Privacy Policy

Last updated: January 20, 2025

1. Introduction

Gracia AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our automated review reply service for Google Business Profiles.

We comply with applicable data protection laws including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Information We Collect

Personal Information

  • Name and email address
  • Google account information (via OAuth)
  • Business name and location details
  • Payment information (processed securely via Stripe)

Business Data

  • Google Business Profile information
  • Customer reviews and ratings
  • Your replies to reviews
  • Business preferences and settings

Usage Data

  • Log data (IP address, browser type, pages visited)
  • Service usage patterns and preferences
  • Performance metrics and analytics

3. How We Use Your Information

We use your information to:

  • Provide and maintain our Service
  • Generate AI-powered review responses
  • Post replies to your Google Business Profile (with your permission)
  • Process payments and manage subscriptions
  • Send service-related notifications
  • Improve and optimize our Service
  • Comply with legal obligations
  • Detect and prevent fraud or abuse

4. Legal Basis for Processing

We process your data based on:

  • Contract: To provide the services you've subscribed to
  • Consent: For optional features and communications
  • Legitimate Interests: To improve our services and prevent fraud
  • Legal Obligations: To comply with applicable laws

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your data with:

  • Service Providers: Including Google (for GMB integration), OpenAI (for AI processing), Stripe (for payments), and Supabase (for data storage)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger or acquisition
  • With Your Consent: When you explicitly agree to sharing

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS/SSL) and at rest
  • Secure authentication and access controls
  • Regular security audits and updates
  • Limited access on a need-to-know basis
  • Secure data centers with physical security

7. Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

  • Account data: Until account deletion plus legal retention period
  • Review data: As long as you maintain an active subscription
  • Payment records: As required by tax and accounting laws
  • Analytics data: Aggregated and anonymized after 24 months

8. Your Rights and Choices

Under GDPR (EEA residents)

  • Access your personal data
  • Correct inaccurate data
  • Request deletion (right to be forgotten)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent
  • Lodge a complaint with supervisory authorities

Under CCPA (California residents)

  • Know what personal information we collect
  • Request deletion of personal information
  • Opt out of sale (we do not sell personal information)
  • Non-discrimination for exercising rights

To exercise these rights, contact us at privacy@gracia-ai.com.

9. Cookies and Tracking

We use essential cookies to maintain sessions and preferences. We may also use:

  • Analytics cookies to understand usage patterns
  • Performance cookies to optimize the service
  • Functional cookies to remember your settings

You can control cookies through your browser settings, but disabling essential cookies may affect functionality.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including:

  • Standard contractual clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Privacy Shield certification (where applicable)

11. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected data from a child, we will promptly delete it.

12. Third-Party Services

Our Service integrates with third-party services that have their own privacy policies:

  • Google: For Google Business Profile access
  • OpenAI: For AI-powered content generation
  • Stripe: For payment processing
  • Supabase: For data storage and authentication

We encourage you to review their privacy policies to understand how they handle your data.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or prominent notice within the Service. The "Last updated" date at the top indicates the most recent revision.

14. Contact Us

For questions, concerns, or to exercise your rights, please contact us:

Gracia AI Privacy Team
Email: privacy@gracia-ai.com
Data Protection Officer: dpo@gracia-ai.com
Address: San Francisco, CA
Response time: Within 30 days