Last updated: June 10, 2026

Privacy Policy

Sada HQ is a multi-branch operations platform for Google Business Profile. This policy explains what data we process when you use the dashboard, connect Google, run QR surveys, or send WhatsApp campaigns.

Summary

We access Google data only to run features you enable. We do not sell customer data. OAuth tokens are encrypted at rest. You can revoke Google access at any time.

Overview

This policy applies to sadahq.com, app.sadahq.com, and related services operated by Sada HQ ("Sada", "we"). It covers workspace accounts, connected integrations, and public marketing pages.

What data we collect

Account & workspace

Login identifiers (email or username), hashed credentials, and OTP verification records.
Team member names, roles, and permission settings you assign inside Sada.
Workspace configuration: licensed branch limits, plan tier, and billing contact details.

Google Business Profile (via OAuth)

OAuth access and refresh tokens for scope business.manage (encrypted at rest).
Business locations: names, addresses, categories, hours, phone, website, photos, and verification status.
Reviews, star ratings, reviewer display names, review text, reply status, and published replies.
Maps performance metrics: views, searches, calls, direction requests, and related insights.
Google Posts and media you create or sync through Sada.

Customer feedback & surveys

QR survey responses submitted on public visit pages, including answers and timestamps.
Customer profiles you build in Sada: contact fields, marketing consent flags, and consent source (e.g. survey QR).

WhatsApp & messaging (when enabled)

Meta/WhatsApp Business connection tokens (encrypted).
Campaign audiences, template names, delivery/read status, and conversation messages handled in Sada.
Phone numbers and consent status for recipients you target with approved templates.

Technical logs

IP address, browser type, and request logs for security and abuse prevention.
Product usage events needed to operate dashboards, exports, and scheduled sync jobs.

Why we collect it

Authenticate your team and enforce role-based access to branches, reviews, and campaigns.
Sync and display Google Business Profile data across licensed locations in one dashboard.
Draft, schedule, and publish review replies and Google Posts you approve.
Run QR surveys, store responses, and surface customer feedback analytics.
Send WhatsApp campaigns using Meta-approved templates to consented audiences.
Generate branch comparison reports, Keyword Pulse themes, PDF exports, and AI-assisted recommendations.
Maintain platform security, troubleshoot errors, and meet legal obligations.

How we use it

We use collected data only to provide and improve Sada features for your organization. We do not use Google user data for advertising, creditworthiness decisions, or unrelated profiling.

AI reply drafts and insights are generated from your business data to assist your team — you review before publishing.
Aggregated analytics may be shown inside your workspace; we do not publish your branch data publicly.
We may contact you about account security, billing, or service changes.

How Google data is handled

Summary

Sada's use of Google API data follows the Google API Services User Data Policy, including Limited Use requirements. See our Google API Data Usage Disclosure for scope, storage, and revocation details.

OAuth scope requested: https://www.googleapis.com/auth/business.manage only.
Tokens are stored encrypted. Synced GBP data is stored in Sada databases while your integration is active.
Only users you authorize in Sada can view branch and review data for your workspace.
Revoke access: https://myaccount.google.com/permissions or disconnect in Sada Settings → Google.
Full disclosure: /google-api-disclosure · Google policy: https://developers.google.com/terms/api-services-user-data-policy

Data retention

Google-synced data is retained while your account is active and the Google connection remains authorized.
Survey responses and customer records are retained until you delete them or close the workspace.
When you disconnect Google or delete your account, we delete OAuth tokens and stop new syncs within a reasonable period.
Backups and logs may persist for a limited time for disaster recovery and security, then are purged on schedule.
We may retain minimal records where required for billing disputes or legal compliance.

Security

Data is encrypted in transit (HTTPS/TLS) and OAuth tokens are encrypted at rest using field-level encryption.
Production access is restricted to authorized personnel on a need-to-know basis.
Sessions use short-lived access tokens; refresh tokens are stored in HttpOnly cookies where applicable.
We monitor for abuse and may suspend accounts that threaten platform or API stability.

Your rights

Sada serves customers in Oman, the GCC, and internationally. Applicable privacy laws vary by location — we do not represent that every global regulation applies to your use of Sada.

Request access to personal data we hold about your account.
Request correction of inaccurate account or contact information.
Request deletion of your workspace or specific customer records where technically feasible.
Export data available in your dashboard (e.g. PDF reports, customer lists) or request an export package.
Withdraw marketing consent for contacts you store in Sada.

How do I submit a request?: Email [email protected] from your registered workspace contact. We respond within a reasonable timeframe and may verify your identity.
Does GDPR apply?: If you are in the European Economic Area or another jurisdiction with specific data protection laws, contact us to discuss applicable rights. Our default operations are designed for Oman and GCC business customers.

Contact

Privacy requests and questions: [email protected] · General support: [email protected]

Questions? [email protected]