Privacy Policy
GrabNear ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your personal data when you use grabnear.com (the "Service").
1. Information We Collect
1.1 Account Information
When you create an account or sign in with a third-party provider (Google, Microsoft), we collect:
- Email address — used as your unique identifier and for transactional communications.
- Full name — displayed in your profile and used for personalisation.
- Profile image / avatar URL — sourced from your Google or Microsoft account when you use OAuth sign-in.
- Phone number — optionally provided during registration; used for account recovery and WhatsApp integration if enabled.
1.2 Usage Data
We automatically record information about how you use the Service, including:
- Search queries you submit (business type, location, radius).
- Search results and business leads you save or export.
- Notes and status labels you attach to leads.
- Subscription plan and payment status (we do not store full card details).
- IP address, browser type, and device information for security and analytics.
1.3 Payment Information
Payments are processed by Razorpay. We store only the Razorpay order ID and payment status. Full card numbers and bank details are never transmitted to or stored on our servers.
1.4 Integration Credentials
If you connect WhatsApp Business via our Integrations page, we store your WhatsApp API token and webhook verification token in our database, encrypted at rest.
2. How We Use Your Information
We use the information we collect to:
- Provide and improve the Service — process searches, display results, and personalise your dashboard.
- Authentication — verify your identity when you sign in and maintain your session.
- Communication — send transactional emails (OTP verification, payment receipts, plan change confirmations). We do not send marketing emails without your explicit consent.
- Subscription management — track your plan limits, search quotas, and billing cycle.
- Security & fraud prevention — detect suspicious activity and protect your account.
- Analytics & product improvement — understand aggregated usage patterns to improve features (data is anonymised where possible).
- Legal obligations — comply with applicable laws, regulations, or lawful government requests.
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
3. Third-Party Services
We rely on the following third-party providers to operate the Service. Each has its own privacy policy.
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Database, authentication, and user session management | supabase.com/privacy |
| Google Cloud / Maps Platform | Business data via Google Places API, map rendering | policies.google.com/privacy |
| Google OAuth | Sign-in authentication (optional) | policies.google.com/privacy |
| Microsoft / Azure AD | Sign-in authentication (optional) | privacy.microsoft.com |
| Razorpay | Payment processing (India) | razorpay.com/privacy |
| Google Cloud Run | Backend hosting and infrastructure | cloud.google.com |
When you choose to sign in with Google or Microsoft, those providers may share your name, email address, and profile picture with us as part of the authentication flow. We use this data only to create or update your GrabNear account.
3a. Google User Data — Permissions, Sharing & Disclosure
GrabNear requests Google user data in two separate flows, each with distinct permissions:
A. Google Sign-In (Authentication)
When you sign in with Google, we request the following OAuth scopes:
- openid — confirms your identity
- email — your Google email address, used as your GrabNear account identifier
- profile — your full name and profile picture, displayed in your account
This data is used only to create or update your GrabNear account and to authenticate your sessions. It is not used for advertising, profiling, or any unrelated purpose.
B. Google Calendar Integration (Optional)
If you choose to connect your Google Calendar from the Integrations page, we request the following additional OAuth scope:
- https://www.googleapis.com/auth/calendar.events — allows GrabNear to create, read, update, and delete calendar events on your primary Google Calendar. This is used exclusively to add, update, or remove follow-up reminder events when you mark a business lead as "Follow Up" in GrabNear.
We do not read, store, or process the contents of your existing Google calendar events. We only write/manage events that GrabNear itself creates (follow-up reminders). Google Calendar access is entirely optional — the core Service works without it.
Your Google Calendar OAuth access token and refresh token are stored encrypted in our database (Supabase) and are used solely to perform the calendar actions described above. You can revoke Google Calendar access at any time from the Integrations page or from your Google Account permissions.
C. Microsoft (Outlook) Calendar Integration (Optional)
If you choose to connect your Microsoft Outlook Calendar from the Integrations page, we request the following Microsoft OAuth scopes:
- https://graph.microsoft.com/Calendars.ReadWrite — allows GrabNear to create, read, update, and delete calendar events in your Microsoft/Outlook Calendar. This is used exclusively to add, update, or remove follow-up reminder events when you mark a business lead as "Follow Up" in GrabNear.
