Skip to main content
Skip to main content

Privacy Policy

Last updated: April 2026

1. Information We Collect

We collect information you provide directly, such as your name, email address, and payment information when you create an account or subscribe to our services. We also collect information about the subjects of reputation management campaigns, including publicly available online content.

2. How We Use Your Information

We use your information to provide, maintain, and improve our services, including discovering and analyzing online content, generating strategies, creating and publishing content, and monitoring search results. We also use your information to communicate with you about your account and our services.

3. Data Security

We implement industry-standard security measures to protect your data. All data is encrypted at rest and in transit. Access to campaign data is restricted on a need-to-know basis. Credentials for third-party platforms are stored using AES-256 encryption with key rotation.

4. Data Retention

We retain your account data for as long as your account is active. Campaign data, including published content records and SERP tracking history, is retained for the duration of your subscription plus 90 days. You may request deletion of your data at any time.

5. Third-Party Services

We use third-party services for payment processing (Stripe), AI content generation (Anthropic, OpenAI), and email delivery. These services have their own privacy policies. We do not sell your personal information to third parties.

5b. SMS / Mobile Messaging Privacy

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All other categories of personal information exclude text messaging originator opt-in data and consent — this information will not be shared with any third parties.

Messages sent on behalf of our business clients. When you provide your mobile phone number and consent to receive SMS messages through one of our business clients, we collect and use your phone number solely for the purpose of delivering survey and feedback messages on behalf of that business. Your phone number is used exclusively to send the messages you have consented to receive (such as customer feedback surveys and follow-up reminders).

Messages sent by BrandAmplifi to our own account holders. Separately, BrandAmplifi LLC sends a limited set of transactional SMS messages directly to people who hold a BrandAmplifi platform account — password reset codes, 2FA codes, trial and billing reminders, login security alerts, and support ticket notifications. You opt in during signup or in your Notification Settings at brandamplifi.com. Frequency is up to 4 messages per month per account.

We do not sell, rent, share, or otherwise disclose your mobile phone number, mobile opt-in data, SMS consent records, or any personal information collected via SMS with any third parties or affiliates for their marketing or promotional purposes. Mobile information including phone numbers and SMS consent data is never shared with any third parties for cross-context behavioral advertising or marketing. You may opt out at any time by replying STOP to any message. For more information, see our SMS Terms of Service.

5c. Google API Services User Data Policy Disclosure

BrandAmplifi's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

About BrandAmplifi

BrandAmplifi is a multi-tenant SaaS platform operated by BrandAmplifi LLC (Sheridan, Wyoming, USA) that helps multi-location businesses manage their online reputation, local listings, customer feedback, and review responses across Google, Facebook, Instagram, LinkedIn, Apple Maps, Bing, Yelp, and other directories. Our customers are agencies and brands that operate multiple physical locations and have authorized our platform to act on their behalf.

Which Google API We Use

BrandAmplifi requests access to the Google Business Profile API(formerly “Google My Business API”) so that authenticated customers can manage their own Google Business Profile locations from inside the BrandAmplifi dashboard.

OAuth Scopes Requested

We request a single Google OAuth scope:

https://www.googleapis.com/auth/business.manage

This is a Google-classified sensitive scope. It is the minimum scope required to read and write to a Google Business Profile location that the connecting Google account already has permission to manage. We do not request any other Google scopes (no Drive, Gmail, Calendar, Contacts, YouTube, Photos beyond what GBP itself surfaces, or Search Console).

What Data We Read

From the Google Business Profile API, we read:

  • Account & location list the connecting Google account already manages
  • Location profile fields (name, categories, address, phone, hours, attributes, service area, website, opening date)
  • Reviews left on the location (reviewer display name, star rating, comment text, timestamp, owner reply if any)
  • Posts, photos, Q&A, and call-to-action buttons published on the location
  • Performance Insights (impressions, calls, direction requests, website clicks, photo views) at the daily aggregate level Google exposes
  • Verification status, suspension status, and duplicate-listing flags

What Data We Write

Back to Google Business Profile, we write only what the customer (or the customer's authorized AI agent inside BrandAmplifi) explicitly creates inside our dashboard:

  • Replies to reviews
  • Posts (announcements, offers, events) the customer drafts and approves
  • Photos the customer uploads
  • Q&A answers the customer authors
  • Profile field updates (hours, attributes, description) the customer edits

Every write is initiated by the customer or their delegated user inside BrandAmplifi and is logged in our audit trail with the user identity, timestamp, source IP, and the exact payload sent to Google. Customers can review or revoke autonomous AI behavior at any time from the BrandAmplifi dashboard.

