Legal

Privacy Policy

Last updated: 15 April 2025

Contents

  1. Who We Are
  2. Products Covered by This Policy
  3. Data We Collect
  4. How We Use Your Data
  5. Google & Search Console Data
  6. HubSpot App Data
  7. Data Storage & Security
  8. Third-Party Services
  9. Data Retention
  10. Your Rights
  11. Cookies
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact Us

1. Who We Are

GSC Dojo ("we", "us", "our") is an independent software product. We are not affiliated with, endorsed by, or in any way officially connected with Google LLC. You can reach us via our contact form.

2. Products Covered by This Policy

This Privacy Policy applies to all GSC Dojo products, including:

  • The GSC Dojo Chrome Extension — a browser extension that overlays Google Search Console to provide enhanced filtering, exports, and opportunity detection.
  • The GSC Dojo Web Tool — a web application (gscdojo.com) that connects to Google Search Console via OAuth for analysis and reporting.
  • The GSC Dojo HubSpot App — a HubSpot CRM card integration that surfaces Google Search Console data within HubSpot portals.
  • The gscdojo.com website — our marketing site, including the waitlist form.

3. Data We Collect

3.1 Account & Identity Data

  • Email address (when you sign up, subscribe, or join the waitlist).
  • Google account identity (your Google user ID and email address, obtained via OAuth when you connect your Google account).
  • HubSpot portal identity (your HubSpot portal ID and associated account details, obtained via OAuth when you install the HubSpot app).

3.2 Google Search Console Data

When you grant GSC Dojo access to your Google account, we access your Google Search Console data via Google's official Search Console API. This includes:

  • Search query (keyword) data — clicks, impressions, CTR, and average position.
  • Page-level performance data.
  • Date-range comparisons.
  • Site URL(s) verified in your GSC account.

We access this data solely to provide the features you request. We do not sell, share, or use your GSC data for advertising, profiling, or any purpose other than operating the product for you.

3.3 HubSpot Portal Data

When you install the GSC Dojo HubSpot App, we obtain OAuth tokens that allow us to:

  • Read your HubSpot portal ID and account information.
  • Display CRM card data within your HubSpot portal (read-only access to contact/company records as needed to render cards).
  • Write GSC performance data to HubSpot Custom Objects (if you enable the data warehouse feature) — this stores historical GSC metrics in your own HubSpot portal.

3.4 Usage & Technical Data

  • Browser type and version (Chrome extension telemetry).
  • Pages visited on gscdojo.com.
  • Feature usage events (e.g., "export triggered", "filter applied") — aggregated and anonymised where possible.
  • Server access logs (IP address, request timestamps).

3.5 Payment Data

Payments for the Chrome extension subscription are handled by Stripe. We do not store your full card number, CVV, or other sensitive payment credentials. Stripe provides us with a billing identifier, subscription status, and email address. See Stripe's Privacy Policy for how they handle payment data.

4. How We Use Your Data

We use the data we collect to:

  • Provide and operate the GSC Dojo products you have requested.
  • Process subscription payments and manage your account.
  • Sync your Google Search Console data into HubSpot Custom Objects (HubSpot app users only, when enabled).
  • Send transactional emails (account, billing, feature updates you requested).
  • Notify waitlist members when the free web tool launches.
  • Debug issues and improve product reliability.
  • Comply with legal obligations.

We do not use your data for advertising, retargeting, or selling to third parties.

5. Google & Search Console Data

GSC Dojo's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request the minimum OAuth scopes required to operate the product (read-only access to Google Search Console data via https://www.googleapis.com/auth/webmasters.readonly).
  • We do not use Google user data to develop, improve, or train generalised AI or machine learning models.
  • We do not transfer Google user data to third parties except as necessary to provide the product (e.g., storing tokens in our encrypted database, rendering data in your HubSpot portal).
  • We do not allow humans to read your Google user data except where you have given explicit permission or where necessary for security investigation.

OAuth tokens obtained from Google are encrypted at rest using AES-256-GCM and stored in our database. You may revoke access at any time via your Google Account permissions page.

6. HubSpot App Data

The GSC Dojo HubSpot App is installed via HubSpot's OAuth flow. When you install the app:

  • We store your HubSpot portal ID and encrypted OAuth access/refresh tokens in our database (Supabase Postgres).
  • We use these tokens to authenticate API requests to HubSpot on your behalf (e.g., rendering CRM cards, creating Custom Objects).
  • We do not access HubSpot contact data beyond what is required to render the CRM card view.
  • HubSpot OAuth tokens are encrypted at rest using AES-256-GCM.

You may uninstall the HubSpot app at any time from your HubSpot account settings. Upon uninstall, we delete your portal's stored tokens from our database.

7. Data Storage & Security

  • Database: We use Supabase Postgres (hosted in the EU/US depending on configuration) to store account data and encrypted OAuth tokens.
  • Encryption: All OAuth tokens (Google and HubSpot) are encrypted at rest using AES-256-GCM before storage.
  • Transport: All data in transit is encrypted via HTTPS/TLS.
  • Access control: Only authorised personnel (currently the product owner) have access to the production database.
  • Serverless infrastructure: Our API runs on Vercel's serverless platform. We do not operate persistent servers that cache your GSC data beyond what is required to serve a request.

No security system is impenetrable. If we become aware of a data breach that affects your personal data, we will notify you as required by applicable law.

8. Third-Party Services

We share data with the following third parties only as necessary to operate the product:

  • Google LLC — OAuth authentication and Search Console API access.
  • HubSpot, Inc. — CRM card rendering and Custom Object storage (HubSpot app users).
  • Stripe, Inc. — Payment processing and subscription management.
  • Supabase — Hosted Postgres database.
  • Vercel, Inc. — Serverless hosting and edge infrastructure.

We do not sell your data to any third party. We do not share your data with advertisers or data brokers.

9. Data Retention

  • Account data: Retained while your account is active. You may request deletion at any time.
  • OAuth tokens: Deleted when you disconnect your Google account or uninstall the HubSpot app.
  • Waitlist emails: Retained until the waitlist closes or until you unsubscribe.
  • Server logs: Retained for up to 30 days for security and debugging purposes.
  • HubSpot Custom Object data: Stored inside your own HubSpot portal — deletion is governed by your HubSpot account settings.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data ("right to be forgotten").
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to certain uses of your data.
  • Withdrawal of consent: Revoke OAuth access via your Google or HubSpot account settings at any time.

To exercise any of these rights, please use our contact form. We will respond within 30 days.

If you are in the European Economic Area or United Kingdom, you also have the right to lodge a complaint with your local data protection authority.

11. Cookies

The gscdojo.com website uses only essential cookies required for authentication and session management. We do not use advertising or tracking cookies. The Chrome extension does not set cookies on third-party sites.

12. Children's Privacy

GSC Dojo is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify active users by email. Continued use of GSC Dojo after changes constitutes acceptance of the revised policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

GSC Dojo
Contact Form