GBPAutopilotFree GBP AuditFree Audit
← Back to homeLegal

Privacy Policy

Effective date: May 30, 2026Last updated: May 28, 2026
Contents A note about the current state of our service
  1. 1. Who we are
  2. 2. Information we collect
  3. 3. How we use your information
  4. 4. Google user data — how we handle it
  5. 5. Service providers and data processors
  6. 6. Artificial intelligence processing
  7. 7. Data retention
  1. 8. Your rights and choices
  2. 9. California privacy rights
  3. 10. Data security
  4. 11. Children's privacy
  5. 12. International users
  6. 13. Changes to this policy
  7. 14. Contact Information

GBP Autopilot is a service offered by BCMW Holdings, LLC (“BCMW Holdings,” “we,” “us,” or “our”). GBP Autopilot is a registered trade name of BCMW Holdings, LLC in the State of Oklahoma. This Privacy Policy explains what information we collect from you, why we collect it, how we use and protect it, and the choices you have. It applies to our website at gbpautopilot.com, our free audit tool, and the additional services described below.

We have written this policy in plain English wherever possible. Where legal precision is required — for example, the disclosures Google requires of every application that connects to a Google Business Profile — we use the specific language those rules call for. If anything is unclear, please contact us at the address in Section 14.

A note about the current state of our service

GBP Autopilot is being built and launched in stages. This policy describes both what is live today and what is planned for the next stage of our service. We have organized it so you can tell the difference at a glance:

  • Sections describing what is live today are written in the present tense and apply to your interactions with us as of the effective date above.
  • Sections describing planned functionality are clearly labeled with the heading [GBP Manage tier — taking effect at public launch]. The practices described in those sections are not in effect today. Before any such practice begins, we will update this policy and, where appropriate, notify you and ask you to consent to the changes.

This is the live state as of the effective date:

  • The free audit report (Tier 1) is live. Anyone can request a free audit at gbpautopilot.com/audit.
  • The Google Business Profile connect flow is live. After receiving an audit, you may choose to connect your Google Business Profile to GBP Autopilot in preparation for our paid subscription product. Connecting authorizes us to manage your listing on your behalf when that product launches; we do not currently use the connection for anything other than holding the authorization securely.
  • The paid subscription product (GBP Autopilot Manage) is in development and is not yet available to the public.

1. Who we are

The data controller for the service is:

BCMW Holdings, LLC (operating as GBP Autopilot)
820 W Danforth Rd, Unit #777
Edmond, OK 73003
United States
Email: privacy@gbpautopilot.com

BCMW Holdings, LLC is a US-based limited liability company organized under the laws of Oklahoma. “GBP Autopilot” is a registered trade name of BCMW Holdings, LLC. The service is offered for use by businesses operating in the United States. We do not knowingly market the service to residents of the European Union, the United Kingdom, or other jurisdictions outside the United States (see Section 12).

2. Information we collect

2.1 Free audit (Tier 1) — live today

When you submit the audit form at gbpautopilot.com/audit, you provide and we collect:

  • Business name you enter in the form
  • City of the business
  • Business category (e.g., “roofing contractor,” “chiropractor”)
  • Website URL, if you provide one (optional)
  • Email address to which the report should be sent
  • Technical metadata generated automatically when you submit the form, including your IP address, browser type and version, and a Google reCAPTCHA v3 score used to distinguish human submissions from automated ones

We then run an automated pipeline that retrieves publicly available data about the business from third-party sources to assemble the audit report. Specifically, we:

  • Query the Google Places API (New) to confirm the business exists and obtain its public profile information (name, rating, number of reviews, photo count, hours, address, phone number, and similar public fields). This uses only the public Places API — no Google Business Profile owner credentials are involved at this stage.
  • Fetch and parse the homepage and about page of the website URL we identify (either the one you submitted or the one Google returned), extracting page titles, meta descriptions, and the first several headings and paragraphs. We do not log into any website or bypass any access control.
  • Run a small number of search queries via Serper.dev to retrieve publicly visible competitor listings, review snippets, and industry information.

