Privacy Policy

Last updated: March 27, 2026

1. Information We Collect

- Account information: name, email address, phone number, password (stored as an encrypted hash).
- Business information: business name, address, type, Google Business Profile data, photos, captions, reviews.
- Usage data: login timestamps, feature usage, device information, IP address for security purposes.
- Payment information: processed securely by Stripe. We do not store credit card numbers.
- WhatsApp messages: photos and text sent to the GMBX bot for post creation.
- Identity verification: video or photo submitted during onboarding for account security.

2. How We Use Your Data

- To create and publish Google Business Profile posts on your behalf.
- To generate AI captions tailored to your business voice.
- To manage your Google Business Profile (hours, description, reviews).
- To process payments and manage your subscription.
- To send you notifications about your account and posts.
- To improve our Service through anonymized usage analytics.
- To protect against fraud and unauthorized access.

3. Data Sharing

We do NOT sell, rent, or trade your personal data. We share data only with:

- Google: to publish posts and manage your Business Profile via authorized APIs.
- Stripe: for payment processing.
- Twilio: for WhatsApp messaging.
- OpenAI: for caption generation (no personal data is sent, only business context).
- Supabase: our database provider (data encrypted at rest and in transit).
- Vercel: our hosting provider (infrastructure in the United States).
- Resend: for transactional email delivery.

We may disclose data if required by law or to protect our legal rights.

4. Data Security

- Passwords hashed with bcrypt (12 rounds).
- JWT session tokens with secure httpOnly cookies.
- All data transmitted over HTTPS/TLS.
- Database access restricted to service role only.
- Rate limiting on authentication endpoints.
- Account lockout after repeated failed login attempts.
- Regular security audits of our codebase.
- Content moderation on AI-generated outputs.

5. Data Retention

Active account data is retained for the duration of your subscription. After cancellation, data is retained for 30 days to allow reactivation. After 30 days, personal data and business content are permanently deleted via automated purge. Activity logs are retained for 90 days for security purposes. Anonymized analytics data may be retained indefinitely.

6. Your Rights

You have the right to:

- Access all data we hold about you.
- Correct inaccurate information.
- Export your data (posts, captions, business info) via the data export API.
- Delete your account and associated data via the data deletion API.
- Opt out of non-essential communications.
- Revoke team member access at any time.

To exercise these rights, email maordayann@gmail.com or use the dashboard settings.

7. Cookies

We use a single essential cookie (g-agent-token) for authentication. This is a secure, httpOnly session cookie. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. Children

GMBX is not intended for use by anyone under 18 years of age. We do not knowingly collect data from minors.

9. Israeli Privacy Law (PPPA)

GMBX complies with the Israeli Protection of Privacy Law, 5741-1981 (PPPA). We maintain a registered database with the Israeli Law, Information and Technology Authority (ILITA) as required. Israeli users have the right to access, correct, and delete their personal data. We apply reasonable security measures as required under Israeli law. Data transfers outside Israel are protected by appropriate safeguards.

10. GDPR Compliance (EU/EEA Users)

For users in the European Economic Area:

- Data Controller: GMBX, operated by Maor Dayan, Israel.
- Legal Basis for Processing: Contract performance (providing the service), legitimate interests (security, fraud prevention), and consent (optional communications).
- DPO Contact: maordayann@gmail.com
- Data Transfers: Data may be transferred to the US (Vercel, Supabase, OpenAI). We rely on Standard Contractual Clauses (SCCs) for these transfers.
- Rights: Right to access, rectification, erasure, restriction of processing, data portability, and objection. You may also lodge a complaint with your local supervisory authority.

See our Data Processing Agreement for enterprise details.

11. CCPA Compliance (California Users)

For California residents under the California Consumer Privacy Act:

- Categories of data collected: Identifiers (name, email, phone), commercial information (subscription data), internet activity (usage logs), professional information (business details).
- Right to Know: You can request what personal information we collect, use, and share.
- Right to Delete: You can request deletion of your personal information.
- Right to Opt-Out of Sale: We do not sell personal information. See our Do Not Sell page.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your rights, email maordayann@gmail.com or use the data export/delete features in your dashboard.

12. International Data Transfers

Data may be processed in the United States (Vercel, Supabase infrastructure) and other countries where our service providers operate. By using the Service, you acknowledge these transfers. We ensure appropriate safeguards are in place, including Standard Contractual Clauses for EU transfers.

13. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email or dashboard notification at least 14 days in advance. The "Last updated" date at the top reflects the most recent revision.

14. Contact

For privacy-related questions or requests, contact us at maordayann@gmail.com.