In short
GSC PAP is a hosted bridge that lets AI assistants (Claude, Cursor, and any other MCP-compatible client) read your Google Search Console data on your behalf, and gives you a long-term archive of that data so you can query it beyond Google's 16-month native limit.
- We store your Google email and an encrypted OAuth refresh token so we can call Search Console for you on demand.
- Your Personal Archive: we keep a copy of the Search Console data we fetch on your behalf. Only you see this data. No other GSC PAP user can access your data - ever.
- We (the operator) also process this data internally for product research, aggregate analytics, debugging, abuse detection, and to build features for future versions of the product. This processing is audited (see §9). We may, at some point in the future, surface anonymized aggregate insights back to users (e.g. "industry benchmarks") - when we do, the policy will be updated and we will notify you in advance.
- We also keep a per-call usage log (tool name, parameters, latency, timestamp - 90 days) so the product works and we can debug.
- You can revoke access and delete your account anytime - all personally identifiable data is purged within 30 days.
1. Who we are
GSC PAP (this site) is operated by GSC PAP (Personal project (independent operator)). Contact: support@gscpap.com.
For the purposes of GDPR, KVKK and similar regulations, we are the data controller for the data described below.
2. Data we collect
2.1 At sign-in (Google OAuth)
- Google account ID (the stable sub claim)
- Email address (verified by Google)
- Display name (if your Google profile has one)
2.2 OAuth tokens
Google issues your account a refresh token at consent. We store it AES-256-GCM encrypted at rest using envelope encryption (per-row data key, master key kept outside the database). We need this token to call Google's Search Console API on your behalf when an AI client makes a request.
2.3 MCP session tokens
When you click Generate token, we mint a random bearer token, show it to you once, and store only its SHA-256 hash. The plaintext bearer never lives in our database. The hash is what we look up when an AI client connects.
2.4 Usage log (tool calls)
Each MCP tool call is logged with: tool name, the parameters you sent (e.g. site URL, date range), result status (ok / error), and latency. We retain this for 90 days, then it is permanently deleted.
2.5 Personal Search Console Archive
We fetch your Search Console data via Google's API and store a copy in our database. This includes: search-analytics rows (query, page, country, device, date, clicks, impressions, CTR, position), URL inspection results, and sitemap metadata. The archive is the value-add - it lets you query data beyond Google's 16-month limit, drill into history, and retain trend information that GSC itself eventually drops.
Visibility: this data is associated with your account and visible only to you through the product UI. No other GSC PAP user can access it. Our operators may access it for the narrow purposes listed in §9 (support, security, debugging, aggregate analytics). Every operator access is logged in our audit trail.
Retention: kept while your account is active, deleted within 30 days of account deletion. You can request deletion of specific properties or date ranges any time by emailing support.
2.6 Internal operator processing
We (the operator) also process the data described above for our own internal purposes:
- Product research and roadmap decisions
- Aggregate usage analytics (which tools are popular, where users hit errors)
- Debugging and incident response
- Abuse and fraud detection
- Building features for future versions of the product (which may include surfacing anonymized aggregate insights back to users - see below)
We do not share, sell, or expose any individual user's data to any other GSC PAP user, third party, or external system. Internal processing is audited the same way operator access is (§9).
Future plans: we may eventually surface aggregated, anonymized insights back to users - for example, "sites in your industry at position 5 see an average CTR of 4.2%". When and if we do, this policy will be updated with the exact aggregation guarantees (k-anonymity threshold, identifier stripping, etc.) before any such feature ships, and we will notify you in advance.
Legal basis: legitimate interests (GDPR Art. 6(1)(f)) for the continued development and integrity of the Service. You can object to this processing at any time by deleting your account.
2.7 Audit log
High-level account events (sign-in, token regeneration, account deletion, operator data access) are kept indefinitely for security incident response. They do not contain your Search Console data.
2.8 Technical data
IP address (sometimes truncated to /24 for fingerprinting), browser User-Agent, and timestamps. Used to bind your OAuth flow to your browser session and to scope rate limits.
3. What we do NOT do
- We do not show your data to other GSC PAP users. Your Personal Archive is yours alone - there is no user-to-user visibility, no "leaderboard", no "see what others are doing" feature.
- We do not sell or share your individual data with any third party. The data stays inside our infrastructure.
- We do not use your data to train AI models. We comply with Google's API Services User Data Policy, including the Limited Use requirements.
- We do not run analytics, marketing, or tracking scripts. No Google Analytics, no Meta Pixel, no Mixpanel, no LogRocket, no advertising cookies.
- We do not surface aggregate insights to other users today. If we ever do, the data will be anonymized first (k-anonymity threshold, identifiers stripped) and this policy will be updated before the feature ships.
4. Why we collect what we collect
- Google account ID, email, refresh token: needed to provide the service. Without these we cannot call the GSC API for you.
- MCP session token hashes: needed to authenticate incoming MCP requests.