The audit lead record we store in our database contains:

  • The information you submitted on the form (business name, city, category, optional website URL, email address)
  • The Google Place ID we identified for your business
  • Public business contact information retrieved from Google Places (such as the listed phone number and website URL, where these were not submitted by you)
  • Your locale
  • Our derived audit findings (overall audit score, identified opportunities, competitive context, and similar derived analytics)
  • A reference to where the generated PDF report is stored
  • Operational metadata related to the audit job (status, delivery confirmation, opt-out timestamps)

We do not retain the website crawl content or the search-result payloads beyond what is needed to generate and email the report. Intermediate pipeline data is held in our background job queue and expires automatically, typically within hours.

2.2 Connecting your Google Business Profile — live today

After you receive your audit report, you may choose to connect your Google Business Profile to GBP Autopilot. You initiate this by clicking a “Connect your Google Business Profile” link in the audit confirmation page or audit delivery email. Doing so will take you to Google's standard OAuth consent screen, where Google itself collects your consent and confirms your identity. We do not see, receive, or store your Google password.

If you grant consent, Google returns to us:

  • An access token — a short-lived credential that proves to Google's servers that you have authorized us to act on your behalf
  • A refresh token — a longer-lived credential that allows our system to obtain new access tokens when the current one expires, without requiring you to log in again

We associate these credentials with the email address you used in the audit form so that we can identify you when the Manage tier becomes available to you.

Section 4 of this policy describes in detail what we do with these credentials, what we do not do with them, and how you can revoke our access at any time.

2.3 [GBP Manage tier — taking effect at public launch] Subscription account data

When the paid Manage tier becomes available and you choose to subscribe, we will collect additional information necessary to operate the subscription:

  • Account profile information (name, email, password stored only as a salted hash)
  • Business details for each location you manage with us (address, phone, hours, services, brand voice, frequently asked questions, owner name, and similar context you choose to provide)
  • Reviews, posts, and Q&A content that we read from or write to your Google Business Profile through the access you have authorized
  • Snapshot history of your listing's fields, used to detect unauthorized changes
  • Activity within the service (which AI drafts you approved, which you edited, which alerts you acknowledged)
  • Subscription and billing metadata (we will use Stripe to process payment; card numbers will be collected and stored by Stripe, never by us)
  • Communications with our support team

This section is forward-looking and describes practices that will be in effect when the Manage tier launches publicly. None of these practices are in effect today.

2.4 Information collected automatically

Whenever you use our service, we automatically collect:

  • IP address, approximate location derived from IP, browser type, device type, operating system, and language settings
  • Pages viewed, links clicked, forms submitted, and the date/time of each event
  • Referrer URL (the page you came from)
  • A small number of cookies and similar technologies that are strictly necessary to operate the service (session tokens, CSRF tokens, anti-abuse signals from Google reCAPTCHA)

We do not currently use third-party analytics or advertising trackers that follow you across the web. If we add such tools, we will update this policy and, where required, request your consent.

2.5 Information we do not collect

We want to be explicit. We do not collect:

  • Credit card numbers, expiration dates, CVV codes, or bank account details. Payment for any future paid service will be processed by Stripe; we will never see your card details.
  • Social Security numbers, tax identification numbers, driver's license numbers, or government-issued IDs.
  • Health, biometric, or genetic information.
  • Precise geolocation (GPS coordinates). We work only with the business address you provide; that is the only location data we use.
  • Children's information. The service is for businesses, not children (see Section 11).

3. How we use your information

We use the information described above for the following specific purposes, and only those purposes.

