Privacy Policy

Last updated: April 9, 2026

1. Introduction

Mercatura Holdings LLC ("we", "us", "our") operates BoostLocal.ai (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. This policy applies to all users, including residents of the European Economic Area (GDPR) and California (CCPA/CPRA).

2. Information We Collect

We collect information you provide directly:

  • Account information (name, email address) via Google Sign-In
  • Business information (business name, address, phone, website)
  • Content you upload or connect (photos, videos via Google Drive)
  • Social media account connections (Instagram, Facebook, Google Business Profile)
  • Payment information (processed by Stripe; we do not store card details)
  • Communication preferences (notification settings, marketing consent)

We automatically collect:

  • Usage data (pages visited, features used, timestamps)
  • Device information (browser type, operating system)
  • Log data (IP address, access times, referring URLs)
  • Photo metadata (EXIF data including camera info; GPS coordinates are stripped on upload)

3. Google API Services

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We access Google Drive data (read-only) to index your business photos for content creation
  • We access Google Business Profile data to manage your business listing and publish posts
  • We only use this data to provide and improve the Service as described in this policy
  • We do not sell Google user data to third parties
  • We do not use Google user data for advertising purposes
  • You can revoke access at any time from your Google Account settings or within BoostLocal

4. How We Use Your Information

  • To provide and maintain the Service
  • To create and publish social media content on your behalf
  • To manage and respond to your business reviews
  • To sync and index your content from connected sources
  • To send you notifications about pending approvals and activity
  • To process payments and manage subscriptions
  • To improve and optimize the Service
  • To communicate with you about updates and support

We do not use your data for targeted advertising or sell your personal information to third parties.

5. Third-Party Services & Sub-Processors

We share data with the following service providers strictly to operate the Service. Each processes data only as instructed by us and under appropriate safeguards.

ProviderPurposeData Shared
GoogleAuthentication, Drive sync, Business Profile, YouTubeEmail, name, photos, business data
Meta (Facebook/Instagram)Social media publishingPost content, images, page tokens
StripePayment processingEmail, name, payment method (card details stored by Stripe only)
CloudflareCDN, DNS, R2 storage, securityIP address, uploaded files
AnthropicAI content generation, photo scoringBusiness info, prompts, image descriptions
ResendTransactional email deliveryEmail address, notification content
TelegramPost approval notificationsChat ID, post content previews
OutscraperCompetitor review monitoringBusiness names, Google Place IDs

6. Cookies & Tracking

We use only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics trackers.

  • Session cookie — Required for login (NextAuth). Expires when you close your browser or after 7 days.
  • Cookie preference — Remembers your Accept/Reject choice. Stored in localStorage.

We honor the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we automatically treat it as an opt-out of non-essential data processing.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. When you delete your account, all personal data is permanently deleted immediately, including all associated businesses, posts, reviews, images, and payment records. Stripe customer records and active subscriptions are also cancelled and removed. We do not retain copies of your data after deletion, except where required by law (e.g., financial records for tax purposes).

8. Data Security

We implement appropriate technical and organizational security measures to protect your data, including encryption in transit (TLS), secure credential storage, and access controls. However, no method of transmission over the Internet is 100% secure.

9. Your Rights

Depending on your location, you may have some or all of the following rights regarding your personal data:

  • Access — Request a copy of all personal data we hold about you
  • Portability — Export your data in a machine-readable format (JSON)
  • Correction — Request correction of inaccurate or incomplete data
  • Deletion — Request permanent deletion of your account and all associated data
  • Revoke access — Disconnect third-party services (Google, Facebook, etc.) at any time
  • Opt out — Opt out of non-essential communications via your notification settings

To exercise any of these rights, visit Settings → Privacy & Data in your dashboard, or email us at [email protected]. We respond to all requests within 30 days (GDPR) or 45 days (CCPA).

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

  • Right to Know — You may request the categories and specific pieces of personal information we have collected about you, including data going back to January 1, 2022.
  • Right to Delete — You may request deletion of your personal information. We will process deletion requests within 45 days.
  • Right to Correct — You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising. You may still exercise your opt-out right via the "Do Not Sell My Info" link or your account settings.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights.

We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request under the CCPA. If we detect a GPC signal from your browser, we automatically honor it without requiring further action.

Categories of personal information collected: Identifiers (name, email), commercial information (subscription data), internet activity (usage logs), geolocation (business address), and professional information (business details).

We do not sell personal information. We share data with service providers listed in Section 5 solely for business purposes as described in this policy.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal basis — We process your data based on: (a) your consent, (b) performance of our contract with you, (c) compliance with legal obligations, and (d) our legitimate interests in operating and improving the Service.
  • Data transfers — Your data is processed in the United States. We rely on standard contractual clauses and service provider agreements to ensure adequate protection.
  • Right to restrict processing — You may request that we limit how we use your data.
  • Right to object — You may object to processing based on legitimate interests.
  • Right to lodge a complaint — You may file a complaint with your local data protection authority.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or a prominent notice in the Service. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at: [email protected]

Mercatura Holdings LLC
Oakland, CA