In short. Your data and your customers' data are never sold, nor shared with third parties for commercial purposes. No advertising. Data received from Google is used only to operate your dashboard. You can revoke access and request deletion of your data at any time.
1 Who we are
Esmy (esmy.ai) is a project currently being incorporated, operated by a representative domiciled in France. The data controller is Esmy's founder, reachable at privacy@esmy.ai or contact@esmy.ai.
2 Data we collect
2.1 Merchant data (dashboard users)
- First name, last name, professional email address
- Business name and address
- Google Business Profile OAuth token (encrypted, never exposed to the browser)
- Billing data (processed by Stripe — not stored by Esmy)
- Platform usage logs
2.2 End-customer data (visitors of the game page)
- Email address (optional — only if the customer voluntarily provides it)
- Game outcome (prize won, reward code)
- Date and time of participation
- No precise location data is collected
2.3 Data from the Google Business Profile API
- Published Google reviews (text, rating, reviewer display name, date)
- Review replies (published only with your explicit consent)
- Business information (name, address, category)
This data is accessed through the official Google Business Profile API, exclusively after the merchant's explicit OAuth authorization.
3 Google Business Profile API integration
Compliance — Limited Use. Esmy's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
OAuth scope requested
Esmy requests only the following scope:
https://www.googleapis.com/auth/business.manage
Endpoints used
- accounts.list — identify the merchant's Google Business account
- locations.get — retrieve the business name and address
- reviews.list — read published reviews (read-only)
- reviews.updateReply — publish a reply (only after the merchant's approval)
How Google data is used
- Display reviews in the relevant merchant's Esmy dashboard
- Generate and then publish review replies, after the merchant's explicit approval
- Produce statistics internal to that merchant's account only
Data obtained from the Google API is never: shared between different merchants, sold or transferred to third parties, used for advertising purposes, or used to train generalized or human-independent artificial intelligence models.
Review data is deleted 90 days after the contract ends. The merchant can revoke access at any time from their Google account or from their Esmy account.
4 Purposes of processing
- Providing the Esmy service (dashboard, AI replies, gamification)
- Account-related communication (alerts, notifications)
- Billing and account management
- Service improvement (aggregated and anonymized data)
Legal basis: performance of the contract (Art. 6.1.b GDPR) and legitimate interest (Art. 6.1.f GDPR) for service improvement.
5 Data retention
- Merchant account data: subscription duration + 3 years (legal obligations)
- Google review data: 90 days after contract termination
- End-customer data (optional email): rolling 12 months
- Technical logs: 6 months
6 Security
- Data at rest encryption: AES-256
- Communications encryption: TLS 1.3
- OAuth tokens stored encrypted — never exposed to the frontend
- Data access restricted to Esmy team members who need it
7 Your rights (GDPR)
You have the following rights over your personal data:
- Access — obtain a copy of your data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Portability — receive your data in a structured format
- Objection — object to certain processing
To exercise these rights: privacy@esmy.ai. Response within 30 days. You may also lodge a complaint with the French data protection authority, the CNIL (cnil.fr).
8 Data deletion and access revocation
At any time, you can:
Deletion results in the erasure of associated data within 30 days, except for legally required retention.
9 Cookies
Esmy uses only cookies strictly necessary for the platform to function (session, authentication). No advertising or third-party tracking cookies are used.
10 Sub-processors
- Stripe — payment processing (PCI-DSS compliant)
- Vercel — web platform hosting
- Supabase — database and authentication (hosted in the European Union)
- Resend — transactional email delivery
- Anthropic — AI API for generating review replies. Data sent through the API is not used to train Anthropic's models.
All sub-processors are bound by a GDPR-compliant Data Processing Agreement (DPA).