- Usage log (90d): needed for debugging, abuse detection, and the activity dashboard you see on your account page.
- Personal Archive: needed to provide the value-add of long-term historical search analytics beyond Google's 16-month limit.
- Internal operator processing: our legitimate interest in improving the Service, debugging, fraud detection, and building future features. No third-party sharing.
- Audit log (indefinite): needed for security incident response and compliance.
- Technical data: needed for OAuth security (binding state to a browser session) and rate-limiting.
Legal basis under GDPR Art. 6(1): performance of contract (b) for Personal Archive and core service delivery, legitimate interests (f) for internal operator processing, security, and abuse prevention.
5. Cookies and analytics
We use two categories of cookies and one third-party analytics provider. No marketing pixels, no advertising networks, no profile-selling.
Essential cookies (no consent required):
- gscpap_session - signed session set after Google sign-in. HttpOnly, SameSite=Lax, Secure, expires in 1 year.
- gscpap_known - non-secret companion flag (1/0) so the static landing renders the right header button on first paint.
- gscpap_oauth_nonce - short-lived OAuth flow nonce. HttpOnly, scoped to /auth/google, expires in 10 minutes.
- cf_clearance - set by Cloudflare Turnstile after a human-verification challenge to prevent bot floods. Required for the API to accept requests.
Analytics (Google Analytics 4):
- We send aggregate page-view events to Google Analytics 4 (property G-7VFMNP7705) so we can count visitors, measure which guides land, and prioritise improvements. IP anonymisation is enabled (anonymize_ip=true); GA4 never receives your full IP. Cookies set by gtag.js: _ga, _ga_* (1-year retention).
- We do not push any personally identifiable information into GA4 events - no email, no name, no user ID. Page paths, referrer, User-Agent, and approximate (city-level) location are the only dimensions collected.
- Opt out by enabling browser-level tracking blockers (uBlock, Brave Shields, the GA Opt-Out add-on, etc.) - the rest of the site keeps working. Users in the EU/UK can also clear the _ga* cookies any time.
We will add an opt-in consent banner if and when we introduce marketing or behavioural-tracking cookies. Today we don't use any.
6. Data retention
- Account + encrypted refresh token: kept while your account is active. Deleted within 30 days of account deletion.
- MCP sessions (token hashes): kept while un-revoked. Marked revoked immediately on sign-out / token revocation / account deletion.
- Tool-call usage log: 90 days, then automatically deleted.
- Personal Archive (Search Console data fetched on your behalf): kept while your account is active so you can time-travel beyond Google's 16-month limit. Deleted within 30 days of account deletion. You can request earlier deletion of specific properties or date ranges by emailing support.
- Internal operator analytics: derived metrics (no raw user data) computed from your Personal Archive are retained for the lifetime of the Service.
- Audit log: indefinite (security purposes), but never contains Search Console data.
7. Your rights
Under GDPR, KVKK (Law No. 6698), and similar regulations you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Receive a portable export of your data
- Object to processing
- Withdraw consent (revoke OAuth)
- Lodge a complaint with your local data protection authority
Most of these are available self-service from your account dashboard:
- Delete account: Security → Delete account
- Revoke at Google's side: myaccount.google.com/permissions
For data export or any other request, email support@gscpap.com. We respond within 30 days.
8. Security
- OAuth refresh tokens are AES-256-GCM encrypted at rest
- Bearer tokens are stored only as SHA-256 hashes
- HTTPS-only in production
- OAuth flows use PKCE (S256) per OAuth 2.1
- State binding (request fingerprint + HttpOnly nonce cookie)
- Per-user rate limiting on MCP requests
9. Operator access
Our personnel may access data stored on this Service for the following narrow purposes:
- Providing support you have requested
- Investigating security incidents or suspected abuse
- Debugging product issues affecting service availability
- Computing anonymized aggregate analytics (no individually identifiable data leaves this purpose)
Every such access is logged in our internal audit trail with: who accessed, which user's data was viewed, the timestamp, and the stated reason. The audit log is retained indefinitely.
We do not access your data for marketing, ad targeting, AI model training, or to share with third parties beyond what's necessary to operate the Service (e.g. our infrastructure provider hosts the database - it is not human-accessible to them in the normal course).
We do not offer end-to-end encryption (which would mean even our operators cannot read your data). Doing so would prevent the core functionality of this Service - server-side benchmarks, background GSC sync, and support - from working. If true zero-knowledge access is a hard requirement for your use case, this product is not the right fit.
10. International transfers
Our infrastructure is hosted in [region - confirmed at launch]. By using the service you acknowledge that your data may be processed there. Standard contractual safeguards apply.
11. Changes to this policy
We will publish a new version with an updated effective date here and notify active users by email at least 14 days before any material change.
12. Contact
Questions, requests, or complaints: support@gscpap.com.
Operator: GSC PAP (Personal project (independent operator)).