Legal

Privacy
Policy

Last updated: March 2026 · Statsnapp Technologies

Proof is built on a simple principle — we request only what we need, store as little as possible, and keep you in control at all times. This policy explains exactly what data we collect from each integration, how we use it, and your rights over it.

01

Who We Are

Statsnapp Technologies operates the Proof analytics platform at withproof.io. We are headquartered in Coimbatore, Tamil Nadu, India.

For any privacy-related questions or data requests, contact us directly at Founder@withproof.io. We respond to all enquiries including those from Google's, Meta's review and compliance teams.

02

What Data We Collect

Data is only collected when you explicitly authorise a connection via that platform's OAuth flow. We collect three categories of data across our integrations. Collected data is displayed primarily on your private authenticated Proof dashboard (dashboard.withproof.io). When enabled, the same aggregate metrics may also appear on a connected Proof device (in development). See §03 Display surfaces for details.

Account Data (all users)

Data

Why we collect it

Business email address

Used to identify your Proof account and send service notifications

Business name

Used to label your dashboard and confirm the correct profiles are linked

OAuth access tokens

Stored encrypted — used solely to authenticate API requests on your behalf

Google Business Profile

business.manage · read-only

Data

Why we collect it

Aggregate star rating

Displayed on your Proof dashboard and, when enabled, on a connected Proof device (in development)

Total review count

Used to track review milestones and the celebration tracker on your Proof dashboard and, when enabled, on a connected Proof device (in development)

Latest review text

Displayed on your dashboard — shown in real time, not stored after session ends

Reviewer display name

Shown alongside review text for context — not stored after session ends

New review event (via Cloud Pub/Sub)

Google publishes a notification to our Cloud Pub/Sub topic when a new review is posted — we then fetch only that review. We do not poll the API continuously.

How Cloud Pub/Sub works: When a customer leaves a new Google review, Google publishes a message to our registered Cloud Pub/Sub topic (hosted in Google Cloud). Our server receives this event and makes a single API call to fetch the new review. No data is held in Pub/Sub beyond Google's own transit — we do not store events in the message queue.

Instagram

Instagram Graph API · read-only

Data

Why we collect it

Follower count

Displayed on your Proof dashboard as a social growth metric and, when enabled, on a connected Proof device (in development)

Reach metrics (aggregate)

Used to power reach trend charts over 30 / 90 day windows

Post impressions (aggregate)

Shown alongside reach to indicate content visibility

Profile visit count

Displayed as an engagement signal

Connection profile: Requires an Instagram Professional Account (Business or Creator). Consumer/Personal accounts are not supported by Meta's active API framework.
Proof device (in development). When available, aggregate metrics from connected integrations—including Instagram follower count and Google star rating / review count—may be transmitted from our servers to a Proof device at your business premises via MQTT over TLS. Only aggregate numbers are shown; no review text, post content, media, or personal data. The device is designed for volatile in-memory display only (no persistent local storage of platform data).
03

How We Use Your Data

  • To display your trust metrics, review activity, and social growth on your Proof dashboard and, when enabled, on connected Proof devices at your business location (see Display surfaces below) — the sole purpose of every data point we collect.
  • To transmit aggregate trust metrics to connected Proof devices over secure MQTT channels when that hardware is enabled on your account.
  • To send you service notifications (e.g. new review alerts, sync errors) via email where you've opted in.
  • To maintain your account and authenticate your platform connections via stored OAuth tokens.
  • We do not use your data for advertising, profiling, or any purpose beyond operating the Proof service you have authorised (dashboard and connected Proof devices).
  • We do not sell, license, or share your data with any third party for their own purposes.

Display surfaces

  1. Proof Dashboard (dashboard.withproof.io) — private, authenticated web interface for the business owner and authorized team members.
  2. Proof device — optional in-store hardware, currently in development. Shows aggregate metrics from connected platforms (e.g. Google star rating, review count, Instagram follower count). Visible to anyone in your premises. Real-time updates via MQTT over TLS. No OAuth tokens on device. Volatile memory only.

Google API Limited Use Disclosure

Proof's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to serve advertisements, train AI/machine learning models, or transfer data to third-party networks for tracking purposes.

04

Data Retention

We apply different retention rules depending on the sensitivity of the data and how it's used.

Review text & reviewer name

Not persisted. Displayed in your dashboard session only. Cleared when session ends or data refreshes.

Star rating & review count

Retained while account is active. Deleted within 24 hours of account closure.

Instagram aggregates

Retained to power trend charts. No individual post content stored.

OAuth tokens

Retained while connected. Deleted immediately upon disconnection or account closure.