3.1 Today, for the free audit and Google Business Profile connect

PurposeCategories of information used
Generating and delivering the free audit report you requestedForm submission fields, public Google Places data, website crawl content, search results
Sending the audit report by emailEmail address, business name, audit findings
Holding your authorization to manage your Google Business Profile securely, in anticipation of the Manage tier launchEncrypted Google OAuth tokens, association with your email address
Operating, securing, and improving the serviceActivity logs, IP addresses, error reports (with secret scrubbing applied where supported)
Responding to your support, legal, or rights requestsWhatever information is necessary to answer the request
Detecting and preventing fraud, abuse, and security incidentsActivity logs, IP addresses, reCAPTCHA scores
Complying with our legal obligations (tax, accounting, lawful requests, etc.)Whatever information is required by applicable law

3.2 [GBP Manage tier — taking effect at public launch] Additional uses when the Manage tier launches

When the Manage tier becomes available and you begin using it, we will additionally use the information described in Section 2.3 to:

  • Generate, schedule, and (with your permission) post AI-drafted review responses, posts, and Q&A answers on your behalf
  • Monitor your Google Business Profile for unauthorized changes and alert you
  • Calculate and display your monthly GBP Health Score
  • Process your subscription payment through Stripe
  • Send you transactional emails (review alerts, approval requests, listing change notifications, billing receipts, security notices)

3.3 What we will never do with your information

We do not, and will not, use your information to:

  • Sell or rent it to third parties.
  • Build advertising profiles or serve interest-based ads.
  • Train any general-purpose AI or machine-learning model. This restriction is described in detail in Section 4 and Section 6.
  • Determine credit-worthiness or any lending decision.
  • Conduct any activity prohibited by the Google API Services User Data Policy.

4. Google user data — how we handle it

This is the most sensitive category of data we handle, and the section Google requires us to provide clearly to anyone who connects their Google account to our service. Please read it carefully before connecting your Google Business Profile.

4.1 What we ask Google for permission to access, and why

We offer GBP Autopilot as a service to help small and medium-sized businesses manage their Google Business Profile listings. To do that, we need permission to act on your behalf with Google. When you connect your Google account to GBP Autopilot, we request a single OAuth scope:

  • https://www.googleapis.com/auth/business.manage — permission to read and update your Google Business Profile listings (the same surfaces you can manage at business.google.com).

You grant this permission, if you grant it, through Google's standard OAuth consent screen. You can revoke it at any time. We do not request any other scopes, and we do not access any Google service other than your Google Business Profile.

4.2 What we receive from Google

When you authorize GBP Autopilot through Google's consent flow, Google returns to us two credentials:

  • An access token — a short-lived credential that proves to Google's servers that you have authorized us to act on your behalf
  • A refresh token — a longer-lived credential that allows our system to obtain new access tokens when the current one expires, without requiring you to log in again

We do not receive your Google password. We do not receive access to your Gmail, Drive, Calendar, Contacts, or any other Google service.

4.3 How we store and protect your tokens — live today

Your access and refresh tokens are sensitive: a stolen token would allow an attacker to make changes to your Google Business Profile listing. We treat them with the highest level of care our infrastructure supports:

  • Encryption at rest. Each token is encrypted with AES-256-GCM envelope encryption before storage. The master encryption key used for this is held in our production environment as a secret — separate from the database itself — and managed under our key management procedures. Tokens are never stored in plain text on disk, in logs, in error reports, in queue payloads, or anywhere outside of the encrypted database column dedicated to them.
  • No logging or transmission in clear. We have technical and policy controls in place to prevent OAuth tokens from appearing in application logs, error monitoring data, HTTP responses, or any other channel.
  • Pre-commit credential scanning. Every change to our codebase is scanned by an automated credential scanner before it can be committed, to reduce the risk of accidental exposure of secrets in source code.

4.4 What we do with your tokens — current state

As of the effective date of this policy, and ahead of the public launch of the GBP Autopilot Manage tier: when you connect your Google account, we store the encrypted token and confirm to you that the connection succeeded. We do not currently use the token to read from or write to your Google Business Profile. When the GBP Autopilot Manage tier becomes generally available, we will notify you, and at that point you may begin using the features that the token authorizes us to provide. The functions of those features are described in Section 4.5.

