Privacy Policy

GNexis Privacy Policy

Last updated: April 24, 2026

1. Introduction

GNexis ("GNexis", "we", "us", or "our") provides an AI-powered SEO operations platform that helps businesses and marketing agencies plan keywords, monitor Google Search performance, generate content, and publish blog posts to WordPress. This Privacy Policy explains what personal data and business data we collect, how we use and share it, the legal bases on which we rely, and the rights you have over your data.

By creating an account, connecting a Google account, connecting a WordPress site, or otherwise using GNexis (the "Service"), you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Service.

2. Who we are

GNexis is operated by the GNexis team. For privacy questions, data subject requests, or to exercise any of the rights described below, contact us at [email protected].

3. Data we collect

We collect the following categories of data:

  • Account data — name, email address, hashed password (for admin accounts), role, login timestamps, and the workspace/client ID you belong to.
  • Google account data (via OAuth) — your Google profile (name, email, profile picture, Google ID), an OAuth refresh token, and access tokens issued by Google. We request the following scopes:
    • openid, email, profile — to identify your account.
    • webmasters.readonly — to read Google Search Console performance data for properties you own.
    • analytics.readonly — to read Google Analytics 4 metrics for properties you own.
  • Search Console & Analytics data — aggregated query, page, click, impression, CTR, position, session, and conversion metrics retrieved from Google APIs for the properties you link to a client workspace.
  • Business profile data — your business name, website URL, industry, brand colors, fonts, content archetypes, posting preferences, time zone, services, products, contact channels, and any company knowledge you enter or that we extract by crawling your public website.
  • WordPress connection data — site URL, username, application password (or connector token), and post/page metadata returned by your WordPress REST API.
  • Generated content — keywords, blog posts, outlines, briefs, approval state, activity logs, and metadata produced or edited inside the Service.
  • Usage and device data — IP address, user agent, pages visited inside GNexis, feature usage, error logs, and timestamps. We use this for security, debugging, and analytics.
  • Consent records — when you opt in to auto-publishing or other policy-gated features, we store the policy version, consent text, IP address, user agent, and timestamp.

4. How we use your data

We use the data we collect to:

  • Operate, secure, and improve the Service.
  • Authenticate you and maintain your session.
  • Sync metrics from Google Search Console and Google Analytics into your dashboard.
  • Generate keyword ideas, content briefs, and blog posts using AI models.
  • Publish or schedule content to your connected WordPress site, only when you direct us to.
  • Detect and prevent abuse, fraud, and unauthorized access.
  • Communicate transactional messages (account, billing, security, service alerts).
  • Comply with legal obligations and enforce our Terms.

5. Google API Services User Data Policy (Limited Use)

GNexis's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve user-facing features within GNexis (dashboards, keyword tracking, content generation, reporting).
  • We do not sell Google user data, transfer it for advertising purposes, or use it for credit-worthiness or lending purposes.
  • We do not allow humans to read your Google user data unless: (a) you give us explicit consent for specific data; (b) it is necessary for security purposes such as investigating abuse; (c) it is necessary to comply with applicable law; or (d) the data is aggregated and used for internal operations and only in accordance with applicable rules.
  • Aggregated, de-identified Search Console and Analytics metrics may be used to improve AI prompts, ranking heuristics, and reporting templates.

You can revoke GNexis's access to your Google account at any time at myaccount.google.com/permissions. Revoking access stops future syncs but does not automatically delete data already imported into GNexis. To request deletion, contact [email protected].

6. AI processing

GNexis uses third-party large language models (LLMs) to generate keywords, briefs, outlines, blog posts, and other content. Today, the Service routes prompts to OpenAI (GPT family) and Anthropic (Claude family). The data we send to these providers is limited to the inputs needed to fulfill your request (your business profile summary, keywords, target query, prior post draft, etc.) and does not include your Google OAuth refresh token, your WordPress credentials, or unrelated user data.

OpenAI and Anthropic process this data under their respective business/API terms and do not use API inputs to train their public foundation models by default. We do not control their infrastructure but we select providers that offer enterprise-grade data handling commitments.

7. How we share data

We share your data only as described below, and never sell it.

  • Supabase — managed Postgres database and authentication storage.
  • Vercel — application hosting, edge networking, and logs.
  • Google — only to call APIs you have authorized (Search Console, Analytics, Keyword Planner).
  • OpenAI, Anthropic — to generate AI content as described above.
  • Your WordPress site — when you publish or schedule a post.
  • Email/notification providers — to send you transactional messages.
  • Law enforcement / authorities — when legally required, or to protect rights, property, or safety.
  • Successors — in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections.

8. Storage and security

Data is stored in managed Postgres (Supabase) with encryption in transit (TLS) and at rest. Secrets such as Google refresh tokens and WordPress application passwords are stored with the is_secret flag and access-restricted via row-level controls and the service role key. We follow least-privilege principles for staff access and use audit logging for sensitive actions. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. Retention

We retain account and configuration data for as long as your workspace is active. Search Console and Analytics syncs are retained for the lifetime of the workspace to power historical reporting, unless you delete a client or request deletion. Backups may persist for up to 30 days after deletion. Logs are retained for up to 90 days for security and debugging.

10. Your rights

Depending on where you live, you may have the right to access, correct, port, restrict, or delete your personal data, and to object to certain processing or withdraw consent. To exercise any of these rights, email [email protected] from the address associated with your account. We will respond within the time frames required by applicable law (typically within 30 days).

You can also disconnect a Google account from GNexis by removing access in your Google Account settings (see Section 5), and you can disconnect a WordPress site from the dashboard at any time.

11. Cookies and similar technologies

We use a small number of strictly necessary cookies to keep you signed in (a session cookie set after login or Google OAuth) and to remember UI preferences. We do not use third-party advertising cookies. Disabling cookies will prevent the Service from functioning correctly.

12. International data transfers

GNexis operates from Malaysia and uses cloud infrastructure that may process data in regions outside your country, including the United States and the European Union. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses for transfers from the EEA, UK, or Switzerland.

13. Children

The Service is not directed to children under the age of 16, and we do not knowingly collect data from them. If you believe a child has provided us data, contact us and we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the latest version. Material changes will be communicated through the Service or by email to the workspace owner.

15. Contact

For privacy questions, data subject requests, or to report a concern, contact [email protected].