Google API Services Disclosure
Google API Services User Data Policy
Last updated: April 17, 2026
This page describes how GrayLeads accesses, uses, stores, and shares data obtained through Google API Services, including Google Sign-In, Google OAuth for Gmail, and Google Maps Platform. This disclosure is provided in accordance with the Google API Services User Data Policy, including the Limited Use requirements.
Google API Services User Data Policy Compliance
GrayLeads' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
1. Google services GrayLeads uses
GrayLeads integrates with the following Google API Services:
| Google Service | Purpose in GrayLeads | Scopes / Data Accessed |
|---|---|---|
| Google Sign-In (OAuth 2.0) | Allows users to sign in to GrayLeads using their Google account instead of email and password, and to link their Google account to an existing GrayLeads account for easier login. | openid, email, profile / Name, email address, profile photo, and Google account ID. |
| Gmail API | Allows users to connect a Gmail account as a sender identity so that emails sent from GrayLeads are dispatched through the user's own Gmail mailbox. | openid, email, profile, https://www.googleapis.com/auth/gmail.send / Sender profile, email address, and permission to send emails on the user's behalf. |
| Google Maps Platform | Powers map rendering, Places search, geocoding, and business lead discovery workflows within GrayLeads. | Search queries, location coordinates, place IDs, and business information returned by Google Maps APIs. No user-account OAuth scopes are used for Maps. |
2. What Google user data we access
Google Sign-In
- Google account ID — used to uniquely identify your Google account for login matching.
- Email address — used to match your Google account to your GrayLeads account.
- Display name — shown in the GrayLeads interface when you sign in.
- Profile photo URL — may be displayed in the GrayLeads interface.
Gmail sender connection
- Email address and name — used to identify the connected Gmail sender in GrayLeads.
- OAuth refresh token — stored in encrypted form on our servers to maintain the connection. Used only to obtain short-lived access tokens for sending emails.
- gmail.send permission — used exclusively to send emails that you compose or approve in GrayLeads. GrayLeads does not read, search, modify, or delete any emails in your Gmail inbox.
Google Maps
- Search queries and location parameters you enter into GrayLeads search features.
- Business data returned by Google Maps APIs (business names, addresses, phone numbers, websites, ratings, categories, and place IDs).
3. How we use Google user data
GrayLeads uses Google user data strictly for the following purposes:
- Authentication: To sign you in, verify your identity, and link your Google account to your GrayLeads account.
- Email sending: To send emails from your connected Gmail account when you compose or approve an email in GrayLeads.
- Lead discovery: To search for and display business information from Google Maps based on your search queries.
- Account display: To show your name, email, and profile photo within the GrayLeads workspace.
GrayLeads does not use Google user data for:
- Advertising, retargeting, or interest-based profiling.
- Selling or renting to third parties.
- Training machine learning or AI models.
- Any purpose unrelated to the core features described above.
4. How we store Google user data
- Google account ID is stored in the users database table, linked to your GrayLeads user record.
- Gmail OAuth refresh tokens are encrypted before storage using a dedicated encryption secret and are stored in the application's system configuration database. They are never exposed to frontend code or logs.
- Email addresses and profile names from Google are stored as part of your user profile and connected sender account records.
- Google Maps search results are stored as contact/lead records in your company workspace database.
- All data is transmitted over HTTPS/TLS. Database access is restricted by role-based controls.
5. How we share Google user data
GrayLeads does not sell, rent, or share Google user data with third parties except as follows:
- With Google: OAuth tokens are sent back to Google APIs to authenticate requests (e.g., sending an email through Gmail API).
- Within your workspace: Administrators in your GrayLeads company workspace can see the connected sender accounts and sent email logs.
- Legal requirements: We may disclose data if required by law, court order, or valid legal process.
Google user data obtained via Google Sign-In or Gmail API is never shared with advertising networks, data brokers, AI model training pipelines, or any information resellers.
6. Google API Services Limited Use Disclosure
Limited Use Compliance
GrayLeads' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, GrayLeads:
- Only uses Google data for the stated purposes. Data obtained from Google APIs is used exclusively to provide and improve the user-facing features described in this disclosure (authentication, email sending, and lead discovery).
- Does not transfer Google user data to others unless (a) necessary to provide or improve the user-facing features, (b) required for security purposes, (c) required to comply with applicable law, or (d) as part of a merger/acquisition/asset sale with prior notice to users.
- Does not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
- Does not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (e.g., investigating abuse), it is necessary to comply with applicable law, or the data is aggregated and anonymized for internal operations.
7. Gmail API — specific disclosures
GrayLeads requests the gmail.send scope. This is the minimum scope required for the connected Gmail sender feature.
- GrayLeads can only send emails through your Gmail account. It cannot read, list, search, modify, delete, or organize your existing emails.
- Emails are only sent when you explicitly compose or approve an email in the GrayLeads interface, or when an email campaign you configured is executed.
- The Gmail refresh token is stored encrypted. It is used only to obtain short-lived access tokens from Google on demand.
- You can disconnect your Gmail account at any time from GrayLeads Settings. Disconnecting revokes GrayLeads' access and deletes the stored refresh token.
- GrayLeads does not scan, index, or process the content of your Gmail inbox.
8. Google Sign-In — specific disclosures
- Google Sign-In is optional. You can always create and use a GrayLeads account with email and password.
- When you sign in with Google, we receive a one-time ID token containing your Google account ID, email, name, and profile photo.
- We store your Google account ID to link it to your GrayLeads account so future Google Sign-In attempts are recognized.
- You can link or unlink your Google account at any time from Settings → Account Security.
- Unlinking removes the Google account ID association from your GrayLeads account.
- GrayLeads does not receive or store your Google account password.
9. Data retention and deletion
- Google Sign-In data: Your Google account ID is retained as long as your GrayLeads account exists or until you unlink Google.
- Gmail connection data: Encrypted refresh tokens and sender profile data are retained until you disconnect the Gmail account or delete your GrayLeads account.
- Google Maps data: Business information imported into your workspace is retained as CRM records until you delete them or delete your account.
- Account deletion: When you delete your GrayLeads account, all associated Google user data (Sign-In links, Gmail tokens, and imported records) is deleted from our systems.
You can also revoke GrayLeads' access to your Google account at any time from your Google Account Permissions page.
10. Security measures for Google data
- All communication between GrayLeads and Google APIs uses HTTPS/TLS encryption.
- Gmail OAuth refresh tokens are encrypted using a dedicated secret before database storage.
- Access tokens are short-lived and obtained on demand; they are not persisted.
- Google Sign-In ID tokens are validated server-side using the Google OAuth2 client library before acceptance.
- Database access is protected by role-based access controls and authentication requirements.
- GrayLeads does not log, expose, or transmit Google OAuth tokens to frontend code, browser console, or third-party services.
11. Your controls
You remain in control of your Google data at all times:
- Unlink Google Sign-In: Settings → Account Security → Unlink Google Account.
- Disconnect Gmail sender: Settings → Google Email Accounts → Disconnect.
- Revoke access from Google: Visit Google Account → Security → Third-party apps and remove GrayLeads.
- Delete your account: Contact contact@softwareforge.agency to request full account and data deletion.
12. Google's own policies
Your use of Google services is also governed by Google's own policies:
13. Contact
For questions about how GrayLeads uses Google API data, contact us at contact@softwareforge.agency.