Cloud Pub/Sub events (GMB)

Not stored by Proof. Events are consumed in transit — we fetch the review from the API and immediately discard the Pub/Sub message.

Account deletion

All data deleted within 1–2 business days of account cancellation or written request.

Proof device data

Aggregate metrics held in device memory only (volatile; clears on power cycle). No server-side logs of device transmissions are retained beyond real-time delivery, unless temporarily enabled for debugging—in which case logs are purged within 7 days. No OAuth tokens stored on the device. Upon the disconnection of any platform integration or total account cancellation, our servers immediately terminate the MQTT broadcast stream for that metric, causing the physical display to safely clear or obscure that data point on its next automated sync interval.

05

How We Collect It

All platform data is collected exclusively via official, merchant-authorised OAuth 2.0 flows. Proof employees cannot initiate or alter any merchant's platform authorisation.

  • Google Business Profile — via Google OAuth 2.0. We request access to the following scopes to authenticate your profile and safely map business metrics: https://www.googleapis.com/auth/business.manage (read-only metric retrieval), openid, https://www.googleapis.com/auth/userinfo.profile, and https://www.googleapis.com/auth/userinfo.email. New review events are received via Google Cloud Pub/Sub (My Business Notifications API).
  • Instagram — via Meta's Instagram Graph API OAuth flow (read-only). We access follower count, reach metrics (aggregate), post impressions (aggregate), and profile visit count. Requires an Instagram Professional Account (Business or Creator). Consumer/Personal accounts are not supported by Meta's active API framework.
06

What We Never Do

  • Execute unauthorized or automated write operations on your Google Business Profile or Instagram account.
  • Post, respond to, or flag reviews on your behalf.
  • Read private Instagram messages, story content, or follower identities.
  • Store raw review text or reviewer names beyond the active dashboard session.
  • Share any platform data with third parties for advertising, analytics resale, or profiling purposes.
  • When the Proof device is available, send OAuth tokens, review text, Instagram media, or private messages to it.
07

Security

  • All traffic between your browser, our servers, and connected platform APIs uses TLS 1.2 or higher.
  • OAuth tokens and credentials are encrypted at rest using industry-standard practices.
  • Cloud Pub/Sub communication with Google is secured via Google's own IAM permission system — only our service account (mybusiness-api-pubsub@system.gserviceaccount.com publisher permission) can publish to our topic.
  • Access to production systems is restricted to authorised Statsnapp Technologies personnel only.
  • MQTT between Proof servers and Proof devices uses TLS; devices authenticate with unique per-device credentials. No OAuth tokens transmitted to or stored on devices.
  • Aggregate metrics on a Proof device may be visible to customers/employees on your premises; device placement is the merchant's responsibility.
08

Your Rights

  • Revoke access anytime. Disconnect any integration from your Proof dashboard, or directly via each platform's settings: Google Account → Security → Third-party apps with account access → Remove Proof; Instagram app → Menu → Settings and privacy → Website permissions → Apps and websites → Active → Remove Proof.
  • Request data deletion. Visit /delete-data or email Founder@withproof.io. All linked data is permanently deleted within 1–2 business days of confirmation. You will receive a confirmation email when deletion is complete.
  • Access your data. Request a summary of what data Proof holds for your account at any time.
  • Eligibility. By creating a Proof account, you represent that you are at least 13 years old and, if under 18, have parental or guardian consent to use this service. Proof is designed for business use. We do not knowingly collect data from children under 13.
  • Legal basis & international users. By connecting your Instagram or other platform account, you consent to the data collection described in this policy. Users in the EU and California can exercise their data protection rights (access, correction, deletion) by contacting Founder@withproof.io or visiting /delete-data. We comply with applicable data protection laws in these jurisdictions.
  • DPDP Act (India). As an Indian-based company, we operate in compliance with India's Digital Personal Data Protection Act, 2023. You have the right to access, correct, and erase your personal data.
09

Third-Party Services

Proof connects to the following third-party platforms. Their own privacy policies govern how they handle data on their side:

10

Cookies & Tracking

The withproof.io marketing site does not set cookies and does not use third-party analytics or advertising trackers. The Proof dashboard (dashboard.withproof.io) uses session cookies solely to keep you signed in. No cross-site tracking.

11

Changes to This Policy

We will notify you by email before making material changes to this privacy policy. The "Last updated" date at the top of this page is updated for all changes. Continued use of Proof after notification constitutes acceptance.

Questions or data requests?

Founder@withproof.io

We respond to all privacy enquiries, data deletion requests, and API review team questions.