Privacy Policy
Last updated: April 30, 2026
1. Who We Are
This Privacy Policy explains how Assurgit LLC (“Assurgit,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you visit assurgit.com or subscribe to the Assurgit Service (the “Service”).
Two categories of people are described:
- Customers — businesses that subscribe to Assurgit.
- End users — visitors to a Customer’s website that we operate (typically the Customer’s prospective clients).
This policy covers both. The Terms of Service govern the contractual relationship; this Privacy Policy explains data practices.
2. Information We Collect
From Customers (during signup and operation of the Service):
- Business name, owner name, business email, business phone
- Business address (used for GBP, schema, citations)
- Service offerings, target service area, hours, photos you provide
- Existing accounts you authorize us to manage (Google Business Profile, Google Search Console, GA4, Bing Webmaster Tools, social platforms — see Section 4)
- Billing information processed by Stripe (we do not store card numbers; we store Stripe customer/subscription IDs only)
- Communications with us (email, support tickets, intake call notes)
From End users of the Customer’s site:
- Standard server-log data (IP address, user agent, referrer, timestamps)
- Page views and interactions (via Google Analytics 4 if the Customer has it enabled)
- Form submissions (name, email, phone, message — only when the End user voluntarily submits a contact or booking form)
- Cookies set by Google Analytics, Google Tag Manager, and any third-party booking widget the Customer chooses to embed (Booksy, Fresha, Cal.com, etc.)
3. How We Use Information
- Build and operate the Customer’s website, GBP, and citations
- Process payments and recurring subscriptions through Stripe
- Send the Customer transactional emails (receipts, scheduling, monthly reports, cancellation handoffs) via Resend
- Forward End-user form submissions to the Customer for follow-up
- Improve our internal tooling and templates (in aggregate, not at the per-Customer level)
- Comply with legal obligations and enforce our Terms
We do not sell personal information. We do not share End-user form submissions with anyone other than the Customer who operates the site that received them.
4. Platform-Specific Data Access
When you authorize Assurgit to operate accounts on platforms below, we receive an OAuth token (or, where appropriate, are added as a Manager) and use it strictly to perform the Service for your tier.
Google services
Google Business Profile (Manager access — never Owner), Google Search Console (read + sitemap submission), Google Analytics 4 (read), Google Indexing API (URL submission), Google Maps Platform (where applicable for embeds). We never request Customer Owner transfer of GBP and you can revoke our Manager access at any time from your Google account settings.
Bing Webmaster Tools
Sitemap submission and Bing IndexNow ping for new pages. No personal browsing data flows to us from this integration.
Cloudflare
Site hosting (Workers + R2 + D1), DDoS / WAF, automatic SSL. Cloudflare processes End-user request metadata as our infrastructure provider; see Cloudflare’s privacy notice for details on its handling.
Stripe
All payment processing. Stripe receives card and billing-address data directly from the Customer; we receive only Stripe-issued customer and subscription IDs, last-4 / brand of card (for display), invoice metadata, and webhook events. See Stripe’s privacy notice for their data handling.
Resend
Transactional email delivery (receipts, intake scheduling, monthly reports, no-deposit subscribe links). Resend stores recipient email addresses and message metadata for delivery logging.
Booking platforms
We embed your existing booking widget (Booksy, Fresha, Square Appointments, Cal.com, Vagaro, GlossGenius, Calendly). Bookings submitted through these widgets are processed by the booking provider you chose; their privacy notice governs that data.
Citation directories
When we submit your business listing to directories such as Yelp, Apple Maps, Bing Places, Foursquare, Yellow Pages, BBB, Manta, CitySquares, Nextdoor, Tupalo, Patch, Thumbtack, Angi, OpenStreetMap, Wikidata, and similar, we transmit your published name / address / phone / website / hours / category — the same data already public on your site and GBP. Each directory’s privacy practices are governed by that directory.
Social media platforms (Growth/Scale tiers)
Where you authorize us to operate social posting on your behalf, we use OAuth-scoped access to Instagram (Meta Graph API), Facebook Pages, TikTok Content Posting API, Reddit, YouTube Data API, and other platforms as added. We post on your behalf only; we do not read direct messages and do not download your followers list except where required by the platform’s API to perform the publishing action.
5. YouTube API Services
Where the Customer authorizes the YouTube integration, the Service uses YouTube API Services in accordance with the YouTube Terms of Service and the Google Privacy Policy. Customers may revoke our access at any time via the Google security settings page. We use YouTube Data API only to upload videos you authorize, retrieve titles / descriptions / thumbnails of those uploads, and read aggregate analytics. We do not use YouTube data for any purpose other than performing the Service.