If you choose not to subscribe to the Manage tier when it launches, or if 12 months pass from the date you connected your Google account without the Manage tier becoming generally available, we will delete the encrypted token from our records and notify you. You may also delete it at any time by emailing us at privacy@gbpautopilot.com or by revoking access directly through your Google account.

4.5 [GBP Manage tier — taking effect at public launch] What we will use your tokens for

When the Manage tier is available to you and you have begun using it, the OAuth access we hold will let our platform do the following, all on your behalf and within the surfaces of your Google Business Profile:

  • Read your existing reviews and post replies, including AI-drafted replies you have approved or that your settings authorize us to post automatically on your behalf
  • Create, schedule, and publish posts (Updates, Offers, Events) to your listing
  • Read and (with your settings) answer Questions and Answers
  • Read and update your listing's fields (name, address, phone, categories, hours, services, attributes), and detect when those fields are changed by anyone other than us so we can alert you
  • Read performance metrics from Google to calculate and display your GBP Health Score and analytics

These are the functions for which we requested the business.manage scope. We do not, and will not, use the access for any purpose outside this list.

4.6 Limited Use — required disclosure

GBP Autopilot's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

In plain language, this means we will:

  1. Use Google user data only to provide and improve the user-facing features described in this policy.
  2. Transfer Google user data to others only as needed to provide those features — for example, to vetted service providers under written contracts that bind them to equivalent protections (see Section 5), to comply with applicable law, or as part of a merger or acquisition (with notice to you).
  3. Not use Google user data to serve advertising of any kind, including personalized, contextual, or retargeting advertising.
  4. Not allow humans to read your Google user data, except (a) with your explicit consent, (b) to comply with applicable law, (c) for security investigations such as abuse or fraud, or (d) when the data has been aggregated and anonymized for internal operations.
  5. Not sell or transfer Google user data to data brokers, advertising networks, information resellers, or any party that would use it for credit, lending, or insurance decisions.
  6. Not use Google user data — and we contractually require our AI processor not to use Google user data — to create, train, fine-tune, or improve any generalized AI or machine-learning model.

4.7 Your ongoing control

At any time you may:

  • Revoke our access from your Google account directly at https://myaccount.google.com/permissions. Find “GBP Autopilot” in the list of authorized applications and click “Remove access.” Google will immediately invalidate the token on its end.
  • Email us at privacy@gbpautopilot.com and request that we delete the encrypted token from our side. We will do so within 7 business days and confirm by email.

5. Service providers and data processors

We use a small number of vetted third-party service providers to operate the service. Each one receives only the data needed to perform its function, and each is bound by terms requiring it to handle data consistent with this policy and applicable law. The table below lists the providers currently active in our infrastructure as of the effective date.

ProviderWhat it doesWhat it receives
Google LLCPlaces API for business validation in the audit pipeline; Business Profile OAuth flow for connecting your account; reCAPTCHA v3 for bot detection on our formsBusiness name and address you submit; OAuth consent and browser signals from your interactions with Google's consent screen
Anthropic, PBC (Claude API)Generates the narrative content of the free audit report from the data we collect about a businessPublic business profile data, public search results, and website excerpts. We do not currently send any data that is not publicly available to Anthropic.
Serper.dev (search API)Retrieves public search results for competitor research in audit reportsSearch queries containing the business name, city, and category
Postmark (operated by ActiveCampaign)Transactional email delivery — audit report emails and any other notification email we send youRecipient email, sender, subject, body content of the email, delivery status
Neon, Inc. (PostgreSQL on AWS)Hosts our primary application databaseAll persisted application data, encrypted in transit and at rest at the storage layer
Cloudflare, Inc. (R2 storage, CDN)Stores generated PDF audit reports and serves static assetsThe PDF reports themselves, accessed only through short-lived signed URLs
Upstash, Inc. (Redis)Backs our background job queue and rate-limiting controlsEphemeral job payloads (purged automatically — typically within hours)
Railway Corp.Hosts our API servers, our PDF rendering service, and our PII screening serviceApplication code and runtime; data flows through in normal request handling
Vercel, Inc.Hosts our public websiteThe frontend application code and runtime; user-facing page requests
Anytime MailboxOperates the physical mailing address listed in Section 14, used for compliance correspondenceAny physical mail we receive at that address

