Privacy Policy

This Privacy Policy explains how Stackvate Inc. collects, uses, shares, and protects personal information when you access or use the GBPcentral platform and related services.

Effective April 21, 2026

At a Glance

A plain-language summary of this policy. This summary is provided for convenience only; the full policy below is the binding document.

What we collect

Account details you provide, Google Business Profile data you authorize us to access, content you create, and technical records needed to operate the service.

Why we collect it

To deliver the service you subscribe to, process payments, keep your account secure, comply with the law, and improve the platform.

Who we share it with

A small, audited set of subprocessors: Stripe for payments, Google for Business Profile access, and Resend for transactional email. We do not sell personal information.

How we protect it

Encryption in transit (TLS 1.2+) and at rest for sensitive fields, optional two-factor authentication, least-privilege access controls, and comprehensive audit logging.

Your rights

Access, correct, delete, or export your data. Object to or limit certain processing. Withdraw consent where processing is based on consent. Exercise rights at any time.

How to reach us

Privacy questions: privacy@gbpcentral.com. Postal notices: Stackvate Inc., 1270 Avenue of the Americas, 7th Floor - 1169, New York, NY 10020, United States.

01 Who We Are

GBPcentral is a software-as-a-service platform for managing Google Business Profile locations, including scheduled posts, analytics, team collaboration, and related features. The platform is owned and operated by Stackvate Inc., a corporation incorporated in the State of New York, United States.

Data Controller and Legal Notice Address

Stackvate Inc.

1270 Avenue of the Americas, 7th Floor - 1169
New York, NY 10020, United States

References in this policy to “we,” “us,” or “our” mean Stackvate Inc. References to “you” mean the individual or entity that accesses or uses the GBPcentral platform (the “Service”).

02 Scope and Definitions

This policy applies to personal information we process when you visit gbpcentral.com, create an account, subscribe to a paid plan, or otherwise use the Service. It does not apply to third-party websites, applications, or services that you access through the Service, which are governed by their own privacy policies.

When an agency, reseller, or business customer (the “Customer”) uses the Service to manage Google Business Profiles or collaborate with end users (including other team members or the Customer’s own clients), the Customer acts as the data controller for the information it uploads, configures, or processes through the Service, and we act as a data processor on the Customer’s behalf. For end users interacting directly with us (such as visitors to our marketing site or account holders managing their own profiles), we act as the data controller.

  • Personal information: any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person.
  • Processing: any operation performed on personal information, whether automated or not, including collection, storage, access, disclosure, and deletion.
  • Controller: the party that determines the purposes and means of processing personal information.
  • Processor: the party that processes personal information on behalf of a controller.
  • Subprocessor: a third party engaged by a processor to assist in processing personal information on behalf of a controller.

03 Information We Collect

3.1 Information You Provide

  • Account information: your email address, password (stored as a cryptographic hash only), first and last name, business name, phone number, timezone, and avatar image, as you choose to provide them.
  • Authentication and security data: records of successful and failed sign-in attempts, your last-known sign-in IP address, account lock status, and, if you enable it, two-factor authentication secrets and recovery codes.
  • Billing information: your billing contact details and the metadata returned by our payment processor (such as card brand and the last four digits). Full card numbers are never transmitted to or stored on GBPcentral systems.
  • Google account data: when you connect your Google account, we receive OAuth tokens and the Google Business Profile metadata you authorize, which may include business names, locations, categories, hours, media, posts, insights, reviews, questions, and verification status. OAuth tokens are stored encrypted at rest.
  • Content you create: posts, media uploads, templates, scheduled publication data, and any other content you create or upload to the Service.
  • Collaboration data: team member invitations, role assignments, and activity associated with team features.
  • Support communications: support tickets, email correspondence, and any information you provide when contacting us.

3.2 Information Collected Automatically

  • Service and audit logs: records of key actions within the Service (such as posts created, accounts connected, or billing events), including the associated user identifier, IP address, user-agent string, and before-and-after values for changes we audit.
  • Device and connection data: IP address, browser type and version, operating system, device identifiers, referrer URL, and pages viewed.
  • Cookies and similar technologies: limited to cookies strictly necessary for session management, authentication, and security, as described in Section 13. We do not use third-party advertising, analytics, or behavioral-tracking cookies.

