Privacy Policy

FigureOut acts as a Data Fiduciary under the Digital Personal Data Protection (DPDP) Act, 2023. This policy describes how we collect, process, protect, and retain your personal and business data.

Last updated: June 2026

1. Personal Data Categories We Process

We collect and process the following categories of personal and business data:

  • Account Information: Name, email address, profile picture URL, and login identifiers shared during Google OAuth signup.
  • Google Business Profile (GBP) Data: Location IDs, business names, physical addresses, telephone numbers, user reviews, posts, and analytics metrics accessed via Google My Business API.
  • System & Usage Logs: Access logs, IP addresses, session identifiers, action history, and automated rule configurations.
  • Transactional & Billing Records: Payment logs, invoice history, and billing plan parameters (no raw credit card details are stored locally).
  • Support Correspondence: Technical tickets, demo bookings, and communications sent to our support channels.

2. Purposes of Data Processing

FigureOut processes your personal data only for specific, lawful purposes with your consent:

  • To sync customer reviews from Google APIs and display them on your dashboard.
  • To draft AI-generated review responses using local Gemini AI integrations.
  • To schedule and automatically publish posts to your Google Business Profiles.
  • To monitor local listing performance and deliver monthly reports.
  • To secure your account sessions, authenticate identity, and prevent malicious actions.
  • To log legal requests and coordinate customer support queries.

3. Authorized Subprocessor Disclosures

To deliver our services, we transfer limited personal data to select processors. They are contractually bound to process data only under our instructions and in compliance with security standards:

  • Payment Processing: Razorpay Software Private Limited (India) — Processes subscription charges, payments, and billing details under PCI-DSS guidelines.
  • Cloud Hosting & Databases: Hostinger International Ltd (Tier-III Datacenters in India) — Hosts our web applications, audit tables, and encrypted token databases.
  • Google APIs: Google LLC (USA) — Interfaced to request user credentials via OAuth 2.0 and execute GMB review/post syncing.
  • AI Processing: Google DeepMind Gemini API — Programmatically queried to draft review reply recommendations. Business review strings are not stored or used by Google for public model training.
  • Email Delivery: Local server SMTP services — Dispatches security alerts, account updates, and verification emails.

4. Consent Withdrawal & Retention

Under DPDP rules, you have the right to withdraw your consent to data processing at any time. Consent withdrawal can be initiated via these mechanisms:

  • Disconnecting GBP Locations: Deleting synced business locations from the FigureOut dashboard removes all cached review histories and scheduled post queues immediately.
  • OAuth Revocation: Revoke FigureOut's token access directly inside your Google Account Security console. This stops all background syncing instantly.
  • Account Deletion: Clicking "Delete Account" in settings triggers a hard delete of your database workspace, user record, and AES keys within 24 hours.

Retention limits: Free inactive profiles and associated OAuth tokens are automatically purged by daily cron jobs 90 days after subscription expiry. Transaction history is kept for 7 years for compliance with tax auditing rules in India.

5. Google API Services Compliance

FigureOut's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do not share, sell, or transfer your Google Business Profile data to advertising networks, third-party brokers, or external analytics firms. View our detailed Google API Compliance disclosure.

6. Your Rights as a Data Principal (DPDP)

Under the DPDP Act 2023, you possess strong rights over your personal data. You can exercise these rights through our dedicated portals or by contacting our Grievance Officer:

  • Right to Access: Request a summary of your personal data processed by FigureOut. Requests are manually reviewed and processed. Access Portal →
  • Right to Correction & Update: Request correction of inaccurate, outdated, or incomplete records. Correction Portal →
  • Right to Portability & Export: Request a structured, machine-readable export of your data. Data export requests are processed manually to guarantee accuracy and safety. Export Portal →
  • Right to Erasure (Withdraw Consent): Request deletion of your personal data. View our Data Deletion Policy to start deletion.
  • Right to Nominate: You have the right to nominate another individual to exercise your rights under the DPDP Act in the event of death or incapacity. To file a nomination, please email privacy@figureout.in with subject DPDP Nomination Request, detailing your nominee's name, email, and relation.

7. Security Safeguards & Breach Notifications

We deploy AES-256-GCM encryption for Google OAuth tokens at rest, isolate database structures by customer account ID, and mandate TLS 1.3 encryption for all data in transit.

In the event of a verified security breach affecting your personal data, FigureOut will execute a rapid containment response and notify both affected users and regulatory authorities (including CERT-In) within 72 hours. For details, view our Security Page.

8. Grievance Officer Contact (DPDP)

For grievances, nomination requests, or queries regarding data processing, contact our designated Grievance Officer:

FigureOut Privacy & Data Protection Desk
Email: privacy@figureout.in
Response SLA: Acknowledgement within 72 hours; resolution within 30 days.