Privacy Policy

1. Who We Are

Useful Goose is a software-as-a-service platform that helps small businesses and marketing agencies transform customer reviews into AI-generated marketing content, including social media posts, email sequences, SMS campaigns, and digital advertisements.

For the purposes of applicable data protection law, Useful Goose acts as the data controller for personal data you provide directly to us, and as a data processor for personal data contained in reviews or other content you upload on behalf of your own customers.

2. Data We Collect

Information You Provide Directly

• Account data: Name, email address, password (stored in hashed form), profile photo.
• Workspace and brand data: Business name, website URL, industry, brand voice preferences, logo.
• Review and feedback content: Text of customer reviews you import or enter, along with associated reviewer names, ratings, and dates.
• Marketing objectives: Campaign goals, target audiences, and tone preferences.
• Billing data: Billing name, email, and address. Payment method details are handled directly by Stripe and are not stored on our servers.
• Support communications: Messages you send via email or in-app support channels.
• Referral data: Referral codes and attribution for our referral and affiliate programme.

Data Collected Automatically

• Usage and log data: Pages visited, features used, content generated, session IDs, timestamps, and error logs.
• Device and browser data: IP address, browser type, operating system.
• Performance data: API response times, generation latency, and feature usage metrics.
• Cookies and session tokens: See Section 9 for details.

Data from Third-Party Integrations

When you authorise a third-party integration, we receive data from that service as described below and in Section 5.

• Google Sign-In: Your Google account email address, display name, and profile picture URL.
• Google Business Profile (GBP): Business location names and addresses; customer reviews (text, rating, reviewer display name, publish date) for locations you explicitly assign to your brands.
• Stripe: Payment confirmation events, subscription status, and your Stripe customer ID. We never receive or store raw card numbers.

We only request the permissions required to deliver the features you use. We do not request access to data to anticipate future functionality that has not yet been built.

3. How We Use Your Data

Service Delivery

• Authenticating you and maintaining your session.
• Operating your workspace, brands, and content library.
• Processing reviews and generating AI marketing content at your direction.
• Managing subscriptions, billing cycles, and plan entitlements via Stripe.
• Syncing reviews from connected Google Business Profile locations.

AI Content Generation

Your review text, brand settings, and campaign objectives are passed to AI language model providers to produce marketing content each time you initiate a generation. We do not use your content to train any AI model, and we do not share your content across customer accounts.

Brand Intelligence

We run an internal analysis process that examines your workspace's review content and brand settings to build a structured brand profile for your account. This profile is used exclusively to improve the relevance of content generated for your account. It is stored within your workspace, is accessible to you, and is not shared with other users or third parties.

Product Improvement and Safety

• Diagnosing errors, monitoring uptime, and debugging issues.
• Detecting fraud, abuse, and security incidents.
• Analysing aggregated, anonymised usage patterns to improve the platform.

Communications

• Transactional emails: account creation confirmations, password resets, billing receipts, and subscription changes.
• Product updates and feature announcements, which you may opt out of at any time.
• Responses to support requests.

Legal and Compliance

We may use or retain data as required to comply with applicable laws, enforce our Terms of Service, or respond to lawful requests from public authorities.

We do not sell your personal data, use your data to serve third-party advertising, build advertising profiles, or share your data with data brokers or ad networks.

4. Google API Data — Specific Disclosures

Useful Goose's use of information received from Google APIs — including Google Sign-In and the Google Business Profile API — complies with the Google API Services User Data Policy, including its Limited Use requirements.

Google Sign-In

When you sign in with Google, we receive your Google account email address (used as your account identifier), display name, and profile picture. We do not request access to Gmail, Google Drive, Google Calendar, your contacts, or any other Google service. We do not use your Google account data for any purpose other than account creation and authentication.

Google Business Profile Integration

If you connect a Google Business Profile location, we request only the OAuth scopes necessary to list your business locations and read customer reviews for the locations you assign to your brands. We do not request scopes to post review replies, modify your GBP listing, or access any data unrelated to reviews.

Limited Use Commitment

Data obtained via Google APIs is used exclusively to provide the features you requested within Useful Goose. Specifically:

• GBP review data is used only to populate your review library and to generate marketing content for your own account.
• GBP review data is never transferred, sold, or made accessible to third parties, except to AI model providers acting as processors at your direction.
• GBP review data is never used for advertising, retargeting, credit assessment, or surveillance purposes.
• Human access to GBP review data is limited to support and security purposes, and only where strictly necessary.
• We do not aggregate or share GBP data across customer accounts.

Revoking Google Access

You can disconnect your Google Business Profile integration at any time from Settings → Integrations within the platform. You may also revoke access directly from your Google Account permissions page. Disconnecting stops all future data syncing. Previously synced reviews remain in your account until you delete them or close your account.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only in the circumstances described below.

Service Providers

We engage third-party service providers who process data on our behalf under contractual obligations to maintain appropriate security and to use data only for the purposes we specify.

• AI language model providers (Anthropic, OpenAI, Google): Your review text, brand context, and campaign prompts are sent to one of these providers each time you initiate a generation. We operate a provider-agnostic engine and route requests based on availability and configuration. Under our data processing agreements, content you submit is not used to train or improve their foundation models.
• Payment processor (Stripe): Processes payments and manages subscription billing. Stripe receives your billing name, email, address, and payment method. We do not store payment card data.
• Cloud infrastructure and hosting providers: We use reputable cloud infrastructure providers for database hosting, application hosting, and storage. These providers do not access or use your data for their own purposes.
• Transactional email provider: Used to deliver system emails such as account notifications, password resets, and billing receipts.

