Privacy Policy

Effective 2026-04-22 · Last updated 2026-04-22 · Version 1.0

Rogger Pty Ltd (ABN 65 697 383 814 · ACN 697 383 814, registered in Queensland, Australia — trading as "Rogger", "we", "our", "us") operates the review-verification platform at rogger.io. This policy explains what personal information we handle, why, and the choices you have over it. It is written to align with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), the EU General Data Protection Regulation (GDPR) where applicable, and the UK GDPR and the Data Protection Act 2018.

1. Who this policy applies to

  • Business customers — the businesses that sign up for a Rogger account.
  • End consumers — the customers of those businesses who receive review invitations and leave reviews.
  • Site visitors — anyone browsing rogger.io without an account.

2. What we collect

From business customers:

  • Business identity: legal name, trading name, registration number (ABN/ACN/equivalent), country, category, logo, website.
  • Owner/user identity: name, email, hashed password, role.
  • Billing information: via Stripe (we never see card numbers); invoice history.
  • Usage data: login timestamps, IP address, user agent, actions taken in the portal (audit log).
  • Messaging provider credentials: encrypted with AES-256-GCM before storage (see Security).
  • Uploaded transaction evidence: a receipt image is accepted for parsing, the extracted fields and a SHA-256 hash are retained, and the original image is deleted within 60 seconds of parse completion.

From end consumers (your business's customers):

  • Contact identifier: email or mobile number. We store only a SHA-256 hash — never plaintext. The hash allows us to prevent duplicate invitations without being able to read the underlying address.
  • Invitation metadata: transaction date, transaction type, invitation channel, delivery/open/click timestamps.
  • Review content: star rating, review text, images the reviewer attaches, device fingerprint hash, IP address at time of submission (for fraud detection; retained for 90 days then purged).

From site visitors:

  • Standard server logs: IP address, user agent, referrer, pages visited, timestamps. Retained for 30 days.
  • Strictly-necessary cookies for session management; no third-party analytics or advertising cookies are set.

3. Why we collect it

  • To provide the service contracted for (APP 6.1(a) / GDPR Art. 6(1)(b) performance of contract).
  • To prevent fraud, abuse, and fake reviews (APP 6.2(e) / GDPR Art. 6(1)(f) legitimate interests).
  • To comply with tax, accounting, and legal obligations (APP 6.2(b) / GDPR Art. 6(1)(c)).
  • To improve the service through aggregated, non-identifying analytics.

We do not sell personal information, use it for advertising targeting, or share it with data brokers. Ever.

4. Who we share it with

We use a small number of subprocessors to operate Rogger. The current list, with each subprocessor's purpose and location, is published and kept up to date at rogger.io/subprocessors.

We share personal information with a subprocessor only when it is necessary to provide the service, only under a written data-processing agreement, and only with providers we have assessed for security.

5. Where your data lives

Primary hosting is in Australia. Encrypted database backups are stored in Amazon Web Services Sydney (ap-southeast-2) — remaining within Australian jurisdiction. Some subprocessors (listed on the subprocessors page) process limited data in the United States or the European Union; where they do, appropriate transfer safeguards are in place (Standard Contractual Clauses for EU transfers; equivalent mechanisms for UK/US). The subprocessor page identifies the region of each.

6. Retention

We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, to comply with law, or to resolve disputes. Specific retention periods:

  • Active business-account data — for the duration of your subscription, plus 90 days after cancellation to allow reactivation.
  • Closed accounts — core data deleted within 30 days after the 90-day reactivation window closes. Financial records (invoices, tax records) retained for 7 years as required by the Income Tax Assessment Act 1997 (Cth) and equivalent laws in other jurisdictions.
  • Audit logs — 7 years. This period is required to support compliance obligations and to defend against claims.
  • End-consumer contact hashes — retained while the business's account is active; deleted when the business account closes (see above).
  • Reviews — reviews are part of the verification artefact set and remain on the business's public profile indefinitely unless removed under our notice-and-takedown procedure (see Terms §7) or on business-account closure.
  • Raw IP addresses in review submissions — retained for 90 days for fraud detection, then purged to anonymised aggregate counters.
  • Uploaded receipt images — deleted within 60 seconds of successful parse. SHA-256 hash and extracted fields (merchant, amount, date) retained as audit evidence for the life of the token they generated.
  • Server logs — 30 days.

7. Your rights

You can, at any time:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Request deletion (subject to the legal-retention exceptions above).
  • Export your data in a portable format.
  • Withdraw consent where processing relies on consent.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC), the Information Commissioner's Office (ICO, UK), or your EU national Data Protection Authority.

For any of the above, email [email protected]. We respond within 30 days — usually within 7.

8. Security

We describe our technical and organisational measures on the Security page. In the event of a data breach that is likely to result in serious harm, we notify affected individuals and the Office of the Australian Information Commissioner as required under the Notifiable Data Breach scheme.

9. Children

Rogger is not intended for anyone under 16. We do not knowingly collect information from children. If you believe we have, contact us and we will delete it.

10. Changes

When this policy materially changes we post the updated version here with a new effective date, and notify account owners by email.

11. Contact

Privacy inquiries: [email protected]
General inquiries: [email protected]
Security disclosures: [email protected]

This policy was drafted in-house as an operational baseline. Before any commercial audit or enterprise contract negotiation, it will be reviewed by legal counsel.