Privacy Policy

1. About this app

MaxGrowth Agency Portal ("the App") is an operations tool operated by MaxGrowth Agency for use by its agency team and clients. It is hosted at app.maxgrowthagency.com. Clients use the App to view their own SEO, analytics, and local-search performance; agency staff use it to manage SEO and local-search work on behalf of clients under signed agency agreements.

2. Data we access

With your explicit consent via Google's OAuth flow, the App accesses the following Google services on your behalf:

• Google Analytics 4 — read only: traffic, sessions, page and conversion data (scope: analytics.readonly)
• Google Search Console — read only: search-performance data, top pages, top queries (scope: webmasters.readonly)
• Google Ads — read only: campaign performance, clicks, impressions, conversions, cost (scope: adwords)
• Google Business Profile — read and write: business information, performance metrics, reviews, posts, and photos (scope: business.manage). What we read and write under this scope is described in detail in section 3a.

3. How we use your data

Data accessed through Google OAuth is used solely to:

• Display analytics dashboards and reports within the App to authorised agency staff and clients
• Generate periodic reports on SEO, traffic, paid media, and local-search performance
• Allow authorised agency staff to manage your Google Business Profile on your behalf, when explicitly initiated by a human user inside the App (see section 3a)
• Provide the agency team with insights to improve client outcomes

We do not sell, rent, or share your data with third parties. We do not use it for advertising, for training generative AI or machine-learning models, or for any purpose unrelated to providing agency services. The App makes no automated changes to your Google data; every write action listed in section 3a is initiated by an authorised human user clicking a button inside the App.

3a. Use of the Google Business Profile business.manage scope

The App uses the business.manage scope to give agency staff a single dashboard for managing client Business Profiles. This is a read-and-write scope. The sections below describe exactly what the App does with it.

What the App reads

• List of Business Profile accounts and locations the connected user manages (Account Management API)
• Business information for the selected location: name, primary phone, website, categories, address, regular hours, special hours, description, attributes, photos, language code, store code (Business Information API)
• Daily performance metrics for the selected location: search and Maps impressions (desktop / mobile), call clicks, website clicks, direction requests (Business Profile Performance API)
• Reviews for the selected location, including reviewer name, star rating, comment, timestamp, and any owner reply (My Business v4 reviews API)
• Local Posts and media (photos) attached to the location (My Business v4 localPosts and media APIs)

What the App can write — only when an authorised user clicks the corresponding button inside the App

• Edit business information — update the business name, primary phone, website, regular hours, and description, via narrow updateMask PATCH requests (Business Information API). Each edit covers a single field group and is reviewable by Google before it goes live.
• Reply to reviews — create, edit, or delete a public owner reply on a review (My Business v4 reviews/reply API). The reply text is supplied by the agency staff member at the time of submission. The App does not auto-generate or auto-post replies.
• Publish or schedule Local Posts — create a new Local Post with text and an optional call-to-action button. Posts may be published immediately or scheduled by passing Google's native scheduledTime field (My Business v4 localPosts API). Authorised users can also delete posts they no longer want.
• Upload or remove photos — submit a photo to the location via Google's sourceUrl upload (the image is fetched by Google from a publicly accessible URL the user supplies); delete existing photos (My Business v4 media API).

What the App never does under this scope

• It never creates, claims, verifies, transfers, suspends, or deletes a Business Profile listing.
• It never modifies or deletes customer-written reviews; it only replies to them on the owner's behalf.
• It never creates or answers Q&A entries on the listing.
• It never edits special hours, services, attributes, opening dates, or service-area boundaries (these are out of scope for the current implementation).
• It never performs any write action automatically, on a schedule (other than Local Post publishing at the user-chosen scheduledTime), or without an authorised human user explicitly clicking a button inside the App.
• It never shares Business Profile content with parties other than the agency staff and client portal users authorised on the specific client account.

4. Data storage

OAuth access tokens, refresh tokens, the selected GA4 property / GSC site / Google Ads customer / GBP location identifiers, and cached metric snapshots are stored in our MySQL database hosted on Hostinger. Tokens are stored encrypted at rest. Database access is restricted to authenticated agency users of the App.

For Google Business Profile specifically, we cache only daily performance metrics in the gbp_performance table (one row per day per location). Reviews, posts, and photos are not persisted in our database — they are fetched live from Google on each dashboard load and cached in process memory for at most one hour. Edits, replies, posts, and photo uploads are passed through to Google's APIs and never stored in our database except as activity-log entries (timestamp, user, action) for audit purposes.

5. Data retention

Cached metrics are retained while the connected account remains active. When you disconnect a Google account from the App or revoke our OAuth grant, the App immediately deletes the corresponding access and refresh tokens, and removes cached performance metrics within 30 days. Activity-log entries are retained for 12 months for accountability.

6. Your rights

You may at any time:

• Revoke OAuth access via your Google Account permissions page
• Disconnect a service inside the App, which deletes the corresponding tokens immediately
• Request deletion of cached data by contacting us at the email below
• Request a copy of data we hold about you

7. Google API Services User Data Policy

MaxGrowth Agency Portal's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties except as needed to provide or improve the App's user-facing features for the user from whom the data originated, and we do not use it to serve advertisements or train generalised AI / ML models.

8. Contact

Questions or requests regarding this policy can be sent to support@maxgrowthagency.com.