Privacy policy
How Agency Book collects, uses, stores, secures, and shares data, including the Google data agencies connect on behalf of their clients.
01Overview and roles
Agency Book is a local SEO platform for marketing agencies, operated by Xegents AI, a company based in Pakistan ("Agency Book", "we", "us", "our"). This policy explains what data we handle, including Google user data, and how we use, store, secure, share, retain, and delete it.
Our customers are marketing agencies. An agency connects its own clients' Google accounts to Agency Book so the agency can track rankings, monitor Google Business Profiles, and report on results from a single dashboard. For the personal and business data those agencies process, the relationship works as follows:
- The agency is the data controller.The agency decides why and how its clients' data is processed and is responsible for having authorization from each client.
- Agency Book is the data processor.We process that data only to provide the service, on the agency's documented instructions, and for nothing else.
- The agency's clients are the data subjects and business owners. The underlying Google Business Profiles, analytics properties, and search-console properties belong to them.
For our direct relationship with the agency itself, for example its account, billing, and support records, Agency Book acts as a controller. Where an agency is established in the EU, UK, or a jurisdiction with comparable law, a Data Processing Agreement governs our role as processor and is available on request through the Terms of Service.
02Data we collect
Account data
Information the agency provides to create and run its account: name, work email, agency name, password credentials (stored only as a salted hash), team-member details, white-label branding assets, and support correspondence.
Billing data
Plan, billing cycle, and invoice records. Card details are handled by our payment processor and are not stored on Agency Book servers.
Usage data
Logs and diagnostics generated as the product runs: pages used, features invoked, device and browser type, IP address, and error traces. We use this to operate, secure, and improve the service.
Google user data
When an agency connects a client's Google account, we access a narrow, read-focused set of Google data through the scopes listed in the next section. We request the narrowest scopes the product needs to function.
03Google scopes we request
Agency Book requests the following Google OAuth scopes. Each is listed with the data it covers and the plain-language reason we need it. We do not request scopes the product does not use.
- Google Business Profile - read and write (.../auth/business.manage)
- This is a Google restricted scope. We read the connected client's business profile, reviews, ratings, posts, and performance metrics so the agency can monitor and report on them. We use the write capability for a single purpose: to post replies to reviews on the client's behalf, and only with the client's prior express authorization, as described under "Review replies and consent" below.
- Google Analytics 4 - read (.../auth/analytics.readonly)
- Read-only access to GA4 reporting metrics (traffic, sessions, conversions) so the agency can include website performance in its client dashboards and reports. We do not modify GA4 configuration or data.
- Google Search Console - read (.../auth/webmasters.readonly)
- Read-only access to Search Console search-performance data (queries, clicks, impressions, positions) so the agency can report on organic search visibility. We do not submit, modify, or remove anything in Search Console.
Of these, only Google Business Profile carries write access, and that write is limited to posting review replies. Analytics and Search Console are read-only.
04Google API Services User Data Policy - Limited Use
Google API Services User Data Policy
Agency Book's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
05How we use Google data
For each Google data type, this is precisely how it is accessed, used, stored, and shared:
- Accessedthrough Google's official APIs, using the OAuth scopes above, only after the agency connects an account and only for the connected properties.
- Used to power the user-facing features of Agency Book: rank tracking, geo-grid scans, Business Profile monitoring, GA4 and Search Console reporting, alerts, and the white-label client dashboards and reports the agency configures. Business Profile write access is used only to post review replies the client has authorized.
- Storedon our infrastructure as described under "Storage, retention, and deletion". Google Business Profile content is stored only temporarily, for no more than 30 calendar days, is stored securely, and is not aggregated or manipulated.
- Sharedonly as needed to provide the service: with the agency that connected the account, with that agency's designated client through their white-label dashboard, and with the sub-processors listed below. We do not share Google user data with anyone else.
06Storage, retention, and deletion
Data is stored on managed cloud infrastructure with encryption in transit and at rest. OAuth tokens are encrypted at the application layer and decrypted only inside an isolated worker when a job runs. Each agency's data is isolated at the database level.
- Google Business Profile content is stored temporarily for no more than 30 calendar days, then refreshed or removed. It is not aggregated or manipulated, in line with the Google Business Profile API policies.
- GA4 and Search Console metrics are retained as reporting history for as long as the connection is active, so agencies can show trends over time, and are deleted on disconnection or account closure.
- Account, billing, and usage records are retained for the life of the account and for a limited period afterward where required for legal, tax, or dispute-resolution purposes.
On disconnection of an integration, or on account closure, the associated Google user data and tokens are deleted within 30 days, except where a longer period is required by law. To request deletion of your data, or to revoke Agency Book's access to a Google account, contact us at admin@agencybook.io or revoke access directly in your Google Account security settings at myaccount.google.com/permissions.
