Privacy Policy
GNexis Privacy Policy
Last updated: April 24, 2026
1. Introduction
GNexis ("GNexis", "we", "us", or "our") provides an AI-powered SEO operations platform that helps businesses and marketing agencies plan keywords, monitor Google Search performance, generate content, and publish blog posts to WordPress. This Privacy Policy explains what personal data and business data we collect, how we use and share it, the legal bases on which we rely, and the rights you have over your data.
By creating an account, connecting a Google account, connecting a WordPress site, or otherwise using GNexis (the "Service"), you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Service.
2. Who we are
GNexis is operated by the GNexis team. For privacy questions, data subject requests, or to exercise any of the rights described below, contact us at [email protected].
3. Data we collect
We collect the following categories of data:
- Account data — name, email address, hashed password (for admin accounts), role, login timestamps, and the workspace/client ID you belong to.
- Google account data (via OAuth) — your Google profile (name, email, profile picture, Google ID), an OAuth refresh token, and access tokens issued by Google. We request the following scopes:
openid,email,profile— to identify your account.webmasters.readonly— to read Google Search Console performance data for properties you own.analytics.readonly— to read Google Analytics 4 metrics for properties you own.
- Search Console & Analytics data — aggregated query, page, click, impression, CTR, position, session, and conversion metrics retrieved from Google APIs for the properties you link to a client workspace.
- Business profile data — your business name, website URL, industry, brand colors, fonts, content archetypes, posting preferences, time zone, services, products, contact channels, and any company knowledge you enter or that we extract by crawling your public website.
- WordPress connection data — site URL, username, application password (or connector token), and post/page metadata returned by your WordPress REST API.
- Generated content — keywords, blog posts, outlines, briefs, approval state, activity logs, and metadata produced or edited inside the Service.
- Usage and device data — IP address, user agent, pages visited inside GNexis, feature usage, error logs, and timestamps. We use this for security, debugging, and analytics.
- Consent records — when you opt in to auto-publishing or other policy-gated features, we store the policy version, consent text, IP address, user agent, and timestamp.
4. How we use your data
We use the data we collect to:
- Operate, secure, and improve the Service.
- Authenticate you and maintain your session.
- Sync metrics from Google Search Console and Google Analytics into your dashboard.
- Generate keyword ideas, content briefs, and blog posts using AI models.
- Publish or schedule content to your connected WordPress site, only when you direct us to.
- Detect and prevent abuse, fraud, and unauthorized access.
- Communicate transactional messages (account, billing, security, service alerts).
- Comply with legal obligations and enforce our Terms.
5. Google API Services User Data Policy (Limited Use)
GNexis's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve user-facing features within GNexis (dashboards, keyword tracking, content generation, reporting).
- We do not sell Google user data, transfer it for advertising purposes, or use it for credit-worthiness or lending purposes.
- We do not allow humans to read your Google user data unless: (a) you give us explicit consent for specific data; (b) it is necessary for security purposes such as investigating abuse; (c) it is necessary to comply with applicable law; or (d) the data is aggregated and used for internal operations and only in accordance with applicable rules.
- Aggregated, de-identified Search Console and Analytics metrics may be used to improve AI prompts, ranking heuristics, and reporting templates.
You can revoke GNexis's access to your Google account at any time at myaccount.google.com/permissions. Revoking access stops future syncs but does not automatically delete data already imported into GNexis. To request deletion, contact [email protected].
6. AI processing
GNexis uses third-party large language models (LLMs) to generate keywords, briefs, outlines, blog posts, and other content. Today, the Service routes prompts to OpenAI (GPT family) and Anthropic (Claude family). The data we send to these providers is limited to the inputs needed to fulfill your request (your business profile summary, keywords, target query, prior post draft, etc.) and does not include your Google OAuth refresh token, your WordPress credentials, or unrelated user data.
OpenAI and Anthropic process this data under their respective business/API terms and do not use API inputs to train their public foundation models by default. We do not control their infrastructure but we select providers that offer enterprise-grade data handling commitments.
8. Storage and security
Data is stored in managed Postgres (Supabase) with encryption in transit (TLS) and at rest. Secrets such as Google refresh tokens and WordPress application passwords are stored with the is_secret flag and access-restricted via row-level controls and the service role key. We follow least-privilege principles for staff access and use audit logging for sensitive actions. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
9. Retention
We retain account and configuration data for as long as your workspace is active. Search Console and Analytics syncs are retained for the lifetime of the workspace to power historical reporting, unless you delete a client or request deletion. Backups may persist for up to 30 days after deletion. Logs are retained for up to 90 days for security and debugging.
10. Your rights
Depending on where you live, you may have the right to access, correct, port, restrict, or delete your personal data, and to object to certain processing or withdraw consent. To exercise any of these rights, email [email protected] from the address associated with your account. We will respond within the time frames required by applicable law (typically within 30 days).
You can also disconnect a Google account from GNexis by removing access in your Google Account settings (see Section 5), and you can disconnect a WordPress site from the dashboard at any time.
12. International data transfers
GNexis operates from Malaysia and uses cloud infrastructure that may process data in regions outside your country, including the United States and the European Union. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses for transfers from the EEA, UK, or Switzerland.
13. Children
The Service is not directed to children under the age of 16, and we do not knowingly collect data from them. If you believe a child has provided us data, contact us and we will delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the latest version. Material changes will be communicated through the Service or by email to the workspace owner.
15. Contact
For privacy questions, data subject requests, or to report a concern, contact [email protected].