How ReviewTower protects your data
Connecting your App Store Connect and Google Play accounts means trusting us with sensitive credentials. We take that seriously. ReviewTower is built on two principles: least privilege — we only request the minimum permissions required to read reviews and post replies — and encryption at rest — your credentials are never stored in plain text.
Credential storage
Your App Store Connect API key and Google Play service account credentials are encrypted at rest using industry-standard encryption before being persisted to the database.
All data is stored in Supabase Postgres with row-level security (RLS) enabled. Every organization's data is isolated at the database level — no application-level switch or bug can expose one organization's credentials to another.
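As an added illustration (not ReviewTower's actual schema or policies), this is what per-organization isolation with Postgres RLS typically looks like on Supabase, followed by two catalog queries for checking that it is really in force. The table, column and policy names are hypothetical; `auth.uid()` and the `authenticated` role are Supabase's built-ins.

```sql
-- Hypothetical schema: table and column names are assumptions, not ReviewTower's.
CREATE TABLE org_members (
    org_id  uuid NOT NULL,
    user_id uuid NOT NULL,
    PRIMARY KEY (org_id, user_id)
);

CREATE TABLE store_credentials (
    id               uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id           uuid  NOT NULL,
    store            text  NOT NULL CHECK (store IN ('app_store', 'google_play')),
    encrypted_secret bytea NOT NULL   -- ciphertext only; encrypted before insert
);

-- Without ENABLE, policies are ignored. FORCE applies them to the table owner too.
ALTER TABLE org_members       ENABLE ROW LEVEL SECURITY;
ALTER TABLE org_members       FORCE  ROW LEVEL SECURITY;
ALTER TABLE store_credentials ENABLE ROW LEVEL SECURITY;
ALTER TABLE store_credentials FORCE  ROW LEVEL SECURITY;

-- A user sees only their own membership rows.
CREATE POLICY member_self ON org_members
    FOR SELECT TO authenticated
    USING (user_id = auth.uid());

-- Credentials are visible and writable only within the caller's organizations.
CREATE POLICY creds_same_org ON store_credentials
    FOR ALL TO authenticated
    USING      (org_id IN (SELECT org_id FROM org_members WHERE user_id = auth.uid()))
    WITH CHECK (org_id IN (SELECT org_id FROM org_members WHERE user_id = auth.uid()));

-- Audit 1: tables in the public schema that have RLS off or not forced.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relnamespace = 'public'::regnamespace
  AND relkind = 'r'
  AND NOT (relrowsecurity AND relforcerowsecurity);

-- Audit 2: roles that skip every policy regardless of the settings above.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolsuper OR rolbypassrls;
```

Any role returned by the second query is not constrained by the policies, so connections made with such a role have to be restricted by other means.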
What we access
We request only the permissions needed to read reviews and post replies.
App Store Connect
- ✓ Read customer reviews
- ✓ Post replies to reviews
- ✗ Sales data or financial reports
- ✗ App binaries or TestFlight builds
- ✗ Developer account or payment info
Google Play Console
- ✓ Read reviews (via Android Publisher API)
- ✓ Post replies to reviews
- ✗ Sales reports or earnings data
- ✗ APK / AAB uploads or releases
- ✗ Billing or subscription management
How to revoke access
You can remove ReviewTower's access at any time from within each store console. Revoking credentials from the store immediately prevents any further syncing.
App Store Connect
- Sign in to App Store Connect
- Go to Users and Access → Integrations → App Store Connect API
- Find the ReviewTower API key
- Click Revoke
Google Play Console
- Open Google Play Console
- Go to Setup → API access
- Find the ReviewTower service account
- Click Remove access, or delete the key in Google Cloud Console
You can also disconnect an app directly from your ReviewTower settings, which will delete the stored credentials from our database.
Reporting a vulnerability
If you discover a security vulnerability in ReviewTower, please report it responsibly. Do not file a public GitHub issue or post on social media before we've had a chance to address it.
Email us at security@reviewtower.io with a description of the issue, steps to reproduce, and potential impact. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.