Business Transfers

If Useful Goose is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify you by email and/or a prominent in-app notice before your data is subject to a different privacy policy.

Legal Requirements

We may disclose data where required by law, court order, or binding governmental request, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of Useful Goose, our users, or the public.

Aggregated or Anonymised Data

We may share aggregated, anonymised data that cannot reasonably identify you for industry research, analytics, or business reporting.

6. Data Retention

Backup copies may persist for up to 30 additional days before being overwritten.

7. Security

We implement reasonable and appropriate technical and organisational measures to protect your data, including:

• Encryption in transit: All data is transmitted using TLS 1.2 or higher. All API calls to third-party providers use HTTPS.
• Encryption at rest: Stored data is encrypted at the storage layer using AES-256.
• Authentication security: Passwords are hashed using bcrypt. Session tokens are short-lived. OAuth 2.0 is used for all Google integrations.
• Access controls: Production system access is limited to authorised personnel with a legitimate need. Database access is enforced at the row level — users can only access data belonging to their own workspaces.
• Secret management: API credentials are stored as environment secrets and are never exposed in client-side code or version control.

No method of electronic transmission or storage is 100% secure. If you become aware of a security concern, contact us at security@usefulgoose.com.

In the event of a data breach likely to result in risk to your rights and freedoms, we will notify affected users without undue delay and within the timeframes required by applicable law.

8. Your Rights

Depending on your location and applicable law, you may have some or all of the following rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Ask us to correct inaccurate or incomplete data.
• Erasure: Request deletion of your personal data. You can initiate this in-app under Settings → Account → Delete Account, or by contacting us.
• Data portability: Receive a structured, machine-readable export of your data.
• Restriction of processing: Ask us to limit how we process your data in certain circumstances.
• Objection: Object to processing based on our legitimate interests, including direct marketing.
• Withdraw consent: Where processing is based on consent (such as Google integrations or marketing emails), withdraw consent at any time without affecting prior processing.
• Lodge a complaint: Complain to your local data protection authority (for example, the ICO in the UK).

To exercise any of these rights, email privacy@usefulgoose.com with the subject line "Privacy Rights Request." We will respond within 30 days. We may need to verify your identity before acting. We will not discriminate against you or degrade our service if you exercise your privacy rights.

9. Cookies and Tracking

We use the following categories of cookies:

• Strictly necessary: Session authentication, CSRF protection, and load balancing. These cannot be disabled without breaking core functionality.
• Functional / preference: Remembering your UI preferences and settings. These persist for up to 1 year.
• Analytics: Aggregated usage statistics to improve the product and marketing site. On usefulgoose.com we use Google Tag Manager to load analytics tools (such as Google Analytics) that may set first-party analytics cookies when you visit our marketing pages.

We do not use advertising, retargeting, or cross-site tracking cookies on our marketing site. We do not participate in ad networks or sell your browsing data.

You can manage functional and analytics cookies through your browser settings. Disabling analytics cookies on the marketing site does not affect your signed-in app experience.

10. Legal Bases for Processing (GDPR)

If you are located in the EEA, United Kingdom, or Switzerland, we rely on the following legal bases:

11. International Data Transfers

Useful Goose is operated from the United States. If you access our services from the EEA, United Kingdom, or Switzerland, your data will be transferred to and processed in the United States. We implement appropriate safeguards for such transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and UK International Data Transfer Agreements (IDTAs) where applicable.

You may request details of our transfer mechanisms by contacting privacy@usefulgoose.com.

12. California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, and disclose.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioural advertising. No opt-out is required.
• Right to Limit Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide our services.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise your California rights, email privacy@usefulgoose.com. We will respond within 45 days, with a possible extension of a further 45 days if necessary.

You may designate an authorised agent to make a request on your behalf. We will require proof of written authorisation and may verify your identity directly.

13. Children's Privacy

Useful Goose is a business-to-business platform not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18, and we do not use Google Sign-In or any Google API Service in a manner directed at children under 13, in compliance with COPPA.

If you believe we have inadvertently collected information from a minor, contact us at privacy@usefulgoose.com and we will delete it promptly.

14. AI and Automated Processing

• You initiate all AI processing. Content is sent to AI providers only when you explicitly trigger a generation. We do not run background AI analysis on your data without your instruction, except for the Brand Intelligence process described in Section 3.
• No automated profiling for legal or significant effects. We do not use automated decision-making to make legally significant decisions about you.
• AI output is your responsibility. Generated content reflects the AI model's interpretation of your inputs. You are responsible for reviewing and approving content before publishing.
• No training on your content. Under our agreements with AI providers, content you submit is not used to train or improve their foundation models.

15. Changes to This Policy

When we update this policy, we will update the "Last Updated" date above, send an email notification for material changes, and display an in-app notice for material changes. Where required by law — for example, for new uses of Google user data — we will prompt you to provide fresh consent before changes take effect.

Previous versions of this policy are available upon request.

16. Contact

For questions, concerns, or privacy rights requests:

• Email: privacy@usefulgoose.com
• Security issues: security@usefulgoose.com
• Website: usefulgoose.com

We aim to respond to all privacy inquiries within 5 business days, and no later than the legally required timeframe for formal rights requests.

Users in the EEA or UK who are not satisfied with our response have the right to lodge a complaint with the supervisory authority in their country of residence.