This Privacy Policy describes how GBP Ninja ("we", "us") collects, uses, stores, and shares information when you use our Google Business Profile management platform.
1. Information We Collect
From you directly:
- Name, email address, and profile picture (via Google Sign-In).
- Account configuration: organisations, team members, automation rules.
- Content you upload: posts, media images, services, products.
From Google APIs (with your explicit OAuth consent):
- Google Business Profile listings: business name, address, hours, categories, attributes, photos, posts, reviews, Q&A, services, products.
- Business Profile Performance metrics: impressions, calls, direction requests, website clicks.
- Google Search Console data: site queries, pages, indexing status (only for properties you connect).
- OAuth tokens (access & refresh) — stored encrypted to authenticate API calls on your behalf.
Technical data:
- IP address, browser fingerprint, session cookies (for security and analytics).
- Server logs of API requests, errors, and feature usage.
2. How We Use Your Information
- Provide, maintain, and improve the Service.
- Read and modify your Google Business Profiles only as you direct (e.g. creating a post, replying to a review).
- Generate AI suggestions for review replies, descriptions, and post drafts. Your data is sent to Google's Gemini API for processing — we do not train models on your data.
- Send transactional emails (login OTPs, automation alerts, weekly digests).
- Detect and prevent abuse, fraud, and security incidents.
- Comply with legal obligations.
3. Google API Services User Data Policy
GBP Ninja's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve user-facing features of GBP Ninja.
- We do not transfer Google user data to others except as necessary to provide the Service, comply with applicable law, or as part of a merger / acquisition.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data except with your explicit consent, for security investigations, or where required by law.
4. How We Share Information
We do not sell your data. We share data only with:
- Service providers: hosting (DigitalOcean), database (MongoDB Atlas), email (Resend), AI (Google Gemini). Each is bound by data-processing agreements.
- Team members in your organisation: data you add is visible to other users you invite.
- Legal authorities: if required by law, court order, or to protect rights and safety.
5. Data Retention
- Account data: kept while your account is active.
- Google Business Profile data: cached for up to 12 months; refreshed periodically.
- OAuth tokens: kept until you revoke access or delete your account, encrypted at rest.
- Server logs: 90 days.
- Backups: 30 days rolling.
When you delete your account, we delete personal data within 30 days, except where retention is required by law.
6. Your Rights
Depending on your jurisdiction (GDPR, CCPA, etc.), you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and data.
- Export your data in a portable format.
- Revoke Google OAuth access via Google Account Permissions.
- Object to certain processing or withdraw consent.
Email support@helpinglocalbusinessowners.com to exercise any of these rights.
7. Security
We use industry-standard practices: HTTPS everywhere, AES-256 encryption for OAuth tokens at rest, hashed authentication tokens, server-side rate limiting, and least-privilege database access. No system is perfectly secure — please use a strong password and enable two-factor authentication on your Google account.
8. Children
GBP Ninja is not intended for children under 18. We do not knowingly collect personal information from children.
9. International Transfers
Our servers are hosted in India and Singapore. By using the Service you consent to your data being processed in these locations.
10. Changes to This Policy
We may update this Policy. Material changes will be announced via email or in-app notification. The "Last updated" date at the top reflects the most recent revision.