Steadfast Creative LLC

Privacy Policy

Effective date: March 25, 2026 · Last updated: April 8, 2026

Steadfast Creative LLC ("Steadfast Creative," "we," "us," or "our") operates Steadfast Local, a social media and Google Business Profile management platform. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

By using the Service, you agree to the collection and use of information as described in this policy.

1. Information We Collect

Account & Contact Information

When you register or are set up as a user, we collect:

Name and email address
Business name and contact information
Role and access level within the platform

Business Content

In the course of providing the Service, we collect and process:

Photos and images you upload
Captions, descriptions, and other text content
Business information such as job type, location, and service details used to generate content
Published post history and performance data

Third-Party Platform Credentials

To publish content on your behalf, we store encrypted access tokens for connected platforms (Google Business Profile). These tokens are stored using AES-256-GCM encryption and are never shared with any party other than the platform they authenticate with.

Usage Data

We automatically collect limited technical data when you use the Service, including:

Browser type and device information
Pages visited and actions taken within the platform
IP address and approximate geographic location
Error logs and performance data

2. How We Use Your Information

Purpose	Information Used
Providing and operating the Service	Account info, content, platform tokens
Publishing content to connected platforms	Images, captions, platform tokens
Generating AI-assisted captions and responses	Business info, job details, photo context
Sending service notifications and updates	Email address
Improving and debugging the Service	Usage data, error logs
Complying with legal obligations	As required by applicable law

We do not sell your personal information. We do not use your content for advertising purposes or share it with data brokers.

3. Third-Party Services

We use the following third-party services to operate the platform. Each has its own privacy practices:

Service	Purpose	Privacy Policy
Supabase	Database, file storage, authentication	supabase.com/privacy
Vercel	Hosting and deployment	vercel.com/legal/privacy-policy
Anthropic (Claude)	AI caption and response generation	anthropic.com/privacy
Google	Google Business Profile integration	policies.google.com/privacy
Twilio	SMS review request delivery	twilio.com/legal/privacy

AI content generation: When captions or review responses are generated, relevant business details (business name, job type, location, brand voice settings) are sent to Anthropic's API. Images are not sent to Anthropic. Photo descriptions you enter voluntarily may be included.

4. SMS Messaging

The Service enables local business staff to send one-time review request text messages to customers via Twilio. These messages are manually triggered — they are never sent automatically or without a human action.

Phone numbers collected through the SMS flow are used solely to deliver the requested review link. They are not stored for marketing purposes and are not used for any follow-up communication.
Message frequency: One message per customer interaction, sent only when a staff member chooses to send it.
Message and data rates may apply.
To opt out: reply STOP to any message. No further messages will be sent.
For help: reply HELP or contact joe@steadfast-creative.com.

Phone numbers are not shared with third parties beyond Twilio (the SMS delivery provider) and are not used to train any AI model.

5. Google Data

Google Business Profile Data: When you connect your Google Business Profile, we access your GBP account information, review data, and location data via the Google Business Profile API. We store encrypted OAuth tokens to maintain your connection. Review content may be cached in our private database to support our review response workflow. We do not sell this data or share it with third parties. You may revoke access at any time via the app's Settings page or through your Google Account security settings.

Specifically, the Service accesses and uses Google data as follows:

Reviews (read): GBP reviews are retrieved and displayed in the agency dashboard so the agency can draft and publish keyword-rich, AI-assisted responses. Review text is cached in a private Supabase database to support the response workflow.
Review replies (write): AI-generated responses, edited and approved by the agency, are published to GBP via the Business Profile API on behalf of the client.
Local posts (write): Photo posts with AI-generated captions are published to the client's GBP location. Photos are stored in a private Supabase Storage bucket.

What is NOT done with Google data:

No Google data is sold, licensed, or shared with third parties.
No Google data is used for advertising or user profiling.
Review content is not used to train any AI model.
GBP account or location data is not stored beyond what is needed to make API calls.

Token security: OAuth access tokens and refresh tokens are encrypted with AES-256-GCM before being written to the database. The encryption key is stored as a server-side environment variable and is never exposed to the client.

Revocation: You may disconnect your Google Business Profile connection at any time via Settings → Connections → Disconnect. This immediately deletes your tokens from our database. You may also revoke access via Google Account → Security → Third-party apps & services.

6. Data Storage and Security

Your data is stored on Supabase-managed infrastructure. We implement the following security measures:

All platform access tokens are encrypted at rest using AES-256-GCM encryption before database storage.
All data is transmitted over HTTPS/TLS.
Access to client data is restricted by role — staff and clients can only access their own records.
Uploaded images are stored in private Supabase Storage buckets with controlled public access for publishing purposes only.

No security system is impenetrable. In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

Account data: Retained until account deletion is requested.
Post content and images: Retained in the platform queue until you archive or delete individual posts.
Publish logs: Retained for up to 2 years for reporting and audit purposes.
Platform access tokens: Deleted immediately when you disconnect a platform or close your account.
Cached review data: Retained for the duration of the client relationship and deleted upon client offboarding.

Upon termination of your account, we will delete or anonymize your personal data within 90 days, unless retention is required by law.

8. Cookies

The Service uses essential cookies to maintain your login session. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Session cookies are automatically deleted when you close your browser.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

Access: Request a copy of the personal data we hold about you.
Correction: Request that inaccurate data be corrected.
Deletion: Request deletion of your personal data, subject to legal retention requirements.
Portability: Request your data in a portable format.
Objection: Object to certain uses of your data.

To exercise any of these rights, contact us at joe@steadfast-creative.com. We will respond within 30 days.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active users of material changes by email or in-app notification at least 14 days before the changes take effect. Continued use of the Service after changes are effective constitutes your acceptance of the revised policy.

12. Contact

For questions, concerns, or requests related to this Privacy Policy, please contact us: