Section 1 — Google Review Policy Compliance

Fully Compliant with Google’s Review Guidelines Google’s official policy for merchants using review tools is clear: you must not discourage or prohibit negative reviews, selectively solicit positive reviews, offer incentives for reviews, or filter customers before sending a review request. This is commonly called “review gating,” and Google has prohibited it since 2018. Violations can result in review removal, ranking suppression, or full suspension of your Google Business Profile.

MTSFlow is designed from the ground up to follow these rules. We never: • Pre-screen customers by sentiment, satisfaction score, or any other filter before asking for a review. • Send the Google review link only to “happy” customers. • Block, delay, or hide negative public reviews from your Google profile. • Encourage customers to revise or remove reviews. • Generate fake reviews or accept paid reviews from third parties. What we do instead: send one neutral request to every customer you add, with the same set of options on the response page. Reference: Google’s official policy is published at support.google.com/contributionpolicy (Maps User Generated Content Policy).

Section 2 — How Our Request Flow Works One

Flow. Every Customer. Same Choice. Here is exactly what happens when you send a review request through MTSFlow:

Step 1 — You add the customer You upload a customer list, add a single customer manually, or trigger a request via your scheduling tool. MTSFlow does not ask for customer satisfaction scores, ratings, or any other filter at this stage. Every customer is treated the same.

Step 2 — The customer receives one neutral request The email or WhatsApp message asks the customer to share their experience. It does not ask for a positive review. It does not ask how satisfied they were before providing the link. It does not say “if you had a good experience, please leave a review.” Every customer receives the same message.

Step 3 — The customer lands on a page with two options Every customer — regardless of who they are, what they bought, or how their experience went — lands on the same page when they click the link.

The page offers two options, shown equally:
• Option A: Leave a review on Google (links directly to your Google Business Profile).
• Option B: Send private feedback to the business (fills a form that goes to the business owner only).

Both options are visible to every customer. The customer chooses. MTSFlow does not make the choice for them based on predicted satisfaction, and does not hide either option from any customer.

Why this is compliant
Google’s policy allows businesses to offer customers a way to give private feedback. What it prohibits is directing customers to Google only when the business expects the review to be positive. Because every customer sees both options equally, and because the customer — not the software — chooses, MTSFlow’s flow is fully within policy. The one sentence that defines our compliance Every customer gets the same request, lands on the same page, and sees the same two options. MTSFlow never filters, routes, or selects customers based on their likely rating.

Section 3 — FTC Compliance (2024 Rule on Customer Reviews)
Aligned with the FTC’s 2024 Rule on Deceptive Reviews In October 2024, the US Federal Trade Commission finalized a rule targeting fake and suppressed customer reviews.
The practices it prohibits include:
• Buying positive reviews or paying for reviews without disclosure.
• Generating AI or fake reviews and publishing them as real.
• Suppressing honest negative reviews through legal threats or filtering systems.
• Using insider reviews (employees, family, contractors) without disclosure.
• Review hijacking (reusing reviews from one product on a different product).
MTSFlow is designed so that businesses using it stay on the right side of this rule. We do not generate reviews, pay for reviews, edit reviews, or suppress reviews. We send neutral requests and let customers speak for themselves.

Section 4 — What MTSFlow Will Never Do Our Commitments to You and Your Customers These are not marketing claims. They are technical design choices:
• We will never filter customers by satisfaction before sending a review request.
• We will never send the Google review link to some customers and not others based on expected sentiment.
• We will never generate, buy, or sell fake reviews.
• We will never offer customers incentives (discounts, gifts, cash) to leave reviews on your behalf.
• We will never hide, delete, or suppress reviews that have already been posted publicly.
• We will never share your customer data with third parties for marketing or resale.
• We will never auto-reply to reviews without your approval (AI replies are drafts you review).
• We will never send requests without daily sending limits that keep your account pattern natural.

Section 5 — Data Privacy & GDPR

How We Handle Your Customer Data When you upload a customer list or add customers individually, MTSFlow processes their data as a processor on your behalf.
You remain the data controller — you are responsible for having a lawful basis to contact those customers.
Here is how MTSFlow handles the data once it reaches us:
• Encryption in transit — all data sent between your browser and our servers uses HTTPS (TLS 1.2+).
• Encryption at rest — customer records and feedback are stored in encrypted databases.
• Data minimization — we only collect the fields needed to send a request (name, email or phone, business context).
• Retention — customer data is retained while your account is active and deleted within 30 days of account closure upon request.
• Subprocessors — we use reputable infrastructure providers (email delivery, WhatsApp Business API, cloud hosting) listed in our Data Processing Addendum.
• No resale — we do not sell, rent, or share customer data with marketing partners.
• Right to access and delete — data subjects can request access, correction, or deletion of their data at any time through your business or directly through our support. GDPR (EU) and CCPA/CPRA (California) give individuals rights over their personal data. If you operate in these regions, you remain responsible for fulfilling data subject rights.

MTSFlow provides the tools to honor deletion, access, and export requests. Data Processing Addendum (DPA): available on request at allen@mtsflow.com for customers who require one to comply with GDPR Article 28 or similar regulations.

Section 6 — Email Compliance (CAN-SPAM, CASL, and More) Email & Messaging Compliance

When you send review requests through MTSFlow, the requests go to your own customers — people who have transacted with your business.
The rules that apply depend on where your customers are located:
• United States (CAN-SPAM): commercial emails must include the sender’s physical address, a clear unsubscribe link, honest subject lines, and must honor opt-outs within 10 business days.
• Canada (CASL): commercial electronic messages require express or implied consent, along with sender identification and an unsubscribe mechanism.
• European Union (ePrivacy + GDPR): consent requirements are stricter; you should have a lawful basis for contacting each customer.
• WhatsApp Business API: Meta’s policies require that you only message customers who have opted into WhatsApp contact from your business within the last 24 hours, or via approved template messages. MTSFlow includes the compliance mechanics in every message by default:
• An unsubscribe link is included in every email review request.
• Your business’s address is automatically added to the email footer.
• WhatsApp templates are pre-approved by Meta before they can be used at scale.
• Opt-outs are honored automatically — a customer who opts out will never receive another request from your account. You are responsible for having a lawful basis to contact your customers in the first place.

