Privacy Policy
We treat your information with the same care we expect from the platforms we work with. This policy explains exactly what we collect, why we collect it, and how you can control it.
Last updated:
Summary in plain English
We collect the minimum information required to assess and resolve your case. We do not sell your data. We do not use it for behavioral advertising. We retain it only as long as we have a lawful basis. You can request deletion at any time.
Who we are
Your Reputation Solution Ltd. ("we", "our", "us") operates youreputationsolution.com. We are the data controller for the personal data described in this policy. You can reach our data protection contact at [email protected].
What we collect
Information you give us directly
- Contact details: name, email, phone, organization (when relevant) — submitted through our contact form, by phone, or via email.
- Case information: details of the account or reputation issue you're asking us to assess. This may include account identifiers, screenshots of breach notifications, and incident timelines.
- Identity verification documents: government ID, video selfies, or proof-of-ownership materials, when these are required by the platform's recovery process.
Information collected automatically
- Site analytics: anonymized page-view and engagement data via a privacy-respecting analytics provider. No cross-site tracking, no fingerprinting.
- Server logs: standard request logs (IP, timestamp, user-agent) retained for 30 days for security purposes.
What we don't collect
- Passwords: we never request or accept your live account passwords. Recovery is identity-based.
- Financial card data: payment processing is handled by our PCI-compliant payment provider; we do not store card numbers.
- Tracking cookies: no third-party advertising cookies, no cross-site tracking pixels.
Why we process your data (lawful basis)
For users in the EU, UK, and California, we identify the lawful basis for each processing activity:
- Contract performance: to assess and execute your case (Art. 6(1)(b) GDPR).
- Legitimate interest: to improve our services and prevent fraud (Art. 6(1)(f) GDPR).
- Legal obligation: to comply with tax, accounting, and regulatory rules (Art. 6(1)(c) GDPR).
- Consent: where you've specifically opted in (e.g., to a newsletter); withdrawable at any time.
Who we share data with
We share the minimum data necessary, only with vetted processors who handle data on our behalf under written agreements:
- Platform partners: Meta, Google, TikTok, X, LinkedIn — only the case-relevant identity verification information necessary to execute the recovery you've authorized.
- Cloud infrastructure: encrypted storage with a major US-based provider, with EU data residency where required by GDPR.
- Email and ticketing: a single integrated provider with end-to-end encryption.
- Legal counsel: only when your case requires legal coordination and only with your written authorization.
We do not sell, rent, or otherwise commercialize your data.
How long we keep your data
- Active case data: retained for the duration of the engagement plus 12 months for follow-up.
- Identity verification documents: deleted within 30 days of case resolution unless you request earlier deletion.
- Billing records: retained for 7 years to meet US tax and accounting requirements.
- Server logs: 30 days.
Your rights
Depending on your location, you have the following rights:
- Access your data and receive a portable copy.
- Correct inaccurate or incomplete data.
- Delete your data (subject to lawful retention requirements).
- Object to or restrict processing.
- Withdraw consent at any time.
- Lodge a complaint with your supervisory authority.
To exercise any of these, email [email protected] with the subject line "Data rights request." We respond within 30 days.
International transfers
When we transfer data outside the EU/UK, we use Standard Contractual Clauses or other approved mechanisms to maintain GDPR-equivalent protection.
Security
We use TLS 1.3 in transit and AES-256 at rest. Sensitive verification documents are stored in a separate, access-restricted environment with hardware-key MFA for staff. We have an incident response plan and notify affected individuals within 72 hours of a confirmed breach.
Changes to this policy
When we materially change this policy, we update the "last updated" date and notify active clients by email. Older versions are available on request.