How We Use Google User Data

Google user data is used solely to deliver and improve the user-facing features the customer has connected. Specifically: to display the connected location's reviews, posts, photos, Q&A, and insights inside the BrandAmplifi dashboard for that customer; to write back content the customer authored; to surface alerts and analytics on that customer's data inside their own tenant; and to operate platform features like review-response autopilot, post scheduling, and reputation reporting that the customer has explicitly enabled.

We do not use Google user data for advertising, do not sell it, do not rent it, do not use it to train generalized machine-learning or AI models that benefit any party other than the data's owner, and do not share it with affiliates for marketing.

Storage, Encryption, and Retention

  • At rest: AES-256 encryption on managed PostgreSQL.
  • In transit: TLS 1.2+ for all Google API calls and all browser ↔ BrandAmplifi traffic.
  • Tenant isolation: every Google data row is tagged with the customer's organization ID and enforced multi-tenant scoping at the database layer.
  • OAuth tokens: stored encrypted, rotated on Google's schedule, never logged in plaintext.
  • Cache window: read data is refreshed from Google at most every 24 hours; cached data older than 30 days is re-fetched rather than served from cache.
  • Disconnect / account deletion: when a customer disconnects their Google Business Profile or closes their BrandAmplifi account, all Google user data and OAuth tokens for that customer are deleted within 30 days.

Third-Party Sub-processors That Touch Google Data

The only third parties that may process Google user data are the sub-processors strictly necessary to operate the platform: our cloud infrastructure provider (DigitalOcean), our error-monitoring provider, and the AI model providers (Anthropic, OpenAI) used to draft customer-authored review replies on the customer's behalf and at the customer's direction. AI providers receive only the specific review text and customer-supplied context required to draft the reply, never bulk Google data, and contractually do not use the data to train their models. The current sub-processor list is published in the Subprocessors section below.

User Control & Data Deletion

Customers can disconnect their Google Business Profile from BrandAmplifi at any time from Settings → Integrations → Google Business Profile. Disconnection immediately revokes BrandAmplifi's OAuth refresh token and triggers deletion of cached Google user data within 30 days. Customers can also revoke BrandAmplifi's access directly from their Google Account permissions page. To request expedited deletion or data export, customers can email [email protected].

Limited Use Compliance Statement

BrandAmplifi affirms that its use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements: Google user data is only used to provide or improve user-facing features visible in the requesting application's user interface, is not transferred to third parties except to provide or improve those user-facing features (and only with the customer's consent or where strictly necessary for security purposes or to comply with applicable law), is not used or transferred for advertising including retargeting, personalized advertising, or interest-based advertising, and is not read by humans except with the customer's explicit consent for specific messages, when necessary for security purposes such as investigating abuse, to comply with applicable law, or for the requesting application's internal operations and only when the data has been aggregated and anonymized.

5d. Subprocessors

BrandAmplifi uses carefully selected third-party service providers to deliver the platform. All sub-processors are contractually bound to process data only as instructed and in compliance with applicable data protection laws. A detailed sub-processor list and Data Processing Agreement (DPA) are available upon request by contacting [email protected].

6. Cookies

We use essential cookies required for the functioning of our website and authentication. We may also use analytics cookies to understand how users interact with our platform. You can control cookie preferences through your browser settings.

7. Your Rights

You have the right to access, correct, or delete your personal data. You may also request a copy of your data in a portable format. To exercise these rights, contact us at [email protected].

8. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by email or through a notice on our website.

9. Contact Us

If you have questions about this privacy policy, please contact us at [email protected].