6. Where Data Lives
- Cloudflare D1 (SQLite at the edge) — Customer billing state (subscriptions, invoices), business profile data, citations queue, post schedule.
- Cloudflare R2 — Customer-uploaded media (photos, logos) and site-export bundles at cancellation.
- Postgres (operated by Assurgit) — research-pipeline data: keyword scores, competitor crawls, SERP signals, voice-of-customer extracts. Used internally to generate the deliverables you receive (monthly reports, content, etc.).
- Stripe — payment processing and subscription state of record.
- Resend — transactional email delivery logs (~30 days).
All data is stored in US regions of the listed providers. Communications between the browser and our infrastructure are TLS-encrypted.
7. Data Sharing
We share information only as needed to operate the Service:
- With sub-processors listed in Section 4 (Cloudflare, Stripe, Resend, Google, Bing, social platforms, citation directories, booking platforms)
- With the Customer who operates a site, when an End user submits a form on that site
- To comply with subpoenas, court orders, or other legal requests; we will notify you of any such request unless prohibited by law
- In connection with a business transfer (merger, acquisition, asset sale), under confidentiality protections at least as strong as those in this policy
We do not sell personal information. We do not share End-user data for advertising targeting outside the Customer’s own marketing of their business.
8. Data Retention
- Customer billing data — kept for the duration of the subscription plus 7 years (federal/state tax recordkeeping).
- Customer business data (NAP, services, content drafts, citations list) — kept while the subscription is active. After cancellation, exported to the Customer and deleted from production within 30 days unless retention is needed for a dispute.
- End-user form submissions — held in our system for up to 90 days after delivery to the Customer, then purged. Customers are responsible for retention in their own systems thereafter.
- Server logs — typically 30 days, or longer where required by an upstream provider (Cloudflare).
- OAuth tokens — stored only while you authorize the integration; revoked when you cancel or remove our access.
9. Data Deletion & Customer Rights
Customers may request deletion at any time by emailing hello@assurgit.com from the email on file. We will:
- Provide a complete export of your business content (zip or git push)
- Remove our Manager access from your GBP and any other authorized accounts
- Revoke any OAuth tokens we hold for your accounts
- Delete your records from our production databases within 30 days, except for minimal records we’re legally required to retain (billing/tax)
See also our Data Deletion page for the platform-specific deletion request flow required by Meta and similar platforms.
10. Cookies & Analytics
On assurgit.com we use Google Analytics 4 to understand how visitors reach and move through the marketing site. GA4 sets first-party cookies that record anonymous device/browser fingerprints; we have not enabled cross-site advertising features.
On Customer-operated sites we ship GA4 (linked to the Customer’s property), Google Search Console verification, and any embed the Customer requests (booking widget, review widget, map). Each Customer site discloses these in its own footer cookie notice.
You may opt out of analytics by enabling Do-Not-Track / Global Privacy Control in your browser, or by installing the official Google Analytics opt-out add-on.
11. Security
We follow industry-standard practices: TLS in transit, encryption at rest where the upstream provider supports it (Cloudflare R2/D1, Stripe, Resend), least-privilege access controls, and rotation of API tokens on suspected exposure. Cardholder data is handled exclusively by Stripe (PCI-DSS Level 1). No system is perfectly secure; if a breach affects your data we will notify you within 72 hours of confirmation, in accordance with applicable law.
12. Children’s Privacy
The Service is intended for businesses operated by adults. We do not knowingly collect personal information from anyone under 13 (or under 16 in the EEA). If we learn we have inadvertently collected such information, we will delete it.
13. EU/EEA & UK Residents (GDPR / UK GDPR)
If you are in the EEA, UK, or Switzerland, you have rights under GDPR / UK GDPR including: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Our lawful bases for processing are (i) performance of a contract with you (the Service), (ii) legitimate interests in operating and improving the Service, and (iii) compliance with legal obligations.
To exercise any of these rights, email hello@assurgit.com. You also have the right to lodge a complaint with your local data protection authority.
14. California Residents (CCPA / CPRA)
California residents have the right to know what personal information we collect, the sources of that information, the purposes of collection, and the categories of third parties with whom we share it (all described above). You also have the right to delete, to correct, and to non-discrimination for exercising your rights.
We do not sell personal information and do not share it for cross-context behavioral advertising. To exercise CCPA rights, email hello@assurgit.com with subject line “CCPA request.”
15. International Transfers
We are based in the United States and our infrastructure providers (Cloudflare, Stripe, Resend, Google) operate primarily in the US. If you access the Service from outside the US, you understand that your information will be transferred to and processed in the US, where data-protection laws may differ from those in your jurisdiction.
16. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated to Customers via email at least 30 days before they take effect.