woocommercegdprreviews

WooCommerce Reviews and GDPR: What Store Owners Need to Know

Third-party review plugins raise GDPR questions. Here is what leaves your server, what does not, and what to check in any plugin's privacy disclosures.

On this page
  1. What do WooCommerce review plugins typically send to third-party services?
  2. The GDPR question for review plugins
  3. What Sumzy sends
  4. The difference between collection plugins and summarization plugins
  5. What to look for in any third-party review plugin's privacy disclosures
  6. Your responsibilities as the data controller
  7. A next step

Adding any plugin that sends data to a third-party service brings a GDPR question with it. For review plugins, the question is specific: which parts of your customers' data leave your server, where do they go, and how long do they stay there? The answer changes significantly depending on what type of review plugin you are using - and whether you have read the plugin's privacy documentation carefully enough to know.


What do WooCommerce review plugins typically send to third-party services?

It depends entirely on what the plugin does. Collection plugins - those that send review request emails to customers - typically process customer names, email addresses, and order data. Display plugins that operate locally may send nothing at all. AI summarization plugins send review content to an AI processing service, but the exact scope of what is transmitted varies by plugin and should be documented in the plugin's privacy policy or external services disclosure. For Sumzy, an AI review summary plugin for WooCommerce, the data sent to the AI service is specifically: review text, the star rating for each review, a coarse recency band (for example, "within the last 6 months"), a product identifier, and your configured language and tone settings. No customer names, no email addresses, no order identifiers, no IP addresses, and no purchase history leave your server.


The GDPR question for review plugins

GDPR covers personal data - information that identifies or could identify a natural person. Article 4(1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person." The data you need to assess for your review plugin is: which of the data it touches counts as personal data under this definition?

For WooCommerce reviews, the answer depends on what the plugin processes:

Review text. Review content itself is generally not personal data in most cases - it is text about a product, not about the reviewer. However, a review that includes a customer's name ("I'm Sarah, I bought this for my son"), a location, or other identifying detail could tip into personal data. This is an edge case rather than a systematic risk, but it is worth being aware of.

Customer names and email addresses. These are clearly personal data. A review collection plugin that stores customer emails to send follow-up requests is processing personal data and requires a lawful basis, typically the legitimate interest of processing a review request under a purchase contract, or explicit consent.

Order data. Order IDs, purchase amounts, and order history are personal data when linked to an identified customer.

The important point: if a plugin sends customer names, email addresses, or order data to an external AI service to generate summaries, that transmission involves personal data and requires GDPR-compliant safeguards including a Data Processing Agreement with the service provider.


What Sumzy sends

To be precise about the data scope:

Sumzy sends to its AI processing service: the text content of product reviews, the star rating associated with each review, a coarse recency band indicating the approximate age of the review (for example, "recent" or "older"), the WooCommerce product identifier, and your configured output language and tone settings.

Sumzy does not send: customer names, customer email addresses, reviewer usernames, order identifiers, purchase amounts, IP addresses, or any data that identifies the reviewer.

The review text that is sent is the text that the reviewer chose to make public when they submitted their review. It is the same text that is already displayed on your product page for any visitor to read.

Data retention: after the AI service processes the review corpus and returns a summary, the raw review text is not retained by the AI service beyond the processing period. On the Batch API processing path, which is the primary processing method, review data may be held at the AI subprocessor (Anthropic) for up to approximately 29 days as part of the batch processing infrastructure. This is documented in Anthropic's data handling terms and is reflected in Sumzy's privacy policy and sub-processor disclosures at sumzy.io.

The generated summary - the output text - is stored in your own WordPress database. Sumzy does not store the summary on its own servers; the summary lives in your installation.


The difference between collection plugins and summarization plugins

This distinction matters for GDPR assessment and for understanding which type of plugin presents the higher privacy complexity.

Review collection plugins actively process personal data. They need the customer's email address to send a review request. They may need the order ID to verify the purchase. They may import the customer's name as a reviewer display name. For GDPR compliance, a collection plugin requires: a documented lawful basis for contacting customers, a Data Processing Agreement with any third-party email service, and a clear retention policy for customer contact data.

Display plugins that operate entirely locally - reading reviews from the WordPress database and presenting them in a custom layout - typically involve no personal data transmission at all. The data stays in your database, displayed to the visitor as the reviewer already intended.

Summarization plugins sit in the middle. They process review content to produce a summary. Whether they involve personal data depends on what they transmit. A plugin that sends full customer details alongside review text is handling personal data. A plugin that strips identifying information and sends only the review text, star rating, and product reference is handling content that may not qualify as personal data in most cases - with the edge-case caveat noted above about reviews that happen to contain identifying information.

WooCommerce review plugins: collection, display, and summarization covers this distinction in more detail if you are evaluating which category of plugin you need.


What to look for in any third-party review plugin's privacy disclosures

The WordPress plugin repository and plugin vendor sites are not always consistent about disclosing what data leaves the site. Before installing any plugin that touches review data, look for the following:

An "External services" or "Data transmission" section. A plugin's documentation should disclose any external services it sends data to, naming the service, describing what data is sent, and linking to the service's privacy policy. If this section is absent for a plugin that clearly uses an external AI service, that is a meaningful gap.

A named AI subprocessor. If the plugin uses AI to process reviews, there is an AI service receiving that data. The plugin's privacy documentation should name that service. "We use AI" without naming the provider is not a sufficient disclosure for GDPR purposes. You cannot enter into a DPA with an unnamed entity.

Retention periods. The privacy policy should state how long processed data is retained at the subprocessor. "Data is not retained" and "data is retained for 30 days" are both acceptable disclosures - what is not acceptable is no statement at all.

What personal data is excluded. A privacy disclosure that says "we send your review data to process summaries" without clarifying whether "review data" includes customer names and emails is ambiguous. Look for an explicit list of what is not sent, not just what is.

A Data Processing Agreement. If your store is established in the EU or serves EU customers, you should be able to request a DPA with any plugin vendor that processes data on your behalf. A vendor who cannot produce one is operating outside GDPR requirements.


Your responsibilities as the data controller

Under GDPR, your store is the data controller for your customers' data. Plugins that process that data on your behalf are data processors. This means:

  • Your privacy policy should disclose that reviews are summarized by an AI service, and name any third-party subprocessors involved.
  • You should have a DPA in place with the plugin vendor.
  • You should be able to respond to a customer's data subject access request by knowing where their data has been sent.

For most WooCommerce store owners, review text without identifying information sits in a low-risk zone, because most review text is already publicly visible and does not identify the reviewer as a natural person. The higher-risk processing is in collection plugins that hold email addresses and order history - that is where the more careful documentation is needed.


A next step

The WooCommerce review plugins comparison covers how different types of review plugins compare on data handling and other criteria. If you are evaluating plugins specifically for your privacy obligations, the scope differences between collection, display, and summarization plugins are the primary factor.

Sumzy's full privacy policy and sub-processor list are linked in the plugin documentation. The external services disclosure specifies exactly what data is sent and the Anthropic DPA reference for EU-based stores.

Sumzy offers a 14-day free trial, enough to summarize your whole catalog and see it live on your product pages. See the pricing page for plans.

Try Sumzy on your store

14-day free trial. Works with any WooCommerce theme.

Start free trial