Self-hosted services that run on our own infrastructure (and therefore are not separate processors, but are listed here for completeness):

  • A PDF rendering service (Python/Flask/ReportLab) that converts our audit JSON into the report PDF you receive by email.
  • A PII screening service (built on Microsoft Presidio, an open-source library) that runs in our pipeline and will be used at Manage-tier launch to screen review text before it is processed by the AI; see Section 6.

We do not currently transfer personal data to any provider outside the United States. Some of the providers listed above operate globally, but each operates US data centers, and we configure our use of them to keep data in the United States to the extent the provider supports that configuration.

We will update this list when we add, remove, or materially change any service provider. The following providers are part of our planned infrastructure for the Manage tier and will be added to this list when they are integrated: Stripe (for subscription payment), WorkOS (for customer authentication), and one or more error-monitoring and log-aggregation services.

6. Artificial intelligence processing

6.1 What we use AI for today

The free audit report uses Anthropic's Claude API to synthesize the narrative portions of the report from the data we collect about the business. The data we send to Anthropic for this purpose is:

  • Public information about the business retrieved from the Google Places API
  • Public search results retrieved through Serper.dev
  • Excerpts of the business's own website that we fetched during the crawl

We do not send any of the following to Anthropic in the audit pipeline:

  • OAuth tokens, encryption keys, account passwords, or any other credentials
  • Email addresses other than the business email collected for delivery (where it is part of the report context — for example, the contact email shown on a Google Business Profile)
  • Any data that is not publicly visible on the open web or on Google's public surfaces

6.2 [GBP Manage tier — taking effect at public launch] AI generation of review responses, posts, and Q&A answers

When the Manage tier launches, we will additionally use the Claude API to draft customer-facing content on your behalf — primarily responses to your customer reviews, drafts of posts and offers for your Google Business Profile, and answers to Questions and Answers on your listing. The prompts we will construct for these purposes will contain the specific input that triggered generation (for example, the text of one customer review you have authorized us to respond to) along with the minimum business context needed (your category, business name, and the knowledge base entries relevant to the request).

Before customer review text is sent to the AI, it is screened for sensitive information. When sensitive content is detected, the text is not sent to the Anthropic API.

6.3 No training on your data

Our use of the Claude API is governed by Anthropic's Commercial Terms of Service. Under those terms, Anthropic does not use API inputs or outputs to train its models by default, and we have not opted into any program that would change that. As required by Google's Limited Use rules, we contractually and technically prevent your Google Business Profile data — and any data derived from it — from being used to develop, train, fine-tune, or improve any generalized AI or machine-learning model.

If we ever change AI providers, or sign up for an AI program that would alter this commitment, we will update this policy and notify subscribers before any data is processed under the new arrangement.

7. Data retention

We keep your information only as long as we need it to operate the service and to meet our legal and operational obligations.

Category of dataRetention
Free audit lead records (email, business, audit score, derived findings, PDF reference)Retained for operational and regulatory purposes for as long as needed to operate the audit service. You may request deletion at any time by emailing privacy@gbpautopilot.com; we will honor your request within the timelines described in Section 8.
Generated audit PDF in Cloudflare R2Each click on a report link generates a fresh short-lived (approximately 5-minute) access URL. The underlying PDF files are retained in storage for approximately 90 days after generation, after which they are automatically deleted from R2 storage. You may request deletion sooner.
Google OAuth tokens — current state (held pre-Manage-tier launch)Deleted immediately on revocation by you (through Google or by emailing us). Otherwise, automatically deleted 12 months from the date you connected your account if the Manage tier has not become generally available by then.
Application logs (sanitized, no secrets)Retained for 30 days by default, then deleted. Specific log entries may be retained longer if needed for an active security investigation.
Support correspondenceRetained for 3 years after the matter is resolved.
BackupsDatabase backups are encrypted, retained for 30 days, and then purged. Deletion of your data from production is reflected in backups when those backups roll off this schedule.

