SSmart Spend
Legal

Privacy Policy

Last updated: May 7, 2026

Who we are

Smart Spend is a software platform operated from Victoria, British Columbia, Canada. We help massage therapy and physical therapy clinics automate their Google Ads campaign management based on appointment availability. For privacy questions, contact carlosgrouchy@gmail.com.

What we collect

We collect the minimum data needed to operate the service:

  • Account information: clinic name, owner email, and login credentials. Passwords are hashed by our authentication provider; we never see them in plaintext.
  • Google Ads metadata: account ID, campaign IDs, campaign names, current status, and budget amounts.
  • Scheduling metadata:appointment start and end timestamps from your scheduling software's iCal feeds. We extract only timestamps; all other event content is discarded immediately.
  • Operational logs: timestamps of system actions, decisions made (paused / enabled), aggregate availability counts, and error codes.

Google user data — Limited Use disclosure

Smart Spend's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

How we access Google user data:Smart Spend connects to your Google Ads account through Google's OAuth 2.0 consent flow. You grant access using the https://www.googleapis.com/auth/adwords scope. Smart Spend receives a refresh token from Google and uses it to obtain short-lived access tokens at the time of each API call. We do not access any Google account data outside the Google Ads scope you have granted.

How we use Google user data: Smart Spend uses Google Ads data exclusively for the user-facing automation feature you signed up for: reading the status of your campaigns, then pausing or enabling those campaigns based on the availability signals from your scheduling software. We do not use Google user data to train, develop, or improve generalized or generative artificial-intelligence or machine-learning models. We do not use Google user data to build advertising profiles or to serve you advertisements. We do not transfer Google user data to third parties for those purposes. We do not allow human access to Google user data except (a) where strictly necessary for the user-facing feature (e.g. an account holder reviewing their own campaigns), (b) where we have your explicit consent for a specific instance, (c) where strictly necessary to comply with applicable law, or (d) where strictly necessary to investigate abuse or security incidents.

How we store Google user data: The OAuth refresh token is stored encrypted at rest in our Supabase database (Canadian region; Row Level Security enforced). Campaign IDs, names, and current status are stored so we can act on them. We do not store keywords, ad creative, conversion data, audience lists, or remarketing data.

How we share Google user data: We do not sell, rent, or trade Google user data to anyone. We do not share it with third parties except as strictly required to operate the service (e.g. our database provider Supabase stores the data on our behalf under their data processing terms). We do not share Google user data for advertising or marketing.

Retention and deletion:You may revoke Smart Spend's access to your Google account at any time from your Google Account permissions page. When you do, or when you delete your Smart Spend account, we delete all Google user data we hold within 30 days, except where required to retain by law.

What we do not collect

Smart Spend is operationally PHI-free by design. We never collect, store, log, or transmit:

  • Patient names, contact information, or any personally identifying patient data
  • Health information of any kind, including diagnoses or treatment notes
  • Free-text fields from scheduling software (event titles, descriptions, locations)
  • Ad keywords, ad creative content, or ad copy from Google Ads
  • Conversion data, audience lists, or remarketing data from Google Ads

Where we store your data

All Smart Spend data is stored on Supabase (PostgreSQL) infrastructure in the ca-central-1 region (Montreal, Canada). Data does not leave Canadian jurisdiction during normal operation.

How we secure your data

  • Row Level Security is enforced on every database table
  • OAuth tokens for connected Google Ads accounts are encrypted at rest
  • All communication between you and Smart Spend is over HTTPS
  • Credentials are handled server-side only — no Google Ads tokens or database secrets are exposed to client-side code
  • We follow the principle of least privilege: every API call uses the minimum permissions required

Third-party services we use

  • Google Ads API — for the campaign management we provide on your behalf
  • Jane App / iCal feeds — read-only access via subscription URLs you provide
  • Supabase — database and authentication
  • Vercel — application hosting
  • Resend — transactional email (when configured)

Your rights under PIPEDA

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA), you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your account and associated data
  • Withdraw consent for our processing of your data at any time

Contact carlosgrouchy@gmail.com to exercise any of these rights. We will respond within 30 days.

Data retention

We retain your account data while your account is active. If you delete your account, we delete your account information and operational logs within 30 days, except where required to retain by law or for legitimate audit purposes (in which case we retain only the minimum necessary).

Changes to this policy

We will notify all account holders by email at least 30 days before any material change to this policy takes effect. The "Last updated" date at the top of this page reflects the most recent revision.

Contact

For privacy questions or to exercise your rights: carlosgrouchy@gmail.com

← Back to homeTerms of Service →