Legal

Privacy Policy

We built HonestRemarks around a core commitment: reviewer identities are separated from published accounts. This policy explains exactly what information we collect, how it is stored, when it may be shared, and what rights you have over it.

Last updated: May 2026

1. What we collect

We collect the minimum information required to operate the platform safely. What we collect depends on how you interact with us.

All users

  • Email address and password (or third-party OAuth token) used to create your account.
  • Log data — IP address, browser type, pages visited, timestamps — retained for security and abuse prevention.
  • Cookie identifiers used to maintain your session.

Verified reviewers (additional)

  • Professional role and institution, as declared during the verification application.
  • Verification method and supporting data (institutional email domain, LinkedIn URL, or a copy of a government-issued ID submitted via email).
  • The content of accounts you submit, linked to your identity in our internal records.
  • Application status and moderation decisions relating to your reviewer account.

Profile subjects (additional)

  • Claim verification method and data (institutional email, LinkedIn URL, or indication that a government ID was submitted).
  • The content of right-of-reply responses you post.
  • The content of dispute submissions you file, including stated reasons and explanations.

Visitors (no account)

  • Log data as described above.
  • We do not use tracking cookies or third-party advertising pixels.

2. Reviewer identity separation

The central privacy commitment of HonestRemarks is that reviewer identities are never linked to published accounts in a way visible to the public or to the person reviewed. Here is exactly how that works at a technical level:

Separate database tables

Reviewer identity records (name, email, verification documents) are stored in a restricted table with no public access policy. Published accounts are stored in a separate table. The two tables share no public-facing join.

Denormalised display data only

When an account is published, only the reviewer's role (e.g. "Professor") and institution are copied to the public accounts record. No name, email, or unique identifier is included. This display data cannot be used to trace the account back to an individual.

Row-level security

Our database enforces row-level security policies. Anonymous and authenticated non-admin users cannot query the reviewer identity table through any application route, even if they attempt to manipulate API requests.

Admin access is logged

All administrative access to reviewer identity records is logged with a timestamp, the administrator's account, and the reason for access. These logs are retained for audit purposes.
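
The four controls above expressed in PostgreSQL, as an added illustration. This is not HonestRemarks' actual schema: every table, column and function name is an assumption, and the roles are those of a plain PostgreSQL install.

```sql
-- Illustrative schema only: all names below are assumptions.
CREATE TABLE reviewer_identities (            -- restricted: name, email, documents
    reviewer_id  uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    full_name    text NOT NULL,
    email        text NOT NULL,
    verification jsonb
);
CREATE TABLE account_authorship (             -- internal link, never exposed
    account_id   uuid PRIMARY KEY,
    reviewer_id  uuid NOT NULL REFERENCES reviewer_identities
);
CREATE TABLE published_accounts (             -- public: denormalised display data only
    account_id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    body                 text NOT NULL,
    reviewer_role        text NOT NULL,       -- e.g. 'Professor'
    reviewer_institution text NOT NULL        -- no name, email or reviewer_id here
);
CREATE TABLE identity_access_log (
    id            bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    accessed_at   timestamptz NOT NULL DEFAULT now(),
    admin_account text NOT NULL,
    reviewer_id   uuid NOT NULL,
    reason        text NOT NULL CHECK (length(trim(reason)) > 0)
);

-- RLS enabled with no policy: default deny for every role except the table
-- owner, superusers and roles with BYPASSRLS.
ALTER TABLE reviewer_identities ENABLE ROW LEVEL SECURITY;
ALTER TABLE account_authorship  ENABLE ROW LEVEL SECURITY;
ALTER TABLE identity_access_log ENABLE ROW LEVEL SECURITY;
REVOKE ALL ON reviewer_identities, account_authorship, identity_access_log FROM PUBLIC;

-- The public table is readable by anyone, but holds nothing that identifies the author.
ALTER TABLE published_accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY public_read ON published_accounts FOR SELECT USING (true);

-- Intended admin path to identity rows: the audit entry is written before the read.
CREATE FUNCTION admin_read_identity(p_reviewer uuid, p_reason text)
RETURNS reviewer_identities
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
DECLARE r reviewer_identities;
BEGIN
    INSERT INTO identity_access_log (admin_account, reviewer_id, reason)
    VALUES (session_user, p_reviewer, p_reason);   -- session_user = connecting role, not the function owner
    SELECT * INTO r FROM reviewer_identities ri WHERE ri.reviewer_id = p_reviewer;
    RETURN r;
END $$;
REVOKE EXECUTE ON FUNCTION admin_read_identity(uuid, text) FROM PUBLIC;
-- Then GRANT EXECUTE to the dedicated admin role only.
```

On a hosted stack that pre-grants table privileges to its API roles, those grants need to be revoked explicitly as well; revoking from PUBLIC does not remove them.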

3. How we use your information

We use information we collect for the following purposes only:

  • Operating the platform. Authenticating your account, displaying profiles and accounts, processing votes, replies, and disputes.
  • Verification and moderation. Confirming reviewer credentials, reviewing submitted accounts against our Content Guidelines, and enforcing our Terms of Use.
  • Security and abuse prevention. Detecting and preventing fraudulent accounts, coordinated campaigns, and platform abuse.
  • Legal compliance. Retaining records as required by applicable law and responding to valid legal process as described in Section 4.
  • Service communications. Notifying you of dispute outcomes, application decisions, and material changes to these policies. We do not send marketing email.

We do not sell personal data. We do not use personal data for targeted advertising. We do not share personal data with third parties except as described in Sections 4 and 5.

4. Subpoenas and legal requests

We do not voluntarily disclose reviewer identity to third parties, including to the subjects of accounts. However, we may be legally compelled to do so.

If we receive a subpoena, court order, search warrant, or other legally binding demand for reviewer identity records, we will:

  1. Review the request for legal validity and seek to narrow or challenge requests we consider overbroad or legally deficient.
  2. Notify the affected reviewer before disclosing, where we are legally permitted to do so and where doing so will not compromise an ongoing investigation.
  3. Disclose only the minimum information required to comply with the specific legal demand.
  4. Log all disclosures made under legal compulsion.

We cannot guarantee that we will be able to give advance notice in all cases — for example, where a gag order accompanies the legal demand. By using the platform as a reviewer, you acknowledge and accept this risk. If you are concerned about your specific legal exposure, obtain independent legal advice before posting.

5. Third parties

We use a small number of third-party services to operate the platform. These are:

Supabase

Our database and authentication provider. All user data, account content, and reviewer records are stored in Supabase-managed infrastructure. Supabase is SOC 2 Type II certified. Data is stored in the region selected at account setup.

Vercel

Our hosting and deployment infrastructure. Vercel processes request logs and may store temporary edge-function outputs. We do not pass personally identifiable information to Vercel beyond what is present in standard HTTP request logs.

We do not use analytics platforms, advertising networks, social media trackers, or any other third-party service that receives personal data about our users.

6. Data retention

We retain data for as long as necessary to fulfil the purposes for which it was collected, subject to the following policies:

  • Active accounts. Account data (email, profile, preferences) is retained for the lifetime of your account. You may request deletion at any time (see Section 7).
  • Published accounts. Published accounts remain visible until removed by moderation or a successful dispute. Removed accounts are retained in a non-public state for a minimum of two years for legal compliance purposes.
  • Reviewer identity records. Verification records are retained for a minimum of three years after the reviewer's last account submission, to support any legal process that may arise from published content.
  • Moderation logs. All moderation decisions are logged permanently for accountability and legal record-keeping.
  • Log data. Server and access logs are retained for 90 days then purged, except where required for an ongoing investigation.

7. Your rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

Access

Request a copy of the personal data we hold about you.

Correction

Request that we correct inaccurate personal data.

Deletion

Request deletion of your account and personal data, subject to our retention obligations.

Portability

Request your data in a structured, machine-readable format.

Objection

Object to processing of your data in certain circumstances.

Restriction

Request that we restrict processing of your data while a dispute is resolved.

Note that a right to deletion does not override our legitimate interests in retaining content for legal accountability. If your deletion request conflicts with an ongoing legal matter or our minimum retention obligations, we will explain this to you and retain only what is necessary.

To exercise any of these rights, contact us at the address in Section 8. We will respond within 30 days. We may ask you to verify your identity before processing the request.

8. Contact

For privacy-related questions, data requests, or concerns about how your information is handled, contact us at:

We aim to respond to all privacy enquiries within 5 business days. For urgent legal requests or valid law enforcement demands, please contact legal@honestremarks.com with the subject line "Legal Process."
