Reputafy

Reputafy / Legal

Privacy Policy — Google My Business API integration

Last updated 11 May 2026

This page is the dedicated Privacy Policy URL that VelocityNet LLC provides to Google for Reputafy's integration with the Google My Business API (now branded as the Google Business Profile API). It is the URL referenced by the "Application privacy policy link" field of Reputafy's Google Cloud OAuth consent screen and is the policy Google reviewers and end-users see when consenting to Reputafy's access. Google's own handling of user data is separately governed by the Google Privacy Policy.

This page restates, in one place, exactly how Reputafy accesses and uses data obtained through the Google My Business API. The clauses below are reproduced verbatim from our Privacy Policy and apply to every Reputafy Customer who connects a Google My Business (Google Business Profile) account.

1. Which Google APIs we access

Reputafy integrates exclusively with the Google My Business API (the API used to manage Google business listings on behalf of their owners; formally rebranded by Google as the "Google Business Profile API"). We use it through Google's official OAuth 2.0 authorization flow.

The specific APIs and endpoints we call are:

  • My Business Account Management API — to list the Business Profile accounts and locations the connecting Google user manages.
  • My Business Business Information API — to read location metadata (name, address, hours, categories) for the locations the Customer has explicitly authorized.
  • My Business Reviews endpoints— to read reviews and to write replies on the Customer's instruction.
  • My Business Q&A API— to read questions and publish answers on the Customer's instruction.
  • My Business Posts API— to read and publish Local Posts on the Customer's instruction.
  • Google OAuth 2.0 (Sign-In and consent screen) — to authenticate the connecting user and obtain authorization.

Three separate policy documents are relevant to this integration, each governing a different party:

  • The Google Privacy Policy — governs Google's own collection, use and retention of user data, including data Google receives during the OAuth flow. Reputafy is not a party to this policy; it is Google's.
  • The Google API Services User Data Policy — governs how third-party applications such as Reputafy must handle data received from Google APIs, including the Limited Use requirements. Reputafy adheres to it in full (see Section 4 below).
  • This page and our Privacy Policy — govern what VelocityNet LLC (the operator of Reputafy) does with the data we receive from the Google My Business API after the Customer authorizes the connection.

2. What data we request

For locations a Customer explicitly authorizes, Reputafy reads and, on the Customer's instruction, writes the following:

  • Business profile information (name, category, description, hours, contact details)
  • Location metadata (address, geolocation, identifiers)
  • Reviews and review replies posted to the location
  • Questions and answers (Q&A) on the location
  • Local Posts associated with the location

We do not request access to Gmail, Drive, Calendar, Contacts, Photos, YouTube, Search Console, or any other Google service.

3. OAuth scopes we request and the purpose of each

ScopePurpose
https://www.googleapis.com/auth/business.manageThe single scope the Google My Business API (Google Business Profile API) exposes for owner/operator workflows. Required to list the Business Profile locations the Customer manages, read reviews and replies for those locations, post replies on the Customer's behalf, and synchronize posts and Q&A. We use it only for locations the Customer explicitly selects in the Reputafy UI.
openidUsed to identify the Google account the Customer is connecting so that we can attribute connected locations to the right person inside the Customer's Reputafy workspace.
https://www.googleapis.com/auth/userinfo.emailUsed to display which Google account is connected inside the Reputafy UI so administrators can verify they connected the correct account, and to send security notifications about that account.
https://www.googleapis.com/auth/userinfo.profileUsed to display the connected user's name and avatar in the Reputafy UI for the same identity-verification purpose as above.

We request only the scopes listed above. We do not request additional scopes opportunistically and we do not retain refresh tokens beyond the period needed to operate the connection the Customer has authorized.

4. Limited Use disclosure

Reputafy's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We do not allow humans to read Google user data unless: (a) we have obtained the user's affirmative agreement to view specific messages; (b) it is necessary for security purposes such as investigating abuse; (c) it is necessary to comply with applicable law; or (d) the data is aggregated and used for internal operations in compliance with applicable privacy and other jurisdictional legal requirements.
We do not sell, rent, or transfer Google user data to third parties for advertising, credit-worthiness assessment, or any unrelated purpose.

5. AI and machine-learning use of Google data

We do not use Google user data to train, develop, or improve generalized or non-personalized AI/ML models. Any AI features (such as suggested replies) operate only on the specific Customer's data, on a per-request basis, and outputs are not retained for model training.

5.1 How AI features handle Google data in practice

When Reputafy drafts a suggested reply to a Google review, the request to our AI providers contains: (i) the review text, (ii) the location's brand-voice settings configured by the Customer, and (iii) up to five operator-defined reply examples. The request does not include credentials, billing data, end-user identifiers from other platforms, or unrelated Customer Content.

Our AI subprocessors operate under zero-data-retention agreements: they do not store request or response data beyond the time required to return a response, and they do not use Reputafy traffic to train their models.

6. How users disconnect

Customers can disconnect Reputafy from the Google My Business API at any time:

  • Inside Reputafy — Settings → Connected accounts → Google My Business (Business Profile) → Disconnect.
  • Inside your Google account myaccount.google.com/permissions → select Reputafy → Remove access.

Disconnection immediately revokes our access tokens and stops all ongoing polling of the disconnected account.

7. Storage and retention of Google data

  • Google API access and refresh tokens are encrypted at rest using envelope encryption (AES-256) and rotated automatically.
  • Review, reply and Q&A content fetched from Google is stored in the Customer's Reputafy workspace and treated as Customer Content under our Data Processing Addendum.
  • On disconnection or account termination, Google data is deleted on the Customer's instruction or, by default, within 30 days after termination.

8. Contact

For any question about how Reputafy uses Google APIs, contact amine@reputafy.com. You can also contact our Data Protection Officer at amine@reputafy.com.