7.1 [GBP Manage tier — taking effect at public launch] Retention for subscription customer data

When the Manage tier launches, we will additionally retain:

  • Subscription customer account data, listing data, knowledge base content, and AI-generated drafts for the duration of your subscription plus 90 days after cancellation, then permanently deleted.
  • OAuth tokens for active subscribers for the duration of your subscription, then deleted within 7 business days of cancellation or revocation.
  • Token access logs (a record of every time your OAuth token is decrypted, including the system component requesting it, the purpose, and the time — but never the token itself) on an append-only basis, for 2 years for security and forensic purposes.
  • Billing and transaction records for 7 years to satisfy US tax and accounting obligations. Stripe maintains the underlying payment records under its own retention policy.

Where the law requires us to keep certain records longer (for example, tax or anti-fraud records), we will keep only the specific records the law requires, for only as long as the law requires.

8. Your rights and choices

You have meaningful control over the information we hold about you, regardless of where you live. This section describes the rights everyone has; Section 9 describes additional rights for California residents.

8.1 Rights available to all users

  • Access. You may ask us to confirm what information we hold about you and request a copy.
  • Correction. If any information we hold about you is inaccurate, you may ask us to correct it.
  • Deletion. You may ask us to delete information we hold about you. Some information must be retained for legal reasons (for example, billing records for tax purposes); we will tell you if any exceptions apply.
  • Portability. For information you have given us directly, you may request a machine-readable export.
  • Opt out of marketing emails. Every non-transactional email contains an unsubscribe link. You may also email us at privacy@gbpautopilot.com to opt out.
  • Revoke Google OAuth access. You can revoke our access to your Google account at any time from https://myaccount.google.com/permissions, or by emailing us.

8.2 How to exercise these rights

Email privacy@gbpautopilot.com from the email address associated with your audit submission or your account. We will respond within 30 days, or sooner where required by applicable law. We may need to verify your identity before acting on a request, particularly for access or deletion requests; we will ask for the minimum information necessary to do so.

We do not charge a fee to exercise your rights. We will not retaliate against you or change the service you receive because you exercised a right.

If you believe we have not handled your request appropriately, you have the right to lodge a complaint with the relevant data protection or consumer protection authority in your jurisdiction.

9. California privacy rights

If you are a California resident, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), gives you specific rights regarding your personal information.

9.1 Categories of personal information we collect

In the 12 months preceding the effective date of this policy, we have collected the following categories of personal information, drawn from the categories enumerated in Cal. Civ. Code § 1798.140:

  • Identifiers (name, email address, IP address, online identifiers)
  • Customer records information (business contact details associated with an individual)
  • Internet and electronic network activity information (browsing within the service, interactions with our emails)
  • Geolocation data (approximate location derived from IP — we do not collect precise GPS)
  • Inferences drawn from the above (for example, the audit score and opportunities derived from your business data)

We do not collect: biometric information, sensitive personal information of the types enumerated in § 1798.140(ae) (such as Social Security number, driver's license, health information), or information about a child known to be under 16.

9.2 Sources, purposes, and sharing

  • Sources: directly from you when you submit our forms or interact with the service; automatically as you interact with the service; from Google when you authorize OAuth access; from public search results.
  • Business purposes for collection: see Section 3.
  • Categories of third parties we share with: see Section 5. Each provider listed there is a “service provider” under the CCPA — contractually restricted from using your information for any purpose other than performing the service we have engaged them to perform.

