LocalMCP Privacy Policy

Effective date: May 20, 2026

LocalMCP helps business owners and authorized representatives understand and improve their Google Business Profile presence. LocalMCP connects to Google Business Profile with the user's permission, displays profile and review information, drafts review replies, and audits the landing page associated with a business profile.

Contact: For privacy, security, or deletion requests, contact the LocalMCP project owner through the support channel listed with the app or repository. This page will be updated with a dedicated support email before broader public launch.

Information we collect

We collect information you provide directly, information created when you use LocalMCP, and information we access from Google only after you authorize access.

Account and authentication information, including your LocalMCP account identifier, email address, and authentication status.
Google OAuth tokens needed to keep your Google Business Profile connection active.
Google Business Profile accounts and locations you are authorized to manage.
Location profile metadata such as business name, category, address, phone number, and website URL.
Reviews, ratings, reviewer display names, review text, review timestamps, and existing owner replies.
Reply text that you ask LocalMCP to draft or publish.
Landing page audit information, including website URL, PageSpeed Insights results, SEO/accessibility checks, NAP consistency, scores, issue categories, and suggested fixes.
Technical and operational information needed to operate, secure, and debug the service.

How we use information

Connect your Google Business Profile account after you authorize access.
List the business locations you are authorized to manage.
Show profile, review, and sentiment summaries.
Generate draft replies to reviews.
Publish review replies only when the user explicitly confirms that action.
Audit the landing page associated with a business profile and provide prioritized recommendations.
Maintain security, prevent abuse, debug errors, improve reliability, and comply with legal obligations.

We do not use Google user data for advertising, retargeting, personalized ads, credit decisions, lending decisions, or sale to data brokers.

Google API data use and Limited Use

LocalMCP uses Google APIs only to provide and improve user-facing features that are visible in the LocalMCP experience. LocalMCP's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

LocalMCP requests the Google Business Profile scope https://www.googleapis.com/auth/business.manage. This scope is used to read Business Profile accounts, locations, reviews, and profile data. If the user chooses to publish a review reply, LocalMCP uses the same authorized connection to submit that reply to Google Business Profile on the user's behalf.

How we share information

We do not sell Google user data. We may share information only with infrastructure providers that process data for LocalMCP, when the user directs LocalMCP to take an action, to investigate abuse or security incidents, to comply with law, or as part of a business transaction subject to appropriate safeguards.

Service providers must use information only to provide services to LocalMCP and protect it appropriately.

AI processing

LocalMCP may send review text, business name, rating, tone choice, and related context to an AI model provider to generate draft review replies or recommendations. Drafts are shown to the user for review. LocalMCP should not publish an AI-generated reply unless the user explicitly confirms the action.

Data retention

Google OAuth connection records are stored until the user disconnects the account or the LocalMCP account is deleted.
Google refresh tokens are encrypted at rest.
Cached Business Profile location summaries are used to reduce repeated Google API calls.
Audit results are retained for recent history. The current cleanup policy keeps the most recent 30 audits per user/location and removes audit rows older than 90 days when the cleanup job is scheduled.
Server logs are retained according to the hosting/logging provider's configured retention period.

Data deletion and account disconnection

Users may request deletion of their LocalMCP data through the support channel listed with the app or repository. Users may also revoke LocalMCP access from their Google Account permissions page. Revoking access prevents future Google API calls but may not automatically delete data already stored in LocalMCP.

When a LocalMCP account is deleted, database records tied to that user are designed to cascade delete through Supabase Auth relationships.

Security

We use reasonable administrative, technical, and organizational safeguards to protect information. These include HTTPS in transit, server-side token handling, encrypted Google refresh tokens, row-level database access controls, and server-side access to sensitive keys.

No system is perfectly secure. Users should contact the LocalMCP project owner if they believe their account or data has been accessed without authorization.

Your choices

Choose whether to connect a Google Business Profile account.
Revoke Google access through Google Account settings.
Ask LocalMCP to delete account data.
Review and edit AI-generated review replies before publishing.
Stop using LocalMCP at any time.

Children's privacy

LocalMCP is intended for business use and is not directed to children. We do not knowingly collect personal information from children.

Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes to how we use Google user data, we will update this policy and, where required, ask users to consent before using data in the new way.