- offline_access — allows GrabNear to refresh your access token without requiring you to re-authenticate each time, so your calendar integration stays connected.
We do not read, store, or process the contents of your existing Outlook calendar events. We only write/manage events that GrabNear itself creates (follow-up reminders). Microsoft Calendar access is entirely optional — the core Service works without it.
Your Microsoft OAuth access token and refresh token are stored encrypted in our database (Supabase) and are used solely to perform the calendar actions described above. You can revoke Microsoft Calendar access at any time from the Integrations page or from your Microsoft Account app permissions.
With whom we share Google user data
We do not sell, rent, or share Google user data with any third party, except in the following limited circumstances:
- Supabase — our database and authentication provider stores your email, name, avatar URL, and (if calendar is connected) your OAuth tokens to maintain your account and calendar integration. Supabase processes this data on our behalf and does not use it for independent purposes. (Supabase Privacy Policy)
- Google Calendar API — when creating or managing follow-up events, our backend sends requests to Google's Calendar API using your access token. No data beyond the event details (lead name, follow-up date) is transmitted.
- Microsoft Graph API — if you connect your Outlook Calendar, our backend sends requests to Microsoft's Graph API using your access token to create or manage follow-up events. No data beyond the event details (lead name, follow-up date) is transmitted. (Microsoft Privacy Statement)
- Google Cloud Run — our backend infrastructure hosted on Google Cloud processes all API requests. Google processes infrastructure data solely to operate the hosting environment. (Google Cloud Privacy Notice)
- Legal obligations — we may disclose your data if required by law, court order, or lawful government request.
No other third parties receive, access, or process your Google user data. Google user data is never transferred to data brokers, advertisers, or analytics platforms.
3b. Google API Limited Use Disclosure
GrabNear's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only request Google account data and Calendar access that is strictly necessary for the features described above.
- We do not use Google user data to serve advertisements.
- We do not use Google Calendar or Microsoft Calendar data for any purpose other than creating and managing follow-up reminders at the user's request.
- We do not allow humans to read your Google or Microsoft calendar data unless you have given explicit permission, it is necessary for security purposes, or it is required by law.
- We do not transfer Google user data to third parties except as described in section 3a above.
- We do not use Google data to develop, improve, or train generalized AI or machine learning models.
4. Cookies & Sessions
GrabNear uses the following types of browser storage:
- Authentication session (localStorage) — Supabase stores a JWT access token and refresh token in your browser's localStorage. This token is used to authenticate your requests and is automatically refreshed. It is cleared when you log out.
- Strictly necessary cookies — set by Cloudflare (our DNS/CDN provider) for DDoS protection and load balancing. These do not track you across websites.
We do not use advertising cookies, cross-site tracking cookies, or analytics cookies that follow you beyond the GrabNear platform.
5. Data Retention
- Account data (name, email, profile) — retained for as long as your account is active. You may request deletion at any time.
- Search history and leads — retained for the lifetime of your account. You can manually delete individual searches or leads from your dashboard.
- Payment records — retained for 7 years as required by Indian GST regulations.
- Server logs — retained for up to 30 days for security and debugging, then automatically purged.
- Deleted accounts — personal data is removed within 30 days of account deletion, except where retention is required by law.
6. Security
We implement reasonable technical and organisational measures to protect your data, including:
- All data in transit is encrypted via TLS/HTTPS.
- Database and credentials are stored with Supabase, which encrypts data at rest.
- API keys and integration tokens are stored encrypted.
- Access to production systems is restricted to authorised personnel.
No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at support@grabnear.com.
7. Your Rights
Depending on your location, you may have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — request that we delete your account and personal data ("right to be forgotten").
- Portability — receive your data in a machine-readable format.
- Withdraw consent — opt out of any non-essential data processing at any time.
To exercise any of these rights, email us at support@grabnear.com. We will respond within 30 days.
8. Children's Privacy
GrabNear is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continued use of the Service after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have questions or concerns about this Privacy Policy, please reach out: