Data Protection & Privacy Rights

GDPR Compliance

How GMB Toolkit complies with the General Data Protection Regulation and protects the rights of EU/EEA users and beyond.

Effective Date: May 13, 2025

Our commitment to GDPR. GMB Toolkit is committed to protecting the personal data of all users, including those in the European Union and European Economic Area. We have designed our platform according to the principles of privacy by design and by default.

This page outlines how we comply with the General Data Protection Regulation (GDPR) (EU) 2016/679, your rights under GDPR, and how to exercise them. Even if you are outside the EU, many of these protections apply to you.

1 Who Is the Data Controller?

GMB Toolkit (operated by SAER Technologies, Jaipur, Rajasthan, India) acts as the Data Controller for personal data you provide when registering and using our platform.

For data retrieved from Google APIs on your behalf, you (the user) remain the data controller and GMB Toolkit acts as a Data Processor.

For GDPR-related requests, contact our Data Protection contact at: privacy@gmbtoolkit.com

2 Legal Bases for Processing

We only process your personal data when we have a valid legal basis under GDPR Article 6:

| Legal Basis | When We Use It |
|---|---|
| Contract | Providing the platform, processing payments, delivering features you subscribe to |
| Legitimate Interests | Security monitoring, fraud prevention, product improvement, abuse detection |
| Consent | Marketing emails, optional analytics cookies, non-essential communications |
| Legal Obligation | Tax records, compliance with court orders, regulatory requirements |

3 Your Rights Under GDPR

Under GDPR, you have the following rights regarding your personal data:

  • Right to Access: Request a copy of all personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete personal data we hold.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Restrict Processing: Ask us to limit how we use your data in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Right Not to Be Profiled: Object to automated decision-making or profiling that significantly affects you.

To exercise any of these rights, email us at privacy@gmbtoolkit.com. We will respond within 30 days and may request identity verification before processing your request.

4 Data We Collect & Why

  • Account Data (name, email, password hash) — necessary to create and secure your account under contractual basis.
  • Google OAuth Tokens — necessary to connect and manage your Google Business Profile on your instruction. Encrypted at rest.
  • GBP Content (reviews, posts, insights) — fetched from Google APIs solely to display and operate features you have activated.
  • Usage Data (IP, browser, pages visited) — collected under legitimate interests for security and fraud prevention.
  • Communication Data (support emails) — retained to resolve issues and improve support quality.

5 Data Minimisation & Purpose Limitation

We collect only the data strictly necessary for the purposes stated. We do not use your data for any purpose incompatible with what is described in this policy or our Privacy Policy.

We request only the minimum Google API scope required: https://www.googleapis.com/auth/business.manage. We never request broader access than the features you enable require.

6 Data Retention

  • Account data is retained as long as your account is active.
  • Upon account deletion, personal data is deleted or anonymized within 30 days from production systems and within 90 days from encrypted backups.
  • Some data may be retained longer where required by law (e.g. tax records for 7 years under Indian law).
  • Anonymized, aggregated analytics data may be retained indefinitely as it cannot identify you.

7 International Data Transfers

GMB Toolkit is based in India. Your data may be processed in India and by sub-processors located in other countries, including the United States (e.g. cloud hosting, AI processing).

Where we transfer data to countries outside the EU/EEA that do not have an adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data Processing Agreements (DPAs) with all sub-processors.
  • Appropriate technical safeguards including encryption in transit and at rest.

8 Data Processing Agreement (DPA)

If you use GMB Toolkit to process personal data of your own customers or clients (for example, if you are an agency managing GMB for clients), you may require a Data Processing Agreement with us.

Request a DPA
Email privacy@gmbtoolkit.com with subject "DPA Request" and we will provide a signed DPA within 5 business days.

9 Security Measures

  • Encryption in transit — all data transmitted using TLS 1.2 or higher.
  • Encryption at rest — OAuth tokens and sensitive fields are encrypted using AES-256.
  • Access controls — least-privilege access, role-based permissions, and audit logging.
  • Regular reviews — periodic security assessments and dependency vulnerability scanning.
  • Incident response — breach notification to affected users and supervisory authorities within 72 hours where required by GDPR Article 33.

10 Sub-processors

We use trusted third-party sub-processors to operate our services. All sub-processors are bound by Data Processing Agreements and provide adequate GDPR protections.

  • Cloud Hosting — server infrastructure and database storage
  • Email Delivery — transactional email sending (OTP, notifications)
  • AI Processing — Anthropic Claude API for AI-generated review replies
  • Payment Processing — billing and subscription management
  • Error Monitoring — application error tracking and performance monitoring

A full list of sub-processors is available on request at privacy@gmbtoolkit.com

11 Privacy by Design

We integrate data protection into our development process from the start:

  • New features are assessed for privacy impact before development begins.
  • We default to the most privacy-protective settings where technically feasible.
  • Personal data is pseudonymized or anonymized wherever possible in analytics and logs.
  • We do not build advertising profiles or sell data to third parties under any circumstances.

12 Supervisory Authority & Complaints

If you are in the EU/EEA and believe we have not handled your data in compliance with GDPR, you have the right to lodge a complaint with your local supervisory authority.

We ask that you first contact us at privacy@gmbtoolkit.com so we can attempt to resolve the issue directly.

A list of EU supervisory authorities is available at edpb.europa.eu

13 Children's Data

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact us immediately and we will delete it promptly.

14 Changes to This Page

We may update our GDPR compliance information as our platform evolves or regulations change. Material updates will be communicated via email or in-app notice. We encourage you to review this page periodically.

15 Contact Our Data Protection Contact

For all GDPR-related requests, questions, or concerns:

  • Email: privacy@gmbtoolkit.com
  • Subject line: "GDPR Request — [Your Request Type]"
  • Response time: Within 30 days as required by GDPR Article 12
  • Address: SAER Technologies, Jaipur, Rajasthan, India