Privacy Policy

This Privacy Policy explains how [COMPANY] handles personal data for GTM Easy. GTM Easy provides lead discovery, social scheduling, AI drafting, and growth analytics tools for customer workspaces.

GTM Easy is generally the controller for account, billing, workspace, and product-usage data. For end-user event data that customers send through the Growth Analytics SDK, GTM Easy acts as a processor or service provider on behalf of the customer, and the customer remains responsible for its own privacy notices and lawful basis.

Account data includes email address, authentication records, workspace membership, role, plan, billing status, settings, and transactional email history.

Workspace data includes product names, positioning, websites, sources, lead records, scan results, drafts, social accounts, scheduled posts, API keys, SDK keys, alert settings, and related configuration.

Growth analytics data may include installation, session, app, event, attribution, paywall, subscription, purchase, and product-usage events submitted by customers through SDKs or APIs.

Operational data includes logs, security events, error reports, feature flag exposure, product analytics, device or browser metadata, IP-derived request metadata, and support communications.

We use data to provide and secure the service, authenticate users, process payments, enforce plan limits, discover leads, generate drafts, schedule social posts, process SDK events, send transactional emails, debug errors, prevent abuse, improve product quality, and comply with legal obligations.

We may use workspace content and customer-provided context to generate AI classifications, summaries, recommendations, and drafts requested by the customer.

Stripe processes payments, subscriptions, invoices, taxes, customer portal sessions, and related billing records.

Resend sends transactional email such as login codes, billing notices, and operational messages.

Sentry self-hosted captures application errors, stack traces, worker failures, and diagnostic context needed to operate the service.

PostHog processes product analytics that help us understand usage, onboarding, and conversion.

Statsig provides feature flags, experiments, and related exposure events.

Cloudflare provides tunnel, routing, DNS, network security, and email worker infrastructure.

Azure OpenAI processes prompts and context used for AI drafting, classification, scoring, and summarization.

Postgres stores core application data. ClickHouse stores analytics and event data used for reporting and product insights.

Account, workspace, billing, and security records are kept while the account or workspace is active and for a reasonable period afterward for backup, audit, tax, fraud-prevention, dispute, and legal purposes.

Growth analytics event data is retained for up to 24 months by default, matching the ClickHouse event retention policy, unless a shorter retention period is configured or required.

OAuth tokens, SDK keys, and secrets are encrypted at rest. Deleted or revoked credentials may be retained in logs or backups for a limited time but are no longer used for active service access.

GTM Easy uses cookies and similar storage for session authentication, security, and product operation. Email OTP login stores the email address and verification state needed to authenticate the account.

We may use analytics and feature-flagging technologies to understand product usage and improve the service.

We share data with subprocessors only as needed to provide, secure, bill, monitor, and improve GTM Easy. We may also disclose data if required by law, to protect rights and safety, to prevent abuse, or as part of a merger, acquisition, financing, or sale of assets.

Customers control the workspace content and end-user event data they submit. Customers are responsible for honoring their own end-user requests and legal obligations for data they control.

Depending on your location, you may have rights to access, correct, export, delete, object to, or restrict processing of personal data. GDPR Article 17 may provide a right to erasure in applicable circumstances.

Self-serve account deletion is available in Settings → Account for the sole owner of a single workspace. The workspace is blocked immediately, paid web subscriptions are canceled before deletion is scheduled, and permanent purge runs after a short grace period. Other deletion requests can be sent to [CONTACT EMAIL]. We may need to verify your identity and workspace authority before acting on a request. Some records may be retained where required for security, billing, legal, backup, or legitimate operational reasons.

GTM Easy and its subprocessors may process data in countries other than where you or your users are located. Where required, transfers are handled using appropriate contractual or legal safeguards.

We use access controls, encryption for sensitive credentials, audit-oriented logs, and operational monitoring to protect the service. No system is perfectly secure, and customers must keep their users, devices, connected accounts, SDK keys, and API keys protected.

We may update this Privacy Policy as GTM Easy changes. Material updates will be posted in the product or on this page. Privacy questions and rights requests can be sent to [CONTACT EMAIL].