Privacy Policy

Effective Date: March 15, 2026

This Privacy Policy ("Policy") describes how Matt Kundo Digital Marketing, doing business as GBP Poster ("MKDM," "we," "us," or "our"), collects, uses, stores, shares, and protects your personal information when you access or use the GBP Poster platform at gbppost.com and all related services (collectively, the "Service").

By using the Service, you consent to the practices described in this Policy. If you do not agree with this Policy, you must not use the Service.

1. Data Controller

The data controller responsible for your personal data is:

Matt Kundo Digital Marketing
Email: privacy@gbppost.com
Website: gbppost.com

For all privacy-related inquiries, data access requests, or complaints, please contact us at the email address above.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: When you register for an account, we collect your name, email address, and password. If you sign up using a third-party authentication provider (such as Google), we receive your name and email address from that provider.
  • Business Information: Information about your business as provided through your Google Business Profile connection, including your business name, address, category, and location identifiers.
  • Content Data: Blog URLs you submit for AI summary generation, post content you create or edit, and any other content you input into the Service.
  • Communications: Information you provide when you contact us for support, submit feedback, or otherwise communicate with us.

2.2 Information Collected Through Google OAuth

  • Google OAuth Tokens: When you connect your Google Business Profile, we receive OAuth 2.0 access tokens and refresh tokens through Google's authentication flow. These tokens are stored in encrypted form and are used exclusively to authenticate API requests to manage your Google Business Profile posts.
  • Google Business Profile Data: Through the authorized Google Business Profile API scope (business.manage), we access your business listing information, including business name, location details, and existing posts. We access only the data necessary to provide the Service and do not access other Google account data such as Gmail, Google Drive, or Google Calendar.

2.3 Payment Information

When you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc. We do not receive, process, or store your full credit card number, debit card number, or bank account details. Stripe provides us with limited payment information, including the last four digits of your card, card brand, expiration date, billing address, and transaction history, for the purposes of account management, invoicing, and fraud prevention.

2.4 Automatically Collected Information

  • Usage Data: We collect information about how you interact with the Service, including pages visited, features used, posts created and published, timestamps of actions, and session duration.
  • Device and Technical Data: We collect your IP address, browser type and version, operating system, device type, screen resolution, and referring URL.
  • Log Data: Our servers automatically record information when you access the Service, including request details, error logs, and system activity.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To create and manage your account, authenticate your identity, connect to your Google Business Profile, generate AI-powered post summaries, and publish posts on your behalf.
  • Processing Payments: To manage subscriptions, process billing, issue invoices, and handle payment-related communications through Stripe.
  • Improving the Service: To analyze usage patterns, identify and fix bugs, optimize performance, develop new features, and improve the overall user experience.
  • Communication: To send you transactional emails (account confirmations, billing receipts, service notifications), respond to your inquiries, and provide customer support.
  • Security and Fraud Prevention: To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity, and to protect the security and integrity of the Service.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. Google API Data Usage

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4.1 Scope of Access

We request the Google Business Profile management scope (business.manage) to read your business listing information and to create, update, and manage posts on your Google Business Profile. We do not request or access any other Google scopes or services.

4.2 Token Security

Google OAuth access tokens and refresh tokens are encrypted at rest using industry-standard encryption algorithms before storage in our database. Tokens are decrypted only at the time of use to authenticate API requests. Access to stored tokens is restricted to application-level service processes, and the tokens are not accessible to MKDM personnel in plaintext form.

4.3 Data Minimization

We access only the Google Business Profile data strictly necessary to provide the Service. We do not read, store, or process your Google emails, files, contacts, calendar events, or any other Google account data. We do not sell, share, or transfer Google user data to third parties except as necessary to provide the Service (for example, transmitting post content to the Google Business Profile API for publication).

5. Third-Party Services

We use the following third-party services to operate the Service. Each processes data in accordance with its own privacy policy:

  • Supabase, Inc. (Database and Authentication): Hosts our database infrastructure, including user accounts, encrypted OAuth tokens, post data, and usage records. Supabase processes data in accordance with their privacy policy available at supabase.com/privacy.
  • Stripe, Inc. (Payment Processing): Processes all subscription payments, manages billing, and handles payment card data. Stripe is PCI-DSS compliant. See their privacy policy at stripe.com/privacy.
  • Anthropic, PBC (AI Content Generation): Blog content submitted for AI summary generation is processed by Anthropic's Claude AI service. We transmit the text content of blog URLs to generate post summaries. Anthropic's privacy practices are described at anthropic.com/privacy.
  • Google LLC (Google Business Profile API): We interact with Google's APIs to manage your business profile posts. Google's processing of your data is governed by the Google Privacy Policy.
  • Vercel, Inc. (Hosting and Infrastructure): The Service is hosted on Vercel's platform. Vercel may process technical data such as IP addresses and request logs. See their privacy policy at vercel.com/legal/privacy-policy.

6. Data Retention

6.1 Active Accounts

We retain your personal data, account information, Google OAuth tokens, and usage data for as long as your account remains active and as necessary to provide the Service to you.