3.3 Information From Third Parties

  • Google: the Business Profile data described above, subject to the permissions you grant at authorization.
  • Payment processor: payment status, invoice metadata, and dispute or refund records returned to us by Stripe.
  • Email delivery provider: delivery status for transactional emails (such as bounces or failures) from Resend.

3.4 Sensitive Information

We do not intentionally collect information that is classified as “sensitive” or “special category” data under applicable privacy laws (such as government identifiers, precise geolocation, biometric data, racial or ethnic origin, religious beliefs, health information, or financial account credentials). Please do not submit such information through the Service.

04 How We Use Information

We process personal information only for the purposes described below. For users in the European Economic Area, United Kingdom, or Switzerland, the table indicates the lawful basis we rely on under the General Data Protection Regulation (GDPR) and the UK GDPR.

Purposes and Lawful Bases
| Purpose | Examples | Lawful Basis (GDPR) |
| --- | --- | --- |
| Provide the Service | Create and authenticate your account, publish posts to Google Business Profile, deliver analytics dashboards. | Performance of a contract. |
| Billing and payments | Process subscription charges, issue invoices, manage refunds and disputes. | Performance of a contract; legal obligation. |
| Security and fraud prevention | Detect and block credential-stuffing attacks, lock compromised accounts, investigate abuse. | Legitimate interests (protecting the Service and users); legal obligation. |
| Service communications | Send billing receipts, security alerts, service announcements, and legally required notices. | Performance of a contract; legal obligation. |
| Customer support | Respond to support tickets, troubleshoot issues, administer refunds. | Performance of a contract; legitimate interests. |
| Product improvement | Analyze aggregated usage patterns to improve features, reliability, and performance. | Legitimate interests (improving the Service). |
| Marketing (optional) | Send product updates, newsletters, or promotional emails when you opt in. | Consent (withdrawable at any time). |
| Legal compliance | Comply with tax, accounting, anti-fraud, and other legal obligations; respond to lawful requests. | Legal obligation; legitimate interests. |

05 How We Share Information

We do not sell personal information, and we do not share personal information with third parties for their own advertising or cross-context behavioral advertising purposes. We share personal information only in the categories below.

  • Subprocessors: we engage a small set of vendors that process personal information on our behalf under written contracts that require confidentiality and appropriate safeguards. See Section 6.
  • Within your organization: if you use team or collaboration features, other members of your team and your account’s administrators may view activity, posts, and settings you create within the team workspace.
  • Compliance and enforcement: we may disclose information where required by applicable law, valid legal process (such as a subpoena or court order), or when we reasonably believe disclosure is necessary to protect the rights, property, or safety of Stackvate Inc., our customers, or the public.
  • Corporate transactions: in the event of a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of the transaction, subject to the terms of this policy or a successor policy at least as protective.
  • With your direction: we share information with third parties when you direct us to, such as when you connect your Google account, enable a white-label integration, or authorize an export.

06 Subprocessors

The following subprocessors support the operation of the Service. Each is bound by contractual obligations to use personal information only for the purpose of providing the services we have contracted them for, and to implement appropriate technical and organizational safeguards.

Current Subprocessors
| Provider | Purpose | Data Categories | Location |
| --- | --- | --- | --- |
| Stripe, Inc. | Payment processing, subscription billing, invoicing, dispute management. | Billing contact details, payment method metadata, transaction records. | United States (with global infrastructure). |
| Google LLC | Google Business Profile API access and OAuth authentication for account linking. | Google account identifiers, OAuth tokens, Business Profile metadata you authorize. | United States (with global infrastructure). |
| Resend (Resend, Inc.) | Delivery of transactional email (password resets, security alerts, billing notices, service announcements). | Recipient email address, message content, delivery status. | United States. |

We review our subprocessor list periodically. We will update this section and, where required by law or contract, provide notice of material changes prior to engaging a new subprocessor. A standalone, referenceable version of this list (suitable for inclusion in a data processing agreement or due-diligence questionnaire) is published at https://gbpcentral.com/subprocessors.

07 Google API Services User Data

GBPcentral’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We access Google user data only to provide the features you have requested: authenticating and linking your Google Business Profile locations, reading profile metadata, publishing posts, and retrieving performance insights. We do not use Google user data for advertising, do not sell Google user data, and do not allow humans to read Google user data except (i) with your explicit consent, (ii) for security investigations, (iii) to comply with applicable law, or (iv) where the data has been aggregated and anonymized for internal operations. You may disconnect your Google account at any time from within the Service, which revokes our OAuth tokens and stops further access.

08 Excellence Award Public Registry

8.1 What we publish on the registry

The GBPcentral Excellence Award™ maintains a public registry at https://gbpcentral.com/certified that lists businesses we have recognized. For each recognized business, the public certificate page shows the following information drawn from publicly available Google Business Profile data observed at the time of evaluation: business name, business address, business category, business website, business phone number, the audit score, the Google rating, and the count of Google reviews. The page also shows the certificate’s issuance date, validity period, tier, and unique serial number, together with structured data (schema.org) that helps search engines index the page.

Because Google Business Profile information is by its nature publicly available, the legal basis for our publication is our legitimate interest in operating an independent recognition program and the public’s interest in being able to verify a Recipient’s certificate. We do not publish customer review text, individual reviewer names, internal admin notes, opt-out submissions, or any other non-public material on the public registry page.

8.2 What we collect when you submit forms on the registry

Two public forms on the registry collect personal information beyond what we publish:

  • Opt-out form at https://gbpcentral.com/certified/opt-out: collects the certificate Serial Number, the business name, the requestor’s name, email address, role, optional business phone, optional reason, and submitter IP address and browser user-agent. The form also captures, depending on which verification path the submitter chooses, the email address and stable subject identifier of the Google account used for Google Business Profile-manager verification, the email address used for business-domain email verification, or a free-text statement provided to a human reviewer for manual verification. We use this information to confirm the submitter’s authority to act on behalf of the business, deliver the confirmation email containing the rescind link, prevent re-issuance for the named Place ID, and maintain a record sufficient to defend the request if it is later disputed. We do not persist any one-time verification codes, OAuth access tokens, or OAuth refresh tokens generated during the verification round trip.
  • Free printed-copy request form on each public certificate page: collects the requestor’s name and email address, the ship-to name and street address, and an authorization acknowledgement. We also record the request IP and browser user-agent. We use this information solely to print, address, ship, and track the printed copy, to send confirmation and shipped-status emails, and to defend against fraudulent or duplicative requests.

Both forms are submitted only by people who choose to submit them. Both confirm a transaction the submitter initiated, and we do not use this information for marketing or sell it to any third party.

8.3 Removal from the registry

Any Recipient may request removal at any time, for any reason, at no cost, through the public opt-out form. The form requires the submitter to confirm authorization to act on behalf of the business through one of three verification paths before any removal is scheduled: (i) signing in with the Google account that manages the business’s Google Business Profile, where we read the manager list of the business profile to confirm the relationship and discard the access token immediately afterwards; (ii) entering a one-time verification code emailed to an address at the business’s own website domain (extracted from the certificate’s frozen website snapshot), where we store only a one-way hash of the code and never persist the code itself; or (iii) submitting a short statement for review by a GBPcentral administrator where neither self-service path is available, with a target review time of 72 hours. Once authorization is confirmed, the certificate enters a 7-day pending-removal hold, during which the certificate’s public page displays a removal notice and a separate authorized representative has a window to rescind the request via a single-use link emailed to the submitter. After 7 days, the certificate is permanently revoked and the business is removed from the public directory. Revocations are irreversible by design.

8.4 Retention of registry-related personal information

Personal information submitted through the opt-out form is retained for two years from submission and then automatically pruned, except for the operational fields needed to maintain the issuance blocklist (Place ID, source, verification method, role, business name, authorization acknowledgement, and the date received). Personal information held on the verification record itself (intake fields, OAuth identity captured during Google verification, the email address used for business-domain email verification, and any free-text statement submitted for manual review) is treated as part of the same retention pool and pruned on the same schedule; one-time verification codes are never persisted in plaintext form and are cleared from the record as soon as the code is verified, expires, or is locked out by the per-record attempt cap. Personal information submitted through the free printed-copy request form is retained for one year after the request reaches a terminal state (delivered or cancelled) and then automatically pruned, except for the operational fields needed to maintain a fulfilment audit trail (status, timestamps, tracking number, ship-to state, ship-to country). The retention schedule below summarizes this in tabular form. We will honor any longer retention period that is legally required (for example, to defend a legal claim).

