Skip to main content
SuchScore Privacy Policy — plain-language draft. We collect: email, name, password (hashed by Supabase), reviews, claim information, and standard server logs. Third-party providers: Supabase (database), Vercel (website), Railway (backend), Resend (email), Google (optional sign-in). We do not run advertising trackers, Google Analytics, Facebook Pixel, or any third-party tracking tools. We do not ask for CNIC or government identifiers. Available in English and Urdu via the language toggle at the top of the page.
Legal
Englishاردو

Privacy Policy

Plain language, no weasel words. What we keep, why, and what you can do about it.

Last updated: 1 May 2026

SuchScore exists to help people make better decisions about businesses. To do that we keep some of your information. This page explains exactly what we keep, why we keep it, who else can see it, and what you can do about it. We've written it the way we'd want a privacy policy written for ourselves — in plain language, with no weasel words.

1. Who runs SuchScore

SuchScore is operated by the SuchScore Team. Until SuchScore is incorporated as a registered company, you should treat the team as the data controller for the purposes of this policy.

For any privacy question, request, or complaint, write to support@suchscore.com. We respond to every email personally, usually within 24 hours.

2. What we collect

We collect different things depending on what you do on SuchScore.

When you create an account

  • Your email address
  • Your first and last name (or display name)
  • A password (which we don't see — it's hashed by our authentication provider)
  • Whether you signed up as a consumer or as a business
  • If you signed in via Google: your Google profile picture URL and the fact that Google verified your email

When you write a review

  • The business you reviewed
  • The star rating you gave
  • The text of your review
  • The date and time you submitted it

When you claim a business

  • Your role at the business (Owner, Manager, etc.)
  • A phone number we can use to verify the claim
  • Any evidence you give us to support the claim (e.g. links, descriptions)

Automatically, when you use the site

  • Standard server logs from our hosting providers — your IP address, the pages you requested, and timestamps. These are kept for security and debugging.
  • An authentication cookie that keeps you signed in. We explain this in more detail in our Cookie Policy.
What we don't collect:we don't track you across other websites. We don't run advertising or marketing trackers (no Facebook Pixel, no Google Analytics, no Hotjar, nothing of that kind). We don't ask for your CNIC, address, date of birth, or any government identifier.

3. Why we collect it

  • To run the platform: sign you in, show your reviews, link claims to your account, send transactional emails (claim acknowledgements, password resets, etc.).
  • To keep the platform safe: spot fake reviews, prevent abuse, investigate when someone reports a problem.
  • To improve the platform: understand which features are used and which aren't — but only by looking at aggregate patterns, never at individual users.
  • To keep you informed: send you updates about your claims, replies to your reviews, and (if you've left the marketing-emails option ticked at signup) occasional product news or partner brand updates. You can change this preference any time in your account settings, or unsubscribe via the link in any marketing email we send.
About marketing emails:when you create your account, you'll see a checkbox labelled “Email me about new features, businesses, and partner offers”. It's ticked by default, so you'll receive these emails unless you untick it before signing up. If you change your mind later, you can toggle this in your account settings or click “unsubscribe” in any marketing email — it works instantly. Transactional emails (claim approvals, password resets, replies to your reviews) are not affected by this setting; you'll always receive those because the platform doesn't work without them.

We don't currently send marketing emails. We expect to start sending them once we have a meaningfully large user base — likely sometime in our second year. When that begins, anyone who has unticked the box (or unsubscribed since) will not receive them.

When marketing emails do start, brands paying us to reach you will only ever see aggregateperformance — for example, “8,400 emails sent, 2,100 opened”. Brands will not see your name, email address, phone number, or whether you specifically opened or clicked. That information stays inside SuchScore. Brands will only ever receive your contact details if you explicitly choose to share them with that specific brand (for example, by filling out a form linked from one of their emails).

4. Who else sees your data

SuchScore relies on a small number of trusted technical providers to operate. These are the only third parties who hold any of your data, and they only hold it because we couldn't run SuchScore otherwise.