6.2 Account Deletion

When you delete your account or request account deletion, we will delete or anonymize your personal data within thirty (30) days, including:

  • Your account profile and credentials.
  • Stored Google OAuth tokens (immediately revoked and deleted).
  • Post history and content data.
  • Usage data associated with your account.

Certain data may be retained beyond the 30-day period where required by law (for example, billing records for tax compliance) or where necessary to resolve disputes, enforce our agreements, or protect our legal rights. Such retained data will be stored securely and used only for those limited purposes.

6.3 Backup Retention

Data in encrypted backups may persist for up to ninety (90) days after deletion from our primary systems, after which it is permanently removed through the normal backup rotation cycle.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@gbppost.com. We will respond to your request within thirty (30) days, or within the timeframe required by applicable law.

  • Right of Access: You have the right to request a copy of the personal data we hold about you, including the categories of data collected, the purposes of processing, and any third parties with whom data has been shared.
  • Right to Rectification: You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You may also update certain information directly through your account settings.
  • Right to Deletion (Erasure): You have the right to request deletion of your personal data, subject to the retention exceptions described in Section 6. You can initiate account deletion through your account settings or by contacting us.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller where technically feasible.
  • Right to Object: You have the right to object to the processing of your personal data for certain purposes, including direct marketing. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
  • Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
  • Right to Withdraw Consent: Where we process your data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

8. Cookies and Tracking

8.1 Cookies We Use

We use a minimal set of cookies strictly necessary for the operation of the Service:

  • Authentication Session Cookies: Used to maintain your logged-in session and authenticate your requests. These are essential for the Service to function and cannot be disabled while using the Service.
  • Security Cookies: Used to prevent cross-site request forgery (CSRF) and other security threats.

8.2 What We Do Not Use

We do not use advertising cookies, third-party tracking cookies, analytics cookies, or social media tracking pixels. We do not participate in cross-site tracking or behavioral advertising.

9. Children's Privacy

The Service is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect, solicit, or maintain personal information from anyone under 18 years of age. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly. If you believe that a person under 18 has provided us with personal data, please contact us at privacy@gbppost.com.

10. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your personal data will be transferred to, stored, and processed in the United States and potentially in other countries where our third-party service providers operate. These countries may have data protection laws that differ from those in your country of residence.

By using the Service, you consent to the transfer of your data to the United States and other jurisdictions as described in this Policy. Where required by applicable law (such as the GDPR), we rely on appropriate legal mechanisms for international data transfers, including Standard Contractual Clauses approved by the European Commission and/or the adequacy decisions of relevant data protection authorities.

11. Security Measures

We implement appropriate technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of Google OAuth tokens at rest using industry-standard encryption algorithms.
  • Encryption of data in transit using TLS (Transport Layer Security).
  • Access controls restricting data access to authorized application processes only.
  • Regular security reviews and updates to our infrastructure and application code.
  • Use of PCI-DSS compliant payment processing through Stripe.
  • Secure database hosting with encryption at rest through Supabase.

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data.

12. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:

  • Contract Performance: Processing necessary to perform our contract with you (providing the Service, managing your account, processing payments).
  • Legitimate Interests: Processing necessary for our legitimate interests (improving the Service, ensuring security, preventing fraud), where those interests are not overridden by your rights and freedoms.
  • Consent: Where you have provided explicit consent (for example, connecting your Google Business Profile account).
  • Legal Obligation: Processing necessary to comply with applicable legal requirements (tax and accounting records, regulatory compliance).

13. Data Sharing

We do not sell your personal data to third parties. We share your data only in the following circumstances:

  • Service Providers: With the third-party service providers identified in Section 5, solely to the extent necessary for them to perform services on our behalf.
  • Legal Requirements: When required to do so by law, regulation, legal process, or enforceable governmental request.
  • Protection of Rights: When we believe disclosure is necessary to protect the rights, property, or safety of MKDM, our users, or the public.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case your data may be transferred to the successor entity. We will notify you of any such transfer and any choices you may have regarding your data.
  • With Your Consent: In any other circumstance where you have provided explicit consent to the sharing.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or by posting a prominent notice within the Service at least thirty (30) days before the changes take effect. The "Effective Date" at the top of this Policy indicates when it was last revised.

Your continued use of the Service after any changes take effect constitutes your acceptance of the revised Policy. If you do not agree to the updated Policy, you must stop using the Service.

15. California Privacy Rights (CCPA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including:

  • The right to know what personal information we collect, use, and disclose.
  • The right to request deletion of your personal information.
  • The right to opt out of the sale of your personal information. We do not sell personal information.
  • The right to non-discrimination for exercising your privacy rights.

To exercise your California privacy rights, contact us at privacy@gbppost.com.

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Matt Kundo Digital Marketing
Email: privacy@gbppost.com
Website: gbppost.com

If you are located in the EEA and believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with the supervisory authority in your country of residence.


This Privacy Policy was last updated on March 15, 2026.