MTSFlow is a tool — it does not verify consent on your behalf.

Section 7 — HIPAA Notice (Important for Healthcare & Medspa Businesses)

MTSFlow Is Not HIPAA-Compliant Read this if you work in healthcare, medspa, dental, or wellness. MTSFlow is not a HIPAA-compliant platform.

We do not sign Business Associate Agreements (BAAs), and our infrastructure is not configured for Protected Health Information (PHI). Do not upload patient medical records, treatment notes, diagnoses, or any other information covered by HIPAA into MTSFlow. What this means in practice MTSFlow is safe to use in healthcare, medspa, dental, and wellness settings — as long as the data you put into our system is limited to what is appropriate for a review request. Specifically:

Fine to use in MTSFlow
• Customer first name and last name (or just first name).
• Customer email address or phone number.
• The date the customer visited your business.
• A general reference to the business category (e.g., “medspa visit” or “dental appointment”).

Do NOT upload to MTSFlow
• Specific treatments, procedures, or medications (e.g., “Botox 40 units,” “root canal tooth #14”).
• Medical history, diagnoses, or conditions.
• Lab results, test outcomes, or clinical notes.
• Insurance information or claim details.
• Any information you would not be comfortable being stored outside your EHR/EMR system.

Why MTSFlow is still useful for healthcare businesses

A review request does not need to mention any protected health information. You are simply asking a customer to share their experience with your business.

A typical compliant MTSFlow request looks like this: “Hi Sarah, thanks for visiting [Clinic Name] last week. If you have a minute, we’d love to hear about your experience. [Link] Thanks, Dr. [Name]” Nothing in that message is PHI.

It’s a customer communication — legal, compliant, and exactly what most healthcare businesses send via their standard email system already.

MTSFlow just automates it. If you need a HIPAA-compliant review tool If your workflow requires uploading PHI into the review tool itself (e.g., triggering requests automatically from your EHR), you will need a HIPAA-compliant vendor with a signed BAA. Some options in the market offer this — expect to pay significantly more. MTSFlow is a good fit. For the large majority of healthcare and medspa businesses who send requests using only name and contact information.

It is not the right tool for practices that want to pipe full patient records into their review system.

Questions about HIPAA scope: reach out at support@mtsflow.com and we’ll help you think through whether MTSFlow fits your specific setup.

Section 8 — FAQ for Compliance-Conscious Buyers Compliance

FAQ Can MTSFlow cause my Google Business Profile to be suspended?

Not if you use it as designed. MTSFlow’s request flow, sending limits, and content templates are built to comply with Google’s policies. What can cause a suspension is if you import fake customers, use incentives outside MTSFlow, or buy review lists — practices MTSFlow does not support. Suspension risk is far lower with MTSFlow than with manual review requests sent from a personal email.

How is MTSFlow different from review gating tools?
The difference is whether the software filters customers by predicted sentiment before choosing what to show them. Gating tools do this — often silently, inside a “smart funnel.” MTSFlow does not. Every customer receives the same request and lands on the same page with the same two options (public Google review or private feedback). The customer decides. The software does not.

Do you offer a Business Associate Agreement (BAA) for HIPAA?

No. MTSFlow is not HIPAA-compliant.

See Section 7 above for what this means in practice — most healthcare and medspa businesses can still use MTSFlow safely, as long as they do not upload Protected Health Information into the system.

Do you sign Data Processing Addendums (DPAs)?

Yes, for customers who need one to comply with GDPR, CCPA, or similar regulations. Email allen@mtsflow.com and we’ll send a signed DPA within 2 business days.

Where is my data stored?
MTSFlow is hosted on hostinger. Backups are encrypted. For customers who require data residency in a specific region, please contact us before subscribing.

What happens to my data if I cancel?

Your account is deactivated immediately. Your data is retained for 30 days in case you reactivate, then permanently deleted.

You can request immediate deletion at any time by emailing support@mtsflow.com.

Can I download my customer data and review history?

Yes. All plans include CSV export of customer lists, requests sent, reviews received, and analytics. You own your data.

Do you have SOC 2 certification?

Not currently. MTSFlow follows industry-standard security practices (encryption in transit and at rest, access controls, audit logging), and we are evaluating SOC 2 Type 2 certification as we scale. Enterprise customers who need SOC 2 today should contact us directly to discuss.

What if I get a bad Google review after using MTSFlow?

You will still get negative public reviews from time to time. That is how a fair and compliant review system works — and customers and Google trust your business more because of it. MTSFlow alerts you immediately when a new review is posted so you can respond quickly. Research shows that responding fast and professionally to negative reviews often converts unhappy customers into repeat ones, and signals to Google that you are an engaged business (which helps your local ranking).

Can I see a copy of the request email and the response page before signing up?

Yes. Email us at support@mtsflow.com and we’ll send you screenshots of the exact email template, the WhatsApp message, and the customer-facing response page. We believe compliance should be demonstrable, not just claimed.

Final Section — Trust Signals & CTA Compliance

You Can Verify MTSFlow’s approach is built into the product, not bolted on as a marketing claim. If you have specific questions about compliance in your industry or jurisdiction, we’re happy to walk you through the details before you sign up. Questions?

Email support@mtsflow.com Or start your 14-day free trial — no credit card required.