8.5 Your rights

Your privacy rights with respect to registry-related personal information are the same as for the rest of the Service. See Section 11 for how to make a request. Requests for access, deletion, correction, or restriction relating to a public registry page can also be addressed through the opt-out form, which is the simplest path for the most common request (removal of the listing). Privacy rights requests under GDPR Articles 15 to 22 may also be sent directly to privacy@gbpcentral.com; rights requests submitted through that channel are processed under our identity-verification framework for data-subject rights requests rather than the business-authorization framework on the opt-out form, so a data subject who is not the business owner does not need to demonstrate business authority to exercise their rights.

8.6 Non-US businesses and EU/UK data protection law

The Excellence Award Program does not restrict eligibility by country, and consequently a business located in the European Economic Area (EEA), the United Kingdom, or Switzerland may appear on the public registry. Where the registry causes us to process personal information of natural persons located in the EEA or the United Kingdom, we treat that processing as falling within the territorial scope of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the UK General Data Protection Regulation (the UK GDPR as defined in the UK Data Protection Act 2018, together the “UK GDPR”) under Article 3(2)(a) and (b), and we comply with the applicable obligations as set out in this Section 8.6.

Categories of data subjects

Most fields published on a public certificate page describe a business entity rather than a natural person and therefore do not constitute personal data under GDPR Article 4(1). A business’s name, address, category, audit score, Google rating, review count, and certificate metadata are corporate identifiers, not personal data. However, three categories of fields can, in particular factual contexts, identify or relate to a natural person and are therefore treated as personal data:

  • Business phone number, where the listed number is a sole-trader’s personal mobile or otherwise reasonably linkable to a single individual.
  • Business website, where the website’s domain or content reveals the identity of a sole trader, freelancer, or natural person operating under a business name.
  • Business name itself, where the business name contains a natural person’s given or family name (for example “Jane Smith Architects”).

Personal information collected through the public opt-out form and the public printed-copy request form (requestor name, email, role, IP address, and any free-text reason) is also processed under this Section 8.6 when submitted by data subjects located in the EEA or the United Kingdom.

Lawful basis

We rely on Article 6(1)(f) of the GDPR and the UK GDPR (legitimate interests pursued by the controller or by a third party) as the lawful basis for processing personal information in connection with the public registry. Our legitimate interests are: (i) operating an independent recognition program that surfaces high-performing Google Business Profile listings to the benefit of consumers, prospective customers, and the recognized businesses themselves; (ii) maintaining the integrity, accuracy, and verifiability of the public registry as a trustworthy reference; (iii) deterring and detecting fraud or impersonation in connection with the certificate; and (iv) operating, securing, and improving the Service. We have conducted a balancing test under Article 6(1)(f) and concluded that these legitimate interests are not overridden by the interests, fundamental rights, or freedoms of the data subjects identified above, because (a) the underlying source data is publicly available on Google Business Profile and is therefore already broadly accessible without our action; (b) we publish no information that is not already public on Google; (c) the program serves a clear public-interest function in independent recognition; and (d) every business that is the subject of a public registry entry has a low-friction opt-out mechanism with multiple self-service verification paths and a manual-review fallback for cases where neither self-service path is available, with the 7-day pending-removal hold beginning immediately on a successful self-service verification and within a target 72-hour review window for manual-review submissions. 
Data subjects may at any time object to processing under Article 21 of the GDPR or the UK GDPR through the channels in Subsection “Your rights” below; an Article 21 objection in connection with the registry is processed under our identity-verification framework for data-subject rights requests, so a data subject who is not the business owner does not need to demonstrate business authority to exercise the right to object.

Data minimization and purpose limitation

We collect only the personal information necessary for the purposes stated above. We do not collect or process special-category data within the meaning of Article 9 of the GDPR or the UK GDPR in connection with the registry. We do not collect data on criminal convictions or offences within the meaning of Article 10. We do not subject any data subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects the data subject within the meaning of Article 22, in connection with the registry; the eligibility evaluator surfaces candidates, but every certificate is reviewed and approved by a human administrator before issuance.

Your rights under GDPR and UK GDPR

If you are a data subject located in the EEA or the United Kingdom, you have the rights granted by Articles 12 to 22 of the GDPR and the corresponding articles of the UK GDPR, including:

  • Right of access (Article 15): obtain confirmation of whether we are processing personal data about you, a copy of that data, and the supplementary information listed in Article 15(1);
  • Right to rectification (Article 16): obtain rectification of inaccurate personal data and completion of incomplete personal data;
  • Right to erasure (Article 17): obtain deletion of personal data without undue delay where one of the grounds in Article 17(1) applies, including where you successfully object under Article 21 and we have no overriding legitimate ground;
  • Right to restriction of processing (Article 18): restrict our processing of your personal data in the circumstances listed in Article 18(1);
  • Right to data portability (Article 20): where applicable, receive personal data you have provided to us in a structured, commonly used, and machine-readable format and transmit it to another controller;
  • Right to object (Article 21): object at any time, on grounds relating to your particular situation, to processing based on Article 6(1)(f). Where you object, we will no longer process the personal data unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms or for the establishment, exercise, or defence of legal claims. As stated above, an Article 21 objection submitted in connection with the registry will be treated as a removal request;
  • Right not to be subject to automated decision-making (Article 22): the registry does not produce decisions affecting you based solely on automated processing, but you retain this right;
  • Right to lodge a complaint with a supervisory authority (Article 77): lodge a complaint with the data protection authority of the EEA Member State of your habitual residence, place of work, or the place of the alleged infringement, or with the United Kingdom Information Commissioner’s Office (the ICO) in the United Kingdom.

To exercise any of these rights, contact us at privacy@gbpcentral.com. The public opt-out form at https://gbpcentral.com/certified/opt-out is also available where the most appropriate response to your rights request is removal of a public registry listing, but please note that the form’s verification step is designed to confirm authority to act on behalf of a business; if you are a data subject whose rights request is not best served by removal (for example, an access or rectification request), or if you are unable to satisfy any of the business-authorization paths on the opt-out form, please use privacy@gbpcentral.com directly and we will process your request under our identity-verification framework for data-subject rights requests instead. We will respond without undue delay and in any event within one month of receiving the request, as required by Article 12(3); we may extend that period by two further months where necessary, taking into account the complexity and number of requests, and will inform you of any such extension within one month of receipt. We do not charge a fee for processing rights requests except where they are manifestly unfounded or excessive (Article 12(5)). We may request information necessary to verify your identity before responding to a rights request.

International transfers

Stackvate Inc. is established in the United States. Personal information processed in connection with the registry, including registry-related submissions from EEA or UK data subjects, is therefore transferred to the United States. Where required, we rely on appropriate safeguards under Articles 44 to 49 of the GDPR and the corresponding provisions of the UK GDPR, including the European Commission’s Standard Contractual Clauses (the 2021 SCCs, Module 4 where applicable) and the UK International Data Transfer Addendum, supplemented by the technical and organisational measures described in Section 15. Section 9 of this policy describes our international-transfer practices in further detail.

EU/UK representative

Stackvate Inc. has not appointed a representative in the European Union under Article 27 of the GDPR or in the United Kingdom under Article 27 of the UK GDPR. The volume and nature of our processing of EEA or UK personal data in connection with the public registry is currently below the thresholds at which an Article 27 representative is, in our reasonable assessment, required, and the processing is occasional, does not involve large-scale processing of special-category or criminal-conviction data, and is unlikely to result in a risk to the rights and freedoms of natural persons taking into account the nature, context, scope, and purposes of the processing. We will appoint an EU representative and a UK representative as required if our processing of EEA or UK personal data exceeds the relevant Article 27 thresholds. EEA or UK data subjects may exercise their rights and lodge complaints with us directly through the channels in this Section in the meantime.

Children’s data

The Service and the registry are not directed to children. We do not knowingly process the personal data of any data subject under 16 in connection with the registry; if we become aware that we have processed such data without an appropriate lawful basis, we will delete it without undue delay.

Records of processing

We maintain records of our processing activities concerning the registry as required by Article 30 of the GDPR and the UK GDPR. A summary of those records is available to data subjects and to supervisory authorities on request through privacy@gbpcentral.com.

8.7 Printed copies are sent only within the United States

Even though the public registry is global, the optional free printed copy of a certificate is dispatched only to addresses within the United States. The print-request form does not accept non-US shipping addresses, the carrier we use does not handle international parcels under this program, and we do not export print artefacts. A non-US business that appears on the registry receives the same digital certificate, public page, QR code, and Open Graph share image as a US business; only the optional physical copy is geographically limited.

09 International Data Transfers

Stackvate Inc. is based in the United States, and personal information processed in connection with the Service is primarily stored and processed in the United States. Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction that has not been recognized as providing an adequate level of data protection, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), together with supplementary measures commensurate with the data and the transfer.

You may request a copy of the safeguards that apply to a specific transfer by contacting us at privacy@gbpcentral.com.

10 Data Retention

We retain personal information only as long as necessary to provide the Service, fulfill the purposes described in this policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Retention periods are summarized below.

Retention Schedule
| Category | Retention Period |
| --- | --- |
| Active account data (profile, content, configurations) | For the life of your account, plus up to 30 days after account closure to complete deletion. |
| Google OAuth tokens | Until you disconnect the Google account or close your GBPcentral account. |
| Posts and media | Deleted within 30 days of account closure. Posts already published to Google Business Profile remain subject to Google’s retention. |
| Billing and tax records (invoices, payment receipts) | Up to 7 years, consistent with US federal and state tax-record retention requirements. |
| Audit logs | Retained for a period consistent with operational, security, and legal needs. |
| Support tickets and correspondence | Up to 3 years after the ticket is closed. |
| System backups | Retained on a rolling basis consistent with our disaster-recovery requirements. |
| Excellence Award certificates and registry pages | Snapshot fields (business name, address, category, score, rating, review count, issuance and expiry dates) are retained while the certificate is active or revoked. The artifact files (PDF, QR, OG image) are retained even after revocation so historical printed copies remain verifiable; the public page reflects revoked state. |
| Excellence Award opt-out submissions | Submitter contact information (name, email, role, IP address, free-text reason, optional phone) and per-verification fields (the email address and stable subject identifier of any Google account used for Google Business Profile-manager verification, the email address used for business-domain email verification, and any free-text statement submitted for manual review) are retained for 24 months from submission and then automatically pruned. One-time verification codes are never persisted in plaintext form and are cleared from the verification record as soon as they are verified, expire, or are locked out. Operational fields (Place ID, source, verification method, business name, authorization acknowledgement, date received) are retained on the issuance blocklist indefinitely to prevent re-issuance. |
| Excellence Award printed-copy requests | Personal fields (requestor name and email, ship-to name and full address, request IP, browser user-agent, internal notes) are retained for 12 months after the request reaches a terminal state (delivered or cancelled) and then automatically pruned. Status, lifecycle timestamps, tracking number, ship-to state, and ship-to country are retained for fulfilment auditing. |
| Aggregated or de-identified analytics | May be retained indefinitely because the information no longer identifies any individual. |

Where we are legally required to retain information for longer (for example, to defend or bring a legal claim, or to comply with a regulator), we will retain the information for the longer of the applicable period and the period described above.

11 Your Privacy Rights

Subject to applicable law and certain exceptions, you may have the following rights regarding the personal information we hold about you:

  • Access: obtain confirmation of whether we process your information and a copy of that information.
  • Correction: request that we correct inaccurate or incomplete information.
  • Deletion: request that we delete your information, subject to legal retention obligations.
  • Portability: receive a copy of certain information in a structured, commonly used, machine-readable format.
  • Objection and restriction: object to or request that we restrict certain processing activities.
  • Withdraw consent: where processing is based on your consent, withdraw that consent at any time.
  • Non-discrimination: exercise your rights without being denied service or charged a different price solely for doing so.
  • Complaint to a regulator: lodge a complaint with your local data-protection authority.

To exercise any of these rights, email privacy@gbpcentral.com from the address on file, or write to us at the postal address in Section 18. We will respond within the timeframes required by applicable law, typically within 30 days. We may need to verify your identity before fulfilling a request.

If a request concerns personal information that you uploaded or configured through the Service as a business customer’s authorized user, we may forward the request to that business customer, which acts as the data controller for such information.

12 Regional Privacy Notices

12.1 European Economic Area, United Kingdom, and Switzerland

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information in accordance with the GDPR and the UK GDPR. The lawful bases we rely on are identified in Section 4. You have the rights listed in Section 11, including the right to lodge a complaint with your local supervisory authority. Where the processing involves an international transfer, the safeguards described in Section 9 apply.

12.2 California (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”). In the preceding 12 months, we have collected the categories of personal information described in Section 3, and we have disclosed those categories to the subprocessors listed in Section 6 for the purposes described in this policy. We have not sold or shared personal information for cross-context behavioral advertising purposes. California residents may exercise the rights to know, delete, correct, limit use of sensitive personal information (we do not intentionally process such data), and opt out of sale or sharing (not applicable to our practices). California residents may designate an authorized agent to submit requests on their behalf.

12.3 Virginia, Colorado, Connecticut, and Utah

Residents of Virginia (under the VCDPA), Colorado (under the CPA), Connecticut (under the CTDPA), and Utah (under the UCPA) have rights substantially similar to those described in Section 11, including rights of access, correction, deletion, portability, and opt-out of targeted advertising or sale (neither of which we engage in). We do not engage in “profiling in furtherance of decisions that produce legal or similarly significant effects” as those terms are defined under these laws. Residents of Virginia, Colorado, and Connecticut may appeal a denial of a privacy request by emailing privacy@gbpcentral.com with the subject line “Privacy Appeal.”

12.4 Other US States

Residents of other US states that have enacted or will enact comprehensive privacy legislation (including, but not limited to, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, and New Jersey) may have rights comparable to those described above. We extend the core rights of access, correction, deletion, and portability to all residents of the United States, regardless of their state of residence.

12.5 Global Privacy Control

Where required by applicable law, we treat opt-out preference signals such as the Global Privacy Control (GPC) as a valid request to opt out of the sale or sharing of personal information, to the extent any of our processing would otherwise qualify.

13 Cookies and Tracking Technologies

GBPcentral uses a small number of cookies strictly necessary to operate the Service. We do not use third-party advertising cookies, cross-site tracking, behavioral analytics, or retargeting pixels.

Cookies We Use
| Cookie | Category | Purpose | Duration |
|---|---|---|---|
| gbpcentral_session | Strictly necessary | Maintains your signed-in session. | Expires when the browser session ends or after the configured session lifetime. |
| XSRF-TOKEN | Strictly necessary | Protects against cross-site request forgery attacks. | Expires with the session. |
| remember_web_* | Functional (optional) | Keeps you signed in across browser sessions when you select “remember me.” | Up to 5 years, or until you sign out. |

You can clear or block cookies through your browser settings. Blocking strictly necessary cookies will prevent you from signing in or using core parts of the Service.

14 Automated Decision-Making

We do not use personal information to make decisions based solely on automated processing that produce legal or similarly significant effects on you. Automated safeguards (such as account lockout after repeated failed sign-in attempts, or fraud-screening signals from our payment processor) are used only to protect the Service and are subject to human review upon request.

15 Security Program

We maintain administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. Controls include, without limitation:

  • Encryption of data in transit using TLS 1.2 or higher, and encryption at rest for sensitive fields including credentials, tokens, and authentication secrets.
  • Password hashing using industry-standard algorithms; plaintext passwords are never stored.
  • Optional two-factor authentication for account holders.
  • Least-privilege access controls, administrative role separation, and audit logging of privileged actions.
  • Automated failed-login monitoring and account lockout.
  • Strict Content Security Policy, server-side request forgery prevention, file upload scanning, and input validation at application boundaries.
  • Routine patching, dependency monitoring, and vulnerability management.

No method of transmitting or storing information over the Internet is entirely secure. If you believe your account has been compromised, contact support@gbpcentral.com immediately. If we confirm a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and applicable regulators in accordance with law.

16 Children’s Privacy

The Service is intended for business users and, as provided in our Terms of Service, requires users to be at least 18 years old. We do not target, market to, or knowingly collect personal information from anyone under the age of 18. This threshold is intentionally stricter than the minimum ages required under the United States Children’s Online Privacy Protection Act (COPPA) and the General Data Protection Regulation (GDPR). If you believe a minor has provided us personal information, contact us at privacy@gbpcentral.com and we will take steps to promptly delete it.

17 Changes to This Policy

We may update this policy from time to time to reflect changes in the Service, applicable law, or our practices. When we make material changes, we will update the “Effective” date above and, where required by law or contract, provide advance notice by email or through the Service. Your continued use of the Service after an updated policy takes effect constitutes your acceptance of the updated policy, to the extent permitted by applicable law.

18 Contact Us

For questions about this policy or our privacy practices, or to exercise any of your rights, please contact us using one of the channels below.

Privacy requests

privacy@gbpcentral.com

Data Protection contact

dpo@gbpcentral.com

Legal notices

legal@gbpcentral.com

Postal address

Stackvate Inc.
1270 Avenue of the Americas, 7th Floor - 1169
New York, NY 10020, United States