Privacy Policy

Effective 2026-05-17. Last updated 2026-05-17.

Who we are

Agency Metrics (“we”, “us”) is a multi-tenant SEO and digital marketing reporting platform operated by Small World Marketing (“Small World”), a marketing agency based in British Columbia, Canada. You can reach us at admin@smallworld.ca.

We act as a data processor for the agency staff and clients who use the platform. Our customer (the agency) is the data controller for the marketing-performance data we display on their behalf.

What we collect

We collect three categories of data:

  1. Account data — your email address and display name, supplied when you sign in with a one-time magic link. We do not store passwords.
  2. Connected-service data — when an agency staff member connects a client account to Google Search Console, Google Analytics, Google Ads, Google Business Profile, or Ahrefs, we store an encrypted OAuth refresh token and periodically read performance data on that client’s behalf. The specific Google scopes we request are listed below.
  3. Operational logs — request URLs, timestamps, and error traces used to keep the service running. We do not log request bodies that contain customer data.

Google user data — scopes and limited use

When you connect a Google account, we request only the scopes required to display the metrics you came here to see. Each scope is used for the limited purposes described below and nothing else.

Google Search Console (read-only)
https://www.googleapis.com/auth/webmasters.readonly
Read query, page, country, and device performance for properties you explicitly connect, so we can display ranking and clickthrough reports inside your client dashboard.

Google Analytics 4 (read-only)
https://www.googleapis.com/auth/analytics.readonly
Read traffic, engagement, and conversion metrics from properties you explicitly connect, so we can display traffic-source breakdowns alongside the search data.

Google Ads
https://www.googleapis.com/auth/adwords
Read campaign, ad group, and keyword performance from Ads accounts you explicitly connect, so we can show spend and conversion data next to your organic metrics.

Google Business Profile
https://www.googleapis.com/auth/business.manage
Read profile insights and review activity for locations you explicitly connect, and — only when you take an explicit action in the dashboard — post replies or updates on behalf of that location.

Limited Use compliance. Agency Metrics’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not:

  • Use Google user data to serve advertising.
  • Transfer Google user data to third parties except as necessary to provide or improve the product, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to affected users.
  • Allow humans to read Google user data, except in the narrow cases listed by Google’s policy (your explicit consent, security investigations, debugging when anonymization is insufficient, or to comply with law).
  • Use Google user data to train or fine-tune generalized AI / ML models.

How we use the data

  • To display the dashboards, reports, and alerts you and your clients log in to view.
  • To send transactional emails — magic-link sign-ins, weekly summaries, and account-related notices. Marketing emails are not sent without separate opt-in.
  • To monitor, debug, and improve the service.
  • To comply with legal obligations and enforce our terms.

We do not sell personal information. We do not use connected-service data for any purpose beyond what is described in this policy.

Where the data lives

Customer data is stored in the United States and Canada with the following subprocessors:

  • Supabase — primary application database (Postgres) and authentication.
  • Vercel — application hosting and edge compute.
  • Resend — transactional email delivery.
  • Sentry — error reporting (no request bodies).
  • PostHog — product analytics (pageviews and user actions; no Google data).
  • Anthropic, OpenAI, Perplexity — AI APIs used for content drafting tools when explicitly invoked. Prompts may include client-supplied context (not Google scope data).
  • Ahrefs — third-party SEO data provider; we send the customer’s domain to Ahrefs to pull keyword and backlink reports.

OAuth refresh tokens are encrypted at rest with AES-256-GCM before being written to the database. Encryption keys are stored separately from the database and rotated on credential exposure.

How long we keep it

  • Active accounts — for as long as you have an account with us.
  • Revoked Google connections — we delete refresh tokens within 24 hours of revocation. Historical reports that were already imported remain in your dashboard so prior periods are preserved; you can request deletion at any time.
  • Closed accounts — within 30 days of confirmed account deletion, except for records we are legally required to retain (e.g. invoicing records, fraud-prevention logs).
  • Operational logs — 30 days for application logs, 90 days for error traces.

Your rights

You can revoke our access to your Google account at any time at myaccount.google.com/permissions. You can also:

  • Request an export of the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated data.
  • Withdraw consent for non-essential processing at any time.

Email admin@smallworld.ca with your request. We respond within 30 days. If you believe we have mishandled your data, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada or your local data-protection authority.

Cookies and tracking

We use only the cookies necessary to keep you signed in (a Supabase session cookie and an HTTP-only OAuth nonce cookie). We do not set advertising or cross-site tracking cookies.

Children

The service is intended for use by marketing professionals. We do not knowingly collect information from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.

Changes to this policy

We will post material changes here and, where the change meaningfully expands how we use data, email affected users at least 14 days before the change takes effect. The effective date at the top of this page reflects the latest revision.

Contact

Privacy questions, data-subject requests, and security disclosures: admin@smallworld.ca.

© 2026 Small World Marketing. All rights reserved.