Home / Privacy Policy

Privacy Policy

Last updated: March 1, 2026

1. Information We Collect

We collect information you provide directly to us when you create an account, use our services, or communicate with us. This includes:

  • Account Information: Name, email address, and password (or Google account identifier for OAuth sign-in).
  • Business Information: Business name, address, phone number, website, categories, hours, and other Google Business Profile data you authorize us to access.
  • Content You Create: Posts, review replies, question answers, and other content created through our platform.
  • Usage Data: Log data, device information, and analytics about how you interact with our service.

2. Google API Services — User Data Policy Compliance

Storals's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

2.1 Google Data We Access

When you connect your Google Business Profile, we request access to the following scopes:

  • Email Address (userinfo.email): Used solely to identify your account and enable sign-in.
  • Profile Information (userinfo.profile): Used to display your name and avatar within the application.
  • Google Business Profile Management (business.manage): Used to read and manage your business profile data (posts, reviews, questions, insights) at your explicit request.

2.2 Limited Use Disclosure

Notwithstanding anything else in this Privacy Policy, our use of information received from Google APIs is subject to these additional restrictions:

  • We only use Google data to provide and improve user-facing features that are visible and prominent in our application's user interface.
  • We do not use Google data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not allow humans to read Google user data unless: (a) we have the user's affirmative agreement, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) our use is limited to internal operations and the data has been aggregated and anonymized.
  • We do not transfer Google data to any third party unless: (a) it is necessary to provide or improve user-facing features, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) the user has provided explicit, affirmative consent.
  • We do not use or transfer Google data for determining creditworthiness or for lending purposes.

2.3 Third-Party AI Processing

When you use our AI-powered features (e.g., generating post content, review replies, or question answers), the text content you provide as input — along with relevant business context you have authorized — is sent to third-party AI providers (OpenAI, Anthropic/Claude, or Azure OpenAI) for real-time processing. This data is not used to train AI models, is not stored by these providers beyond the duration of the API request, and is governed by their respective data processing agreements. No Google OAuth tokens or raw Google API data are ever sent to AI providers.

3. How We Use Your Information

  • To provide, maintain, and improve our services.
  • To process your requests — publishing posts, replying to reviews, answering questions — on your Google Business Profile at your explicit direction.
  • To generate AI-assisted content at your request.
  • To send you service notifications (e.g., new reviews, weekly reports) based on your preferences.
  • To monitor and analyze usage trends and improve user experience.
  • To detect, prevent, and address technical issues and security threats.

4. Data Storage and Security

  • Encryption at Rest: All Google OAuth tokens are encrypted using AES-256 encryption (Laravel's built-in encryption) before being stored in our database.
  • Encryption in Transit: All data transmitted between your browser, our servers, and Google's APIs uses TLS 1.2 or higher.
  • Password Hashing: User passwords are hashed using bcrypt and are never stored in plaintext.
  • Access Controls: Role-based access controls ensure users can only access their own business data. Administrative actions are logged.
  • Token Management: OAuth tokens are automatically refreshed and are never exposed to client-side code.

5. Information Sharing

We do not sell, rent, or trade your personal information. We may share information only:

  • With service providers who perform services on our behalf (hosting, email delivery, payment processing, AI content generation) under strict data processing agreements.
  • When required by law, regulation, or legal process.
  • To protect the rights, property, or safety of our users or the public.
  • With your explicit consent.

6. Data Retention

  • Active accounts: Data is retained for as long as your account is active and you maintain an active subscription.
  • Deleted accounts: Upon account deletion, all personal data and Google-related data (tokens, business profiles, posts, reviews) are permanently deleted within 30 days.
  • OAuth tokens: Tokens are deleted immediately when you disconnect a business profile or delete your account.
  • Logs: Application and security logs are anonymized or deleted after 90 days.
  • Backups: Encrypted backups are retained for a maximum of 30 days, then permanently destroyed.

7. Your Rights and Choices

You have the following rights regarding your data:

  • Access & Portability: You can view and export your data from your account settings at any time.
  • Correction: You can update your personal information from your profile settings.
  • Deletion: You can delete your account and all associated data from your settings. You can also request deletion by contacting us.
  • Revoke Google Access: You can disconnect your Google Business Profile at any time from your dashboard. You can also revoke access from your Google Account settings.
  • Notification Preferences: You can control which notifications you receive from your notification settings.
  • Data Deletion Callback: If you revoke our access via Google, we automatically process a data deletion request to remove all Google-related data from our systems.

8. GDPR Compliance (EU Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal Basis: We process your data based on your consent (OAuth authorization) and our legitimate interest in providing the service.
  • Right to Erasure: You may request complete deletion of your personal data. We will comply within 30 days.
  • Right to Restriction: You may request that we restrict processing of your personal data.
  • Right to Object: You may object to processing of your personal data for certain purposes.
  • Data Protection Officer: For GDPR-related inquiries, contact us at the email below.

9. CCPA Compliance (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights. You have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at the email below.

10. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies. You can configure your browser to refuse cookies, though this may affect your ability to use certain features.

11. Children's Privacy

Our service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will also send a notification to your registered email address. Your continued use of the service after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy, your data, or wish to exercise any of your rights, please contact us:

  • Email: privacy{{ request()->getHost() }}
  • Support: support{{ request()->getHost() }}
  • Data Deletion Requests: privacy{{ request()->getHost() }}

This Privacy Policy is effective as of March 1, 2026. For questions or concerns about your privacy, please contact our privacy team.