Contents
1. Introduction
Local Boost Lab ("LBL," "Local Boost Lab," "we," "us," or "our") is committed to protecting the privacy and security of our clients' personal and business information. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights regarding your data. It applies to all LBL clients, website visitors, and anyone whose information we process in connection with providing our Google Business Profile management services.
LBL serves US-based businesses. If you are located in California, the California Consumer Privacy Act (CCPA) grants you additional rights described in Section 9. LBL does not intentionally collect data from EU residents; if you are an EU resident and use our services, please contact us before subscribing.
2. Information We Collect
2.1 Information You Provide Directly
- Business owner name and email address
- Business name, address, phone number, and service area
- Google Business Profile URL and location identifier
- Brand voice description, service list, and content preferences
- Business photos and images (uploaded to designated Google Drive/Cloud folder)
- Payment information (processed by Stripe; LBL never stores raw card data)
- Email communications sent to LBL
2.2 Information Collected Automatically
- Google OAuth refresh tokens (encrypted AES-256-GCM)
- GBP Insights data (profile views, phone calls, website clicks, direction requests)
- Review content from your GBP (publicly visible ratings and text)
- Review response content generated and published by LBL on your behalf
- Post content and publication logs
2.3 Information We Do Not Collect
- Payment card numbers (handled entirely by Stripe)
- Personal data about your customers beyond what is publicly visible on GBP
- Website analytics or tracking cookies
- Customer purchasing behavior or private communications
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Service delivery: posting to your GBP, responding to reviews | GBP OAuth token, business info, voice settings, photos | Contract performance |
| Account management: onboarding, support, notifications | Name, email, business details | Contract performance |
| Billing: processing subscription payments | Email (passed to Stripe); Stripe handles card data | Contract performance |
| Service improvement: analyzing aggregate performance trends | Anonymized post/review metrics | Legitimate interest |
| Legal compliance: record keeping | Billing records, service logs | Legal obligation |
4. Data Sharing and Third Parties
We share your data only with the following processors, solely to deliver our services. We do not sell your data.
| Processor | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, billing address |
| Google (GBP API) | Publishing posts, reading and responding to reviews | OAuth token, post content |
| Anthropic (Claude API) | AI content generation for posts and review drafts | Business info, voice settings (no PII) |
| Google Gemini API | AI image generation for posts | Business type, service keywords |
| Railway.app | Application hosting and infrastructure | Encrypted application data |
| Supabase | Database (US East region) | All account and service data |
| Resend.com | Transactional email delivery | Email address, message content |
| Wise | Payment disbursements (if applicable) | Business name, bank details |
We do not share your data with advertising networks, analytics platforms, data brokers, or any third party not listed above without your explicit consent.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption at rest: All OAuth tokens and sensitive credentials encrypted using AES-256-GCM
- Encryption in transit: All data transmitted over TLS 1.2 or higher
- Database security: Supabase hosted in US East region with row-level security enabled
- Payment security: All payment processing handled by Stripe, which is PCI DSS Level 1 certified. LBL never stores, transmits, or has access to raw card data.
- Breach notification: In the event of a data breach affecting your personal information, we will notify you within 72 hours of discovery by email to your registered address.
- Access controls: LBL staff access to client data is restricted to those with a business need. All access is logged.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information (name, email, business details) | 12 months after subscription cancellation, then deleted |
| Google OAuth refresh tokens | Deleted immediately upon account termination or revocation |
| Post content and review response logs | 12 months, then deleted or anonymized |
| Payment records and billing history | 7 years (required by US tax law) |
| Email communications | 3 years |
| Business photos uploaded to Cloud Storage | Duration of active subscription + 30 days after cancellation |
7. Your Rights
You have the following rights regarding your personal data. To exercise any of these rights, email grow@localboostlab.com with your request. We will respond within 30 days.
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete data.
- Right to Deletion: Request deletion of your personal data. Note: we may retain data required by law (e.g., billing records).
- Right to Portability: Request your data in a machine-readable format.
- Right to Object: Object to our processing of your data for legitimate interest purposes.
8. Cookies and Website
The Local Boost Lab website uses essential cookies only. These cookies are strictly necessary for the website's checkout and onboarding functionality to work. We do not use:
- Analytics cookies (e.g., Google Analytics)
- Advertising or retargeting cookies
- Third-party tracking cookies
Essential cookies include session cookies that allow you to complete checkout and the onboarding form. These cookies expire at the end of your browser session or within 30 days, whichever comes first.
9. California Residents: CCPA Rights
If you are a California resident, the California Consumer Privacy Act of 2018 (CCPA) grants you specific rights regarding your personal information:
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale: LBL does not sell personal information. This right is not applicable to our services.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, please contact us at grow@localboostlab.com. We will verify your identity before processing your request.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address at least 30 days before the changes take effect. Your continued use of our services after the effective date constitutes acceptance of the updated policy.
For non-material changes (such as clarifications or corrections), we may update the policy without prior notice. The "Effective Date" at the top of this page will always reflect the date of the most recent revision.
11. Contact
Questions or requests?
Email us at grow@localboostlab.com. We respond to all privacy-related inquiries within 30 days.
Local Boost Lab · Data Controller · United States