9.3 Sale and sharing for cross-context behavioral advertising

We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising. We have no actual knowledge of selling or sharing the personal information of any consumer under 16.

9.4 Your California rights

In addition to the rights described in Section 8, you have the right to:

  • Know what categories and specific pieces of personal information we have collected, the sources, and the purposes
  • Delete personal information we have collected from you, subject to certain exceptions
  • Correct inaccurate personal information
  • Opt out of any sale or sharing of personal information (we do not sell or share, but you have the right to confirm this)
  • Limit use of sensitive personal information (we do not collect SPI as defined by the CPRA, but the right is recognized)
  • Non-discrimination in the exercise of your rights

To exercise these rights, follow the process in Section 8.2. You may also designate an authorized agent in writing to make a request on your behalf; we will verify the agent's authority before acting.

10. Data security

Protecting your data is fundamental to operating this service. The technical and organizational measures we have in place today include:

  • Encryption in transit. All connections to our servers use TLS 1.2 or higher.
  • Encryption at rest. Database storage is encrypted at the storage layer by our database provider. Google OAuth tokens are additionally encrypted at the application layer with AES-256-GCM envelope encryption, using a master encryption key held separately from the database.
  • Access controls. Access to production systems is restricted to a small number of authorized personnel, secured with strong authentication, and logged.
  • Secrets management. API keys, encryption keys, and similar credentials are injected into our production environment as secrets — never committed to source control, never logged. Pre-commit credential scanning runs on every code change.
  • Bot detection. Public forms are protected by Google reCAPTCHA v3 and rate-limiting controls.
  • Vendor due diligence. Each service provider listed in Section 5 is evaluated for its security posture before we send it any data.
  • Incident response. We maintain an incident-response process, including the capability to revoke all stored OAuth tokens platform-wide in the event of a suspected compromise.

No system is perfectly secure. If we experience a data breach that affects your personal information, we will notify you and the relevant authorities as required by applicable law, without undue delay.

11. Children's privacy

The service is intended for use by businesses and the adults who operate them. It is not directed to children. We do not knowingly collect personal information from anyone under 18, and certainly not from anyone under 13 within the meaning of the Children's Online Privacy Protection Act (“COPPA”). If you believe a child has provided personal information to us, please contact us at privacy@gbpautopilot.com and we will promptly delete it.

12. International users

The service is hosted in the United States and intended for US businesses. If you access the service from outside the United States, your information will be transferred to, stored, and processed in the United States, which may have data protection laws different from those of your country.

We do not actively market the service to residents of the European Economic Area, the United Kingdom, or other jurisdictions outside the United States. If you are located in one of those jurisdictions and choose to use the service, you understand that you are doing so on the terms described in this policy. We will respond to good-faith requests to exercise rights under those frameworks (GDPR access requests, for example) on a reasonable-best-efforts basis, even though we may not be a controller subject to those laws.

13. Changes to this policy

We may change this Privacy Policy from time to time. In particular, we anticipate updating this policy when the GBP Autopilot Manage tier launches publicly, at which point the sections currently marked [GBP Manage tier — taking effect at public launch] will take effect, and additional service providers, retention rules, and security measures will be added or activated. We will also update this policy if we make any other material change — for example, expanding the categories of data we collect, adding a new service provider that receives sensitive data, or changing how we use Google user data.

When we make a material change, we will:

  • Update the “Last updated” date at the top of this page
  • Post a notice on the website
  • Email connected and subscribed users at least 30 days before the change takes effect, where the change is material and where doing so is feasible
  • Where the change requires it (in particular, a change in how Google user data is used), request your renewed consent before any data is processed under the new terms

We encourage you to check this policy periodically.

14. Contact Information

BCMW Holdings, LLC d/b/a GBP Autopilot
820 W Danforth Rd, Unit #777
Edmond, OK 73003

GBP Autopilot is a registered trade name of BCMW Holdings, LLC, an Oklahoma limited liability company. Privacy Policy v1.0.