Data Processing Agreement

Rogger Pty Ltd (ABN 65 697 383 814) · Effective 2026-06-16 · Version 2.0 — Bootstrapper Edition

Bootstrapper-grade DPA. This agreement is designed for early-stage B2B SaaS customers and is modeled on the online DPAs used by Google Cloud and Microsoft 365. It covers standard data-processing obligations under Australian privacy law and GDPR/UK GDPR. It is not a substitute for independent legal advice; we recommend solicitor review before large enterprise contracts.

1. Parties and scope

1.1 Parties. This Data Processing Agreement ("DPA") is between Rogger Pty Ltd (ABN 65 697 383 814), trading as "Rogger" ("we", "us", "Processor"), and the business customer accepting the Rogger Terms of Service ("you", "Controller").

1.2 Incorporation. This DPA is incorporated by reference into the Rogger Terms of Service. If there is a conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the inconsistency.

1.3 Roles. In relation to Customer Personal Data, you are the controller (or processor acting on behalf of a third-party controller), and we are your processor. We process Customer Personal Data only on your documented instructions, including as set out in this DPA, the Terms of Service, and any settings you configure in the Rogger portal.

2. Definitions

"Applicable Privacy Laws" means the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs); the GDPR and UK GDPR, to the extent they apply to you; and any other privacy or data protection laws that apply to the processing of Customer Personal Data.

"Customer Personal Data" means personal data (or personal information) that we process on your behalf in providing the Services, excluding our own business contact information and aggregated or de-identified data.

"Data Subject" means the individual to whom Customer Personal Data relates.

"Security Incident" means any actual unauthorised access to, disclosure of, alteration of, or loss of Customer Personal Data.

"Services" means the Rogger review-verification platform and any related services described in the Terms of Service.

"Subprocessor" means a third party engaged by us to process Customer Personal Data.

3. What we process and why

We process Customer Personal Data solely to provide, secure, and improve the Services. The categories of Data Subjects, types of data, and processing purposes are set out in Annex A.

We do not:

  • sell, rent, or monetise Customer Personal Data;
  • use it to build profiles for our own unrelated purposes;
  • combine it with data from other sources for our own purposes;
  • use it to train generative AI models, except where the output is used only for fraud detection, content moderation, or service improvement for your benefit and does not permit re-identification of individual Data Subjects.

4. Our obligations

4.1 Instructions. We process Customer Personal Data only on your instructions and as required by law. If we believe an instruction violates Applicable Privacy Laws, we will notify you promptly.

4.2 Confidentiality. We require our personnel who may access Customer Personal Data to be bound by confidentiality obligations.

4.3 Security. We implement and maintain appropriate technical and organisational security measures to protect Customer Personal Data. A summary of these measures is in Annex B.

4.4 Subprocessors. We may engage Subprocessors to provide parts of the Services. Our current Subprocessors are listed in Annex C. We will notify you of any new Subprocessor at least 14 days before it begins processing Customer Personal Data. You may object on reasonable data-protection grounds. If we cannot resolve the objection, you may terminate the affected Services.

4.5 International transfers. Customer Personal Data is primarily stored and processed in Australia. If we transfer Customer Personal Data outside Australia, we do so only with appropriate safeguards, such as Standard Contractual Clauses (see Annex D) or other mechanisms permitted by Applicable Privacy Laws.

4.6 Data Subject rights. We will assist you, by appropriate technical and organisational measures, in responding to requests from Data Subjects to exercise their rights under Applicable Privacy Laws.

4.7 Security Incidents. We will notify you without undue delay, and in any event within 24 hours, after becoming aware of a Security Incident affecting Customer Personal Data. We will co-operate with you in investigating and remedying the incident.

4.8 Deletion. On termination of your account, we will delete or return Customer Personal Data within 90 days in accordance with your instructions, except where retention is required by law or for the establishment, exercise, or defence of legal claims.

5. Your obligations

You represent and warrant that:

  • you have a lawful basis for processing and providing Customer Personal Data to us;
  • you have provided Data Subjects with any required privacy notices and, where necessary, obtained consent;
  • the processing of Customer Personal Data under this DPA does not violate any law or third-party right.

You are responsible for the accuracy and lawfulness of Customer Personal Data you provide; configuring the Services in a manner consistent with Applicable Privacy Laws; and responding to Data Subject requests, with our assistance as described above.

