analytics and business metrics dashboards
  • Tableau: Allows Yotpo to develop data analytics dashboards for processing and displaying your data
  • Bazaarvoice: Yotpo distributes customer reviews across a network of retail partners through a syndication partnership with Bazaarvoice, Inc. This relationship is subject to a separate agreement between you and Bazaarvoice

If you’re using our SMS service (SMSBump), we also share your customers’ personal data with the following partners, all of which provide features and service to allow communication with customers via SMS, chat, and voice:

  • Intercom: A marketing and support software service provider which we use to communicate with you
  • Twilio: Provides features and services to allow communication with customers via SMS, chat, and voice
  • Nexmo: Provides features and services to allow communication with customers via SMS, chat, and voice
  • Bandwidth: Provides features and services to allow communication with customers via SMS, chat, and voice

Additionally, we share your employees’ personal data with the following partners:

  • Customer.io: A cloud email services provider which uses your employees’ behavioral data for targeted email communications
  • Zendesk & Salesforce: Customer relations management software and a customer support platform that enable us to support and manage our relationship with your team

For more information about our sub-processors, please see the full list here.

How are we supporting your management of customers’ privacy rights?

Right of access: Your customers may ask to access any of the personal data your company keeps. To that end, we’ve developed a new API to probe our systems and verify if Yotpo processes any data related to a specific user. This API also enables you to retrieve this data via a secure email from Yotpo once requested.

Right to rectification: Your customers have the right to change or amend any inaccurate personal data that a merchant may be storing. Yotpo’s Support Team has undergone specific training to help you fulfil these requests if and when they come in from your customers.

Right to erasure: Certain privacy laws allow for customers to request that you remove their personal data from your records. As your user-generated content partner, we have built a functionality to erase your customers’ personal data quickly and easily on request. For more information, contact our Support Team or your Customer Success Manager.

Chapter 03

Global Data Compliance

GDPR, CCPA, LGPD and more

While privacy regulations and agreements differ by country, Yotpo looks at the issue from a holistic, global standpoint.

If you operate internationally, we want to make sure you’ll be compliant wherever your business operates. That’s why, instead of focusing only on GDPR, CCPA, LGPD or any other local compliance, our privacy policy is designed to continuously adapt to new standards globally.

As countries develop and modify guidelines, your business could face new challenges with data compliance. With Yotpo’s privacy practices, you can rest assured that you’ll have the adaptability to meet any new regulations that may develop in world regions.

For more details on specific agreements, see:

*A quick word on COPRA (Consumer Online Privacy Rights Act): this piece of federal privacy legislation is expected to become a law in the United States sometime this year. Stay tuned for our comprehensive guide to COPRA, coming out soon.