Compliance
Effective May 22, 2026 · Version 1.0
This page maps how BAAM Review handles the regulations that matter for a US-focused review-collection platform — what we do, what you (the business owner) need to do, and what we don’t do. If you have a specific compliance question we haven’t covered, email privacy@baamplatform.com and we’ll add it here.
Google Review Content Policy
Google has clear rules about how reviews can be solicited. BAAM Review’s entire workflow is built around them:
- Authentic reviews only. Every review on the platform is written and posted by the actual customer in their own Google account. We don’t post on anyone’s behalf.
- No filtering of negative reviews. We don’t have, and have never had, the ability to hide a negative review from Google. The customer always clicks through to Google to post. What you can do is route low-rating customers to private feedback first (so they can vent to you instead of in public), but we never intercept a review that’s on its way to Google.
- No conditional incentives. The platform allows you to offer an incentive for leaving a review (any rating). It does not let you condition the incentive on a positive or 5-star review.
- No self-reviews. Owner and staff accounts on a location are flagged; the review-invitation system blocks them from being added as recipients.
- AI drafts are clearly drafts. The customer always sees and can edit (or replace) the AI-generated text before posting. The customer is the author.
Read the policy at support.google.com/contributionspolicy/answer/7400114.
Email — CAN-SPAM Act (US)
Every email BAAM Review sends on your behalf carries:
- A clear sender identification with the business name and a real physical address.
- An accurate, non-deceptive subject line.
- A working unsubscribe link processed within 10 business days (we process them within minutes).
- An indication of the email’s commercial nature where required.
Your obligation: only upload contacts that have an “established business relationship” with you (current or recent customers). Don’t upload purchased lists.
SMS — TCPA & 10DLC (US)
SMS rules are stricter than email. BAAM Review handles the platform-side mechanics:
- We register the sending phone numbers under 10DLC and route through a registered campaign with the appropriate use-case (Customer Care / Two-Factor / Marketing as applicable to your sending pattern).
- Every SMS includes a clear sender identifier and references your business name.
- We process STOP/UNSUBSCRIBE/QUIT/CANCEL/END within seconds, send the required confirmation, and never re-send to a number that opted out — even if you re-upload it.
- We process HELP with a response that identifies the sender and offers contact info.
- We respect quiet hours (8 am – 9 pm in the recipient’s local time zone, derived from area code).
Your obligation: only message recipients who have given express consent (TCPA written-consent standard for marketing messages, or established-business-relationship for transactional ones). Document consent — Twilio may ask for proof during campaign approval. Don’t use SMS for prospecting.
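The opt-out, HELP and quiet-hour mechanics described above, as an added example that is not BAAM Review’s code (the business name, contact address and area-code table are constructed, and DST is ignored):

```python
# Added example (not BAAM Review's own code): inbound-keyword handling,
# a re-upload-proof suppression list, and quiet-hour gating. Business name,
# contact info and the area-code table are constructed; DST is ignored.
from datetime import datetime, time, timedelta, timezone

OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "QUIT", "CANCEL", "END"}
HELP_KEYWORDS = {"HELP"}
QUIET_START, QUIET_END = time(8, 0), time(21, 0)  # 8 am - 9 pm local
# Constructed sample: area code -> standard-time UTC offset in hours.
AREA_CODE_UTC_OFFSET = {"212": -5, "312": -6, "415": -8}


def area_code(number):
    """Strip a leading +1 country code and return the 3-digit area code."""
    digits = number.lstrip("+")
    return digits[1:4] if digits.startswith("1") else digits[:3]


class SmsCompliance:
    def __init__(self, business_name, contact_info):
        self.business_name = business_name
        self.contact_info = contact_info
        self.suppressed = set()  # opt-outs; kept separate from uploads
        self.recipients = set()

    def upload_contacts(self, numbers):
        """Add contacts, silently skipping anyone who has opted out."""
        self.recipients.update(n for n in numbers if n not in self.suppressed)
        return len(self.recipients)

    def handle_inbound(self, sender, body):
        """Return the reply for an inbound SMS, or None if none is required."""
        words = body.strip().upper().split()
        keyword = words[0].strip(".!") if words else ""
        if keyword in OPT_OUT_KEYWORDS:
            self.suppressed.add(sender)
            self.recipients.discard(sender)
            return f"{self.business_name}: You're unsubscribed and will not receive further messages."
        if keyword in HELP_KEYWORDS:
            return f"{self.business_name}: Reply STOP to opt out. Contact: {self.contact_info}"
        return None

    def can_send(self, number, now_utc):
        """Allow a send only if not suppressed and inside 8 am - 9 pm local."""
        if number in self.suppressed:
            return False
        offset = AREA_CODE_UTC_OFFSET.get(area_code(number))
        if offset is None:
            return False  # unknown zone: fail closed rather than risk a violation
        local = (now_utc + timedelta(hours=offset)).time()
        return QUIET_START <= local < QUIET_END
```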
CCPA & CPRA — California
California residents have the right to:
- Know what personal info we hold about them.
- Delete personal info we hold (subject to legal retention requirements).
- Correct inaccurate personal info.
- Opt out of “sale” or “sharing” of personal info. BAAM Review does not sell or share personal info as those terms are defined under CCPA/CPRA. There’s nothing to opt out of, but we honor the request anyway.
- Limit use of sensitive personal info. We don’t process sensitive PI (race, religion, health, biometrics, government IDs, precise geolocation).
- Non-discrimination for exercising any of the above.
To exercise any of these rights as a California resident, email privacy@baamplatform.com with “CCPA request” in the subject. We respond within 45 days. If you’re an authorized agent acting for someone else, include verification.
GDPR & UK GDPR — EU / UK
BAAM Review is not marketed in the EU or UK; our infrastructure is in the United States. If you signed up while located in the EU or UK, you have the rights of access, rectification, erasure, restriction, data portability, and objection. The legal basis for processing is contractual necessity (operating the service you bought) and our legitimate interest in security, fraud prevention, and improving the product.
Cross-border transfers are covered by Standard Contractual Clauses — see §8 of the DPA.
HIPAA — healthcare data
BAAM Review is not a HIPAA Business Associate and does not sign Business Associate Agreements at the current pricing tier. If you operate a medical practice, you can use BAAM Review to send review-request messages provided you don’t include Protected Health Information (PHI) in the customer record — name + contact info + appointment-date is permissible under the “limited data set” exception, but specific diagnoses, treatment details, or insurance info are not.
We’re evaluating a HIPAA-compliant infrastructure path (AWS + signed BAAs with sub-processors) for a future pricing tier. If this matters to you, email support@baamplatform.com and we’ll add you to the wait-list.
Accessibility (ADA / WCAG)
We target WCAG 2.1 AA compliance for the customer-facing review-collection page (the page your customers see). Specifics:
- Color contrast ratios meet AA on all text + interactive elements.
- All form fields have proper labels; radio groups have fieldset/legend.
- Page works with keyboard navigation; focus rings are visible.
- The page is responsive down to 320px wide and supports text reflow at 200% zoom.
- Language is declared via the lang attribute so screen readers pronounce correctly.
The admin app at review.baamplatform.com is held to the same standard with one exception: complex data tables in analytics sections may not be fully optimized for screen-reader navigation. We’re working on it.
Section 230 — third-party content
Reviews are user-generated content posted to Google. Once posted, they live in Google’s system, not ours. We’re a passive platform between you and Google — not the publisher of the review text — and rely on the protections of Section 230 of the Communications Decency Act for that posture.
Security & SOC 2
BAAM Platform Inc. is not currently SOC 2 certified. Our sub-processors (Supabase, Vercel, Stripe, Resend, Twilio, Anthropic) are all SOC 2 Type II certified or equivalent, and the data they touch is encrypted in transit and at rest. We follow the security measures described in §7 of the DPA.
SOC 2 Type II certification is on our roadmap for the year after we reach 500 paying business accounts. Email us if your buying process requires it sooner — we can sometimes accelerate or provide equivalent assurance.
Children — COPPA
BAAM Review is not directed at children under 13 and we don’t knowingly collect data from anyone in that age range. If you operate a business that serves families, never upload a child as the customer contact — upload the parent or guardian.
Anti-spam DKIM / SPF / DMARC
Email deliverability is a compliance issue too — landing in spam wastes the recipient’s attention as much as it wastes your money. We:
- Send through Resend with proper SPF, DKIM (selector-rotation), and DMARC policies on baamplatform.com.
- Offer per-location custom sending domains (sender verified through Resend) for accounts that want emails to land in Primary instead of Promotions.
- Monitor bounce rates and automatically suppress addresses that bounce hard or generate complaints.
- Honor list-unsubscribe headers for one-click unsubscribe in Gmail and Outlook.
Reporting a concern
If you believe BAAM Review or a business using it has violated the above, email compliance@baamplatform.com. We investigate within 7 business days. For urgent matters (impersonation, abuse, security), label the subject line URGENT.
Updates
We’ll add new sections here as the platform grows into new regulatory territory (HIPAA BAA, SOC 2, additional state privacy laws). Material changes are emailed to business-owner accounts at least 30 days before they take effect.