Privacy & Data Protection

Privacy Policy

Learn how GMB Toolkit collects, uses, protects, and manages your data while helping you manage your Google Business Profile.

Effective Date: May 13, 2025

Who we are. GMB Toolkit ("we", "us", "our") provides software to connect and manage your Google Business Profile (GBP) locations from a single dashboard — including viewing and replying to reviews, publishing posts, and analyzing insights.

This Policy explains what data we collect, how we use it, how it is protected, and the choices you have. By using our services, you agree to the practices described here.

1 Data Controller & Contact

GMB Toolkit is the data controller for personal data processed through the app. For questions or requests, contact: privacy@gmbtoolkit.com

2 Data We Collect

  • Account Data: name, email, password (hashed), organization info, and user role.
  • Authentication Data: Google OAuth tokens required to access GBP on your behalf. We do not store your Google password.
  • GBP Content: business profile metadata, locations, hours, posts, media, reviews, review replies, Q&A, and insights returned by Google APIs.
  • Operational Data: automation rules, reply templates, posting schedules, message logs, webhook payloads, audit logs, and support communications.
  • Usage & Device Data: IP address, browser, pages viewed, and product telemetry for security and performance.
  • Billing Data: plan, invoices, and transaction references handled by our payment processor. We do not store full card details.

3 Google API Access & Scopes

We use Google OAuth 2.0 to request the minimum necessary access to your GBP. Depending on features you enable, we may request the following scope:

https://www.googleapis.com/auth/business.manage

This allows GMB Toolkit to manage your Business Profile locations, posts, reviews, and insights.

You can review and revoke our access anytime at myaccount.google.com/permissions

4 How We Use Data

  • Authenticate your account and connect your GBP locations.
  • Display GBP content such as reviews, posts, and insights in your dashboard.
  • Create and publish posts, and send review replies only when you instruct us manually or through automations you configure.
  • Provide analytics, alerts, and reports you opt into.
  • Secure the service through fraud prevention, debugging, auditing, and abuse monitoring.
  • Comply with legal obligations and enforce our Terms.

5 AI Features

When you use AI-assisted replies or suggestions, the text you provide — such as a review and your brand tone — may be sent to our AI processing provider strictly to generate the requested output.

We do not allow providers to train on your identifiable data. You may disable AI features at any time.

6 Legal Bases Under GDPR

  • Contract: to deliver the services you request.
  • Legitimate Interests: product improvement, security, and fraud prevention.
  • Consent: where required for marketing communications and certain analytics.
  • Legal Obligation: to meet compliance and record-keeping duties.

7 Data Retention

We retain personal data for as long as your account is active or as needed to provide the service.

You can request deletion of your account and associated data. We will delete or anonymize data not required for legal or security purposes within 30 days, and backups within 90 days.

8 Data Sharing & Sub-processors

We never sell your personal data. We share data only with vetted service providers who act on our instructions, such as cloud hosting, email delivery, logging, monitoring, analytics, payment processing, and AI processing.

A current list of sub-processors is available on request. Where required, we have Data Processing Agreements in place.

9 International Transfers

Data may be processed in countries other than your own. Where we transfer data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.

10 Security

  • Encryption in transit using TLS and encryption at rest for sensitive data, including OAuth tokens and refresh tokens.
  • Least-privilege access controls, audit logs, and regular security reviews.
  • Network isolation and automated backups.
  • Incident response process with notification to affected users if required by law.

11 Cookies & Tracking

We use strictly necessary cookies for authentication and session management, and optional analytics cookies to improve the product.

You can manage preferences through your browser settings and in-app controls where available.

12 Your Rights

Depending on your location, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to processing.

To exercise these rights, contact privacy@gmbtoolkit.com. We will verify requests and respond within applicable timelines.

13 Google API Services User Data Policy

Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We request only the scopes necessary for the features you enable and do not use Google data for advertising.

14 Children's Privacy

Our services are not directed to children under 16, and we do not knowingly collect their personal data.

If you believe a child has provided us data, contact us to delete it.

15 Managing Your Data

  • Disconnect Google: revoke access at myaccount.google.com/permissions or from the in-app connection page.
  • Export: request a machine-readable export of your content and configuration in JSON or CSV format.
  • Delete: request account deletion anytime by emailing privacy@gmbtoolkit.com

16 Changes to This Policy

We will post any privacy changes on this page and update the effective date.

We will notify you of material changes through email or in-app notices.

17 Contact

Questions or concerns? Email privacy@gmbtoolkit.com