6. Audit rights

You may audit our compliance with this DPA once per calendar year (or more frequently if required by a regulator or following a Security Incident), on 30 days' written notice. Audits must be conducted during our normal business hours and in a way that minimises disruption. In lieu of an on-site audit, we may provide relevant security documentation or third-party reports. If the audit reveals a material breach by us, we will bear the reasonable costs; otherwise, you bear the costs.

7. Liability

Our liability under this DPA is subject to the liability cap in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable consumer protection or privacy legislation.

8. Term and termination

This DPA commences when you accept the Terms of Service and continues for as long as we process Customer Personal Data on your behalf. Clauses relating to confidentiality, security, incidents, deletion, audits, and liability survive termination.

9. Governing law

This DPA is governed by the laws of Queensland, Australia. The parties submit to the exclusive jurisdiction of the courts of Queensland.

10. Updates

We may update this DPA from time to time to reflect changes in our Services, Subprocessors, or Applicable Privacy Laws. We will notify you of material changes by email or through the Rogger portal. Continued use of the Services after the effective date of an update constitutes acceptance.

Annex A — Details of processing

A.1 Data Subjects

  • Your customers or patients (end consumers who receive review invitations).
  • Individuals who submit reviews through the Rogger platform.
  • Your authorised staff users of the Rogger portal.

A.2 Categories of Customer Personal Data

Category | Examples | Storage
Contact identifiers | Email addresses, mobile numbers of end consumers | SHA-256 hash only — plaintext is not retained
Review content | Star ratings, free-text reviews, images, audio, video | Plaintext (user-generated content)
Transaction metadata | Transaction date, type, service category, value band | Plaintext (business operational data)
Device data | Device fingerprint hash, IP address | IP: 90 days; fingerprint hash: fraud-detection lifetime
Staff user data | Name, email, role, login metadata | Plaintext for authenticated portal users
Business identity data | Legal/trading name, ABN/ACN, address, logo, website | Plaintext
Evidence documents | Invoice/receipt images uploaded for verification | Encrypted at rest (AES-256-GCM)

A.3 Processing purposes

  • Issue and manage review-invitation tokens.
  • Deliver review links to you for onward transmission to Data Subjects.
  • Collect, moderate, and publish verified reviews.
  • Detect and prevent fraud.
  • Provide analytics and insights to you.
  • Maintain audit logs and comply with legal obligations.

Annex B — Security measures

Control area | Measures
Access control | Role-based access control; API key authentication; signed session cookies; least privilege
Encryption | TLS 1.2+ in transit; AES-256-GCM for credentials and evidence documents at rest
Network | Cloudflare WAF and DDoS protection; rate limiting; HSTS; origin-locked CORS in production
Logging | Audit logs for token issuance, review submission, and admin actions; structured logging with PII redaction
Infrastructure | Containerised deployment; production hosted in Australia; regular security patching
Personnel | Confidentiality obligations for personnel with access to production systems

Planned enhancements (not yet operational): SOC 2 Type II audit, ISO 27001 certification, formal background checks, SIEM-class monitoring.

Annex C — Subprocessors

Current Subprocessors are listed below. An up-to-date list is always available at rogger.io/subprocessors.

Subprocessor | Jurisdiction | Purpose
Stripe, Inc. | United States | Payment processing and subscription management
Cloudflare, Inc. | United States | DNS, CDN, WAF, DDoS protection
Fastmail Pty Ltd | Australia | Transactional email delivery for Rogger addresses
Sentry (Functional Software, Inc.) | United States | Error tracking and performance monitoring
OpenAI / Anthropic / Moonshot (via LiteLLM proxy) | United States / China | AI-assisted fraud analysis, content moderation, receipt parsing

AI routing note: AI requests are routed through a local LiteLLM proxy. Local Ollama models are used by default, keeping data within Australian infrastructure. Escalation to US-based providers occurs only when configured and only for real-time inference. No Customer Personal Data is used to train foundation models.

Annex D — International transfer safeguards

For transfers of Customer Personal Data from Australia to countries that do not have substantially similar privacy laws (such as the United States), we rely on:

  • For EU/UK data: the EU Commission Standard Contractual Clauses for the transfer of personal data to processors established in third countries (SCCs 2021/914), and where applicable, the UK Addendum to the EU SCCs.
  • For Australian data: the recipient's binding contractual obligations under this DPA and the Terms of Service, together with any applicable transfer mechanism required by the APPs.

A copy of the SCCs is available on request.

Annex E — Contact details

Rogger Pty Ltd
ABN 65 697 383 814
Email: [email protected]
Data protection / privacy contact: [email protected]

Customer: as recorded in the Rogger account.