1. Who we are
EXTHUS LTD (“we”, “us”, or “our”) trades as GR Widget and operates the website and SaaS platform at https://grwidget.com (the “Service”). The Service lets you connect a Google Business Profile location, configure review widgets, and embed them on websites you control.
For the purposes of applicable data-protection law, EXTHUS LTD is the data controller for personal data processed through the Service. See our company information page for registered office and company number details.
For privacy-related questions or requests, contact us at support@grwidget.com.
2. Scope
This Privacy Policy describes how we collect, use, store, and share information when you:
- visit our marketing site or create and use an account;
- configure widgets, domains, and Google place connections in the dashboard;
- subscribe to a paid plan or contact support;
- submit or vote on public feature requests; or
- install our embed script on your website (including how visitor data is not collected via that script).
This policy does not cover third-party websites you link to from the Service, including Google Maps, Stripe, or social login providers.
3. Information we collect
3.1 Account and profile information
When you register or update your account, we may collect your name, email address, optional phone number and company name, password (stored in hashed form), and plan details. If you sign in with Google, Apple, or Facebook, we receive profile information permitted by that provider (such as name, email, and avatar URL) plus provider identifiers used to link your account.
3.2 Widget, domain, and business data
To provide the Service, we store:
- Domains you register (hostnames authorised to load your widgets);
- Google place connections, including Google Place IDs, business names, formatted addresses, aggregate ratings, review counts, profile URLs, and cached review content retrieved via the Google Places API;
- Widget configuration, such as layout, colours, filters, display limits, branding options, and embed keys; and
- Usage metrics, including aggregate widget load counts used for service operation and abuse prevention.
3.3 Billing and subscription data
Paid plans are processed by Stripe (our primary payment provider). We store subscription status, billing cycle, payment-provider subscription identifiers, and payment records (amount, currency, status, and transaction references). We do not store full payment card numbers on our servers; card and bank details are handled by Stripe under its own privacy policy.
3.4 Support and communications
If you contact us via the support form or dashboard tickets, we collect the information you provide (name, email, subject, message, and any follow-up correspondence). Logged-in subscribers may also open tracked support tickets stored in your account history.
3.5 Feature requests
If you use the public feature requests board, we store your submissions, votes, and associated account information so ideas can be attributed and counted according to plan weighting.
3.6 Technical and security data
Like most web services, our servers automatically log information such as IP address, browser type, referring URL, pages viewed, and timestamps. We use this data for security, debugging, and improving reliability. Session cookies and similar technologies keep you signed in to the dashboard.
3.7 Cookies and analytics on our website
Our marketing site and dashboard may set essential cookies required for authentication, security, and remembering preferences. We also use Google Analytics (measurement ID G-7S0XNN0WMM) on pages where our analytics snippet is loaded, which may set cookies or use similar technologies to help us understand aggregate traffic and usage. You can learn more in Google’s Privacy Policy and use browser controls or opt-out tools Google provides.
When reCAPTCHA is enabled on forms (registration, login, support, or place search), Google may process interaction signals to help prevent abuse, as described in Google’s Privacy Policy and Terms of Service.
3.8 Data we do not collect via the embed script
The widget embed script served to your website visitors is designed not to load advertising trackers or fingerprint individual visitors. We do not use the embed to build marketing profiles of your site’s audience. Server-side, we increment anonymous aggregate load counts and validate the requesting domain against your authorised domain list.
4. How we use information
We use the information described above to:
- create and administer your account and authenticate access;
- fetch, cache, and display Google review data in your configured widgets;
- enforce plan limits (widgets, domains, review counts, sync frequency, and feature access);
- process subscriptions, renewals, cancellations, and billing records through Stripe;
- provide customer support and respond to enquiries;
- operate the feature requests board and improve the product;
- monitor for abuse, fraud, and unauthorised embed use;
- maintain security, backups, and service reliability; and
- comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information. We do not use account data for third-party advertising.