  • Supabase — stores our database (your account, reviews, claims). Hosted in the United States or European Union depending on region.
  • Vercel — serves the SuchScore website you're reading right now. May process IP addresses and standard request logs at the edge.
  • Railway — hosts the backend that responds to your actions on the site. Holds the same kinds of server logs as Vercel.
  • Resend — sends our transactional and (when you've opted in) marketing emails. They temporarily process your email address to deliver mail.
  • Google — only if you choose “Sign in with Google”. Google verifies your identity and shares your name, email, and profile picture with SuchScore.

Each of these providers has its own privacy commitments. We've chosen them because they are reputable and standard for products like SuchScore, but their data handling is ultimately governed by their own terms.

Beyond these providers, your data may be shared in only two other situations: (a) if a court or regulator with proper legal authority compels us to, or (b) if we transfer SuchScore (e.g. selling the company) — in which case we'd notify you in advance and the new operator would inherit the same commitments to you that we have today.

5. Where your data is stored

SuchScore is operated from the United Kingdom by a Pakistani founder, for users mostly in Pakistan, on infrastructure hosted in the United States and the European Union. Your data therefore travels internationally as part of normal operation. We've chosen providers that offer strong technical safeguards (encryption in transit and at rest, access controls, regular audits), but it's important you know that your data does not stay inside Pakistan.

6. How long we keep it

  • Your account information: until you delete your account.
  • Your reviews: indefinitely, even if you delete your account, because removing them would distort the rating of the businesses you reviewed. If you want a specific review removed, write to us — we will look at it case by case.
  • Claim records: indefinitely, for audit purposes (so we can show how a business came to be verified).
  • Server logs: typically 30 days at our hosting providers, after which they're rotated out automatically.
  • Marketing email engagement: aggregated within 90 days. Individual open/click events are deleted; only the aggregate stats survive.

7. Your rights

You can ask us to do any of the following at any time, by emailing support@suchscore.com:

  • See what we hold about you — we'll send you a copy.
  • Correct anything that's wrong — name, email, anything.
  • Delete your account — see the note about reviews above.
  • Opt out of marketing — unsubscribe link in every marketing email, or just write to us.
  • Withdraw consent — at any time, with no penalty. Withdrawal applies going forward; it doesn't undo things we did while you had consented.

If you're not happy with how we've handled a request, you can complain to whichever data protection authority has jurisdiction over you. In Pakistan, this will be the authority designated under the Personal Data Protection Bill once it is enacted. In the UK, it's the Information Commissioner's Office (ICO).

8. Security

Passwords are hashed by our authentication provider (Supabase), not stored in plain text. All traffic between your device and SuchScore is encrypted in transit (HTTPS). The database itself is encrypted at rest. We restrict who on the SuchScore team can access production data, and we log access for auditing.

That said, no online service is perfectly secure. If we ever discover a breach affecting your data, we will tell you about it as soon as we can — promptly, honestly, and with a clear explanation of what happened and what we're doing about it.

9. Children

SuchScore is not intended for anyone under 15 years old. We do not knowingly collect data from children under 15. If you are a parent or guardian and you believe a child has created an account on SuchScore, write to us at support@suchscore.com and we'll delete the account.

10. Changes to this policy

If we make a meaningful change to how we handle data — particularly anything that expands what we collect or how we share it — we will email everyone with an active account before the change takes effect, and we will update the “last updated” date at the top of this page. Smaller corrections (typo fixes, clearer wording for the same practice) we just make.

11. Talk to us

We're a small team. We read every email. If anything in this policy is unclear, makes you uncomfortable, or sounds like the kind of weasel-worded language we said we wouldn't use — tell us, and we'll fix it.

Privacy questions: support@suchscore.com
General contact: hello@suchscore.com
Security reports: security@suchscore.com

Draft notice: This privacy policy is a good-faith plain-language draft. Before public-scale launch, it should be reviewed by a lawyer familiar with Pakistan's PECA 2016, the forthcoming Personal Data Protection Bill, and UK GDPR where applicable.