07No sale, no ads, no surveillance
Agency Book does not, and will not:
- transfer or sell Google user data to third parties such as advertising platforms, data brokers, or information resellers;
- transfer, sell, or use Google user data for serving advertising, including retargeting, personalized, or interest-based advertising;
- transfer, sell, or use Google user data to determine creditworthiness or for lending purposes;
- use Google user data for any form of surveillance, or make it available to any party conducting surveillance.
For agencies and clients in the United States: Agency Book does not "sell" or "share" personal information as those terms are defined under the California Consumer Privacy Act, as amended by the CPRA. We act as a service provider and process personal information only to deliver the service under a written contract that restricts any other use.
08Human access to data
Agency Book personnel do not read your Google user data. The only exceptions, each narrow and limited, are where:
- you have given affirmative agreement to view specific data;
- it is necessary for security purposes, such as investigating a bug or abuse;
- it is necessary to comply with applicable law; or
- the data has been aggregated and is used for internal operations in line with applicable privacy requirements.
09Sub-processors
We rely on a small set of vetted sub-processors to run the service. Each is bound by contract to data-protection obligations at least equivalent to those in this policy and may use the data only to perform services for Agency Book.
- Google LLC - Google APIs (Business Profile, Analytics 4, Search Console)
- Source of the connected Google user data Agency Book reads and, for review replies, writes.
- Supabase - database and authentication
- Primary database, storage, and authentication for account and product data.
- Cloud hosting and compute provider
- Application hosting and the isolated worker environment that runs scheduled jobs.
- AI model provider
- Generates report commentary under a zero-retention configuration. Personally identifying client contact details are stripped before any content is sent for generation.
We maintain a current list of sub-processors and will provide notice of material changes to active customers. The full list is available on request at admin@agencybook.io.
10Review replies and consent
Where Agency Book posts replies to reviews on behalf of an agency's end client, it does so only after the agency has received that client's prior, specific, and express authorization. We do not automate or trigger review replies, profile edits, or other write actions without that consent. All review replies must comply with Google's Prohibited and restricted content policies.
11Disconnecting and regaining control
An agency or its client can disconnect a Google Business Profile from Agency Book and our developer project at any time, from within the product or by revoking access in their Google Account permissions. On request, we will disassociate the account from our services and developer project, returning exclusive control to the client, within seven business days.
12International data transfers
Agency Book is operated from Pakistan and processes data there and on managed cloud infrastructure. Because Pakistan is not currently the subject of an adequacy decision under EU or UK data-protection law, transfers of personal data from the EU or UK to Agency Book rely on appropriate safeguards: the European Commission's Standard Contractual Clauses (controller-to-processor module) and, for UK data, the UK International Data Transfer Addendum, together with a transfer impact assessment. These safeguards are incorporated into our Data Processing Agreement and are available to controllers on request.
13Your privacy rights
Depending on where the relevant individual is located, the following rights may apply. Because agencies are the controllers of their clients' data, requests from a client or end user are facilitated through the agency that connected the account; Agency Book assists the agency in responding.
EU and UK GDPR
Individuals may request access, rectification, erasure, restriction, portability, and may object to processing. As a processor, Agency Book processes personal data only on the controller's documented instructions, assists with data-subject requests and with security, breach-notification, and impact-assessment obligations, and deletes or returns personal data at the end of the service.
California (CCPA/CPRA)
California residents have the right to know the categories and purposes of personal information collected, used, and shared, to request deletion or correction, and to opt out of any sale or sharing. Agency Book does not sell or share personal information. We honor verifiable requests and offer at least two methods to submit one: email to admin@agencybook.io and the contact form on this site.
How to exercise a right
Contact us at admin@agencybook.io. We will verify the request and respond within the timeframe required by the applicable law.
14Security
We apply technical and organizational measures appropriate to the risk: encryption in transit and at rest, application-layer encryption of OAuth tokens, database-level tenant isolation, least-privilege access controls, and audit logging. Because Agency Book uses a Google restricted scope, the application is subject to an annual independent security assessment under Google's CASA framework, in addition to our own ongoing review. No method of transmission or storage is perfectly secure, but we work continuously to protect your data and to keep these measures current.
16Children
Agency Book is a business-to-business product intended for use by marketing agencies and their business clients. It is not directed to children, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us personal information, contact us and we will delete it.
17Changes to this policy
We may update this policy as the product and the applicable law evolve, and we keep it current. Material changes will be communicated to active customers, and the "Last updated" date at the top of this page will always reflect the current version. Where Pakistan's Personal Data Protection Bill is enacted into law, we will update our practices and this policy to comply.
18Contact us
For any privacy question, request, or concern, contact us:
Xegents AI (operator of Agency Book)Email: admin@agencybook.io
Web: agencybook.io