5. Google Places and review data
Review text, ratings, reviewer display names, profile photo URLs, and related business metadata displayed in widgets are sourced from Google via the Google Places API (New) and cached on our systems so widgets load quickly and stay available between sync intervals.
- Attribution: Widgets are designed to reflect that reviews originate from Google. You must not remove required Google attribution or imply that GR Widget authored the reviews.
- Accuracy: Cached data is refreshed on a schedule that depends on your plan (for example, weekly on Free and daily on paid plans). Displayed content may lag behind live Google listings.
- Your responsibility: You should connect listings you are authorised to represent and comply with Google’s applicable terms and policies for Business Profile and Places data.
- Not affiliated with Google: GR Widget is an independent service and is not affiliated with, endorsed by, or sponsored by Google LLC.
Google’s handling of data is governed by Google’s Privacy Policy and the Google Maps Platform Terms.
6. Legal bases (EEA, UK, and similar regions)
Where applicable data-protection law requires a legal basis, we rely on:
- Contract — to provide the Service you signed up for, including widget delivery, sync, and billing;
- Legitimate interests — to secure the platform, prevent abuse, improve features, and support customers, balanced against your rights;
- Consent — where required for optional analytics or marketing communications; and
- Legal obligation — where we must retain or disclose information to comply with law.
7. How we share information
We share information only as needed to operate the Service:
- Google — Places API requests, optional Analytics, reCAPTCHA, and OAuth sign-in, under Google’s terms;
- Stripe — subscription checkout, renewals, cancellations, and webhook events;
- Social login providers — Google, Apple, or Facebook when you choose those sign-in methods;
- Infrastructure providers — hosting, database, email delivery, and backup services that process data on our behalf under contractual confidentiality and security obligations; and
- Professional advisers or authorities — when required by law, court order, or to protect rights, safety, and integrity of the Service.
We may share aggregated or de-identified statistics that cannot reasonably identify you.
8. International transfers
GR Widget may process and store information in the United Kingdom, European Economic Area, United States, or other countries where we or our service providers operate. Where required, we use appropriate safeguards — such as standard contractual clauses or equivalent mechanisms — for transfers of personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision.
9. Data retention
We retain information for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention includes:
- Account data — until you delete your account or ask us to delete it, subject to backup cycles;
- Cached Google review data — while the associated place connection or widget remains active, and for a reasonable period afterward to support deletion requests;
- Billing records — as long as required for tax, accounting, and fraud-prevention purposes;
- Support tickets and logs — for operational and security needs, generally limited to what is reasonable for the issue type.
We may anonymise or aggregate data so it can no longer identify you and retain it for analytics and product improvement.
10. Security
We implement administrative, technical, and organisational measures designed to protect information against unauthorised access, loss, or misuse. These include encrypted transport (HTTPS), hashed passwords, access controls, and monitoring. No method of transmission or storage is completely secure; you are responsible for keeping your login credentials confidential.
11. Your rights and choices
Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing of your personal data, and to data portability or withdrawal of consent where processing is consent-based.
You can update much of your account information from the dashboard. To request access, correction, or deletion of your data — including cached review data tied to your account — email support@grwidget.com. We may need to verify your identity before fulfilling a request.
If you are in the EEA or UK, you also have the right to lodge a complaint with your local supervisory authority. We will respond to valid requests within the timeframes required by applicable law.
12. Children’s privacy
The Service is intended for businesses and individuals at least 18 years old (or the age of majority in their jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the revised policy on this page and update the “Last updated” date. Continued use of the Service after changes become effective constitutes acceptance of the updated policy where permitted by law.
14. Contact
Questions about this Privacy Policy or our data practices:
Operator: EXTHUS LTD trading as GR Widget
Email: support@grwidget.com
Website: grwidget.com
Legal name: EXTHUS LTD
Trading as: GR Widget
Registration: Registered in England and Wales
Company number: 17253986 (View on Companies House)
Registered office: 167-169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom
Corporate information: www.exthus.ltd