Privacy Policy

Last updated: 2026-04-28

Curbrank ("we," "us," "our") respects your privacy. This policy explains what data we collect, how we use it, and your rights. If anything is unclear, email [email protected] and we'll explain.

1. Who we are

Curbrank is operated by Pro Shine Elite LLC in San Diego, California, providing website development and Google Business Profile management to service and general contractors in San Diego and Riverside Counties, California.

Contact for privacy questions: [email protected].

2. What data we collect

Information you give us directly

  • Audit requests: business name, service area, your name, email, phone (optional), vertical, optional pain-point text.
  • Contact form submissions: name, email, subject, message.
  • Client onboarding: business address, phone numbers, billing details (collected via Stripe, see "Third-party processors" below).

Information from Google services (clients only)

When you become a Curbrank client and authorize us to manage your Google Business Profile, we access, through Google's official APIs and only with your explicit OAuth consent:

  • Your Google Business Profile listing data (name, address, hours, categories, reviews, photos, posts, Q&A)
  • Google Business Profile Insights (call counts, click counts, direction request counts)
  • Google Search Console performance data (impressions, clicks, ranking positions for your queries)
  • OAuth refresh tokens (encrypted at rest, used to authenticate API calls on your behalf)

We do not access your Gmail, Google Drive, Google Photos, Google Calendar, YouTube account, Google Ads, or any Google service unrelated to managing your Business Profile. The OAuth scopes we request are limited to what's necessary to deliver the service.

Information from third parties

  • Public Google Business Profile data (used when generating audits for prospects who haven't signed up; this is publicly visible information)
  • Public website performance data via Google PageSpeed Insights API
  • Public Google Maps / Places data (business names, addresses, ratings) for competitive analysis

Information collected automatically

  • Standard web server logs: IP address, browser type, referring URL, pages visited, timestamps. Retained 30 days for security and abuse prevention.
  • Cookies: this website uses no third-party tracking cookies. We may set a session cookie for form submissions only.

3. How we use your data

  • Deliver the audit you requested (one email containing the audit; no follow-up sequence).
  • Respond to your contact form submission.
  • Provide our services to clients: posting to your GBP, replying to reviews, generating reports, managing Q&A, fixing your website.
  • Invoice and payment processing via Stripe.
  • Email you about your account (transactional only: invoices, scheduled reports, account changes). We do not send marketing emails.
  • Improve our service: aggregated, anonymized usage analytics. No individual data is shared.
  • Comply with law: respond to subpoenas, court orders, or other legal requirements.

We do not sell, rent, or trade your personal information. Ever. To anyone.

4. Use of Google user data

Curbrank's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide the service the user signed up for (Google Business Profile management).
  • We do not transfer Google user data to third parties for advertising, analytics, or any other purpose.
  • We do not use Google user data to train any model or share it with third parties for advertising or analytics.
  • Humans on our team only access Google user data for: (a) security investigations, (b) abuse prevention, (c) complying with legal requirements, (d) with the user's explicit consent, or (e) for operations strictly necessary to deliver the service (e.g., reviewing a draft post before publishing it on your behalf).

5. Third-party processors

We use a small number of vendors to operate Curbrank. Each is bound by a data processing agreement and is GDPR/CCPA compliant:

  • Stripe: payment processing. We don't store your full credit card number; Stripe does. Stripe privacy policy.
  • Cloudflare: DNS, CDN, website hosting. Cloudflare privacy policy.
  • Google: Business Profile API, Search Console API, PageSpeed Insights API, Places API. Google privacy policy.
  • Google (Gemini): third-party content drafting service used by our team to produce first drafts of GBP posts, review responses, and audit narratives, which a person on our team reviews and edits before anything is published. Google does not use this data for advertising or to train other Google products. Google privacy policy.
  • Call-tracking provider: used to provision tracking phone numbers and store call logs for clients on our SEO retainer. Provider's privacy policy available on request.
  • FormSubmit: used to deliver audit and contact form submissions to our inbox until our backend is fully self-hosted. FormSubmit privacy policy.

6. Data retention

  • Audit requests: kept for 12 months from request date, then deleted unless you become a client.
  • Contact form submissions: kept until resolved, plus 12 months.
  • Client account data: kept for the duration of the engagement plus 7 years for tax/legal purposes (then deleted).
  • OAuth refresh tokens: deleted within 30 days of account termination or upon request, whichever is sooner.
  • Web server logs: 30 days.
  • Backups: 90 days encrypted, then deleted.

7. Data security

  • All data in transit is encrypted via TLS 1.3.
  • OAuth refresh tokens are encrypted at rest using AES-256-GCM with keys stored in a separate secrets manager.
  • Database backups are encrypted.
  • Access is limited to authorized personnel on a need-to-know basis. Multi-factor authentication is required for all administrative access.
  • We use a Tailscale-protected administration network, with no public-facing admin endpoints.
  • If we discover a breach affecting your data, we will notify you within 72 hours and disclose the scope and our response.

8. Your rights

You have the right to:

  • Access a copy of your personal data we hold.
  • Correct inaccurate data.
  • Delete your data (right to be forgotten).
  • Export your data in a portable format.
  • Restrict or object to certain processing.
  • Revoke OAuth access at any time via your Google Account settings. This immediately stops our access to your Business Profile.
  • Withdraw consent for any processing based on consent.

To exercise any of these rights, email [email protected]. We respond within 30 days.

9. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know what personal information we collect, use, disclose, and sell.
  • Right to delete personal information we collected from you.
  • Right to opt out of the sale of personal information. Curbrank does not sell personal information.
  • Right to non-discrimination for exercising these rights.
  • Right to correct inaccurate information.
  • Right to limit use and disclosure of sensitive personal information.

10. EU/UK residents (GDPR)

If you are in the European Union, United Kingdom, or European Economic Area, you have rights under GDPR/UK-GDPR including those listed in section 8 plus the right to lodge a complaint with your data protection authority. Our legal basis for processing personal data:

  • Performance of a contract (delivering the services you signed up for).
  • Legitimate interests (running our business, security, fraud prevention).
  • Consent (audit requests; marketing communications, of which there are none).
  • Legal obligations (tax records, responding to lawful requests).

11. Children's privacy

Curbrank's services are intended for businesses, not individuals under 18. We do not knowingly collect data from children. If you believe we have collected data from a child, email [email protected] and we will delete it.

12. International data transfers

Curbrank's data is hosted in the United States and the European Union (Germany). If you access our services from outside these regions, your data will be transferred to and processed in these locations. We use standard contractual clauses where required.

13. Changes to this policy

We may update this policy occasionally. Material changes will be communicated via email to active clients at least 30 days before taking effect. The "Last updated" date at the top of this policy reflects the most recent revision. Old versions are available on request.

14. Contact

Questions, concerns, requests, or to exercise any of your rights:

Email: [email protected]
General: [email protected]
Address: available on request.