This Privacy Policy describes how MaximusLabs AI, a company incorporated under the laws of India with its registered office at No 132/1, 24th Main Road, Kaveri Nagar, Kurubarahalli, Bengaluru 560086, India ("Maximus Labs," "we," "us," or "our"), collects, uses, stores, shares, and protects personal data when you visit maximuslabs.ai, use the Clients Dashboard at clients.maximuslabs.ai, connect Google Search Console or Google Analytics via our OAuth integration, or otherwise engage with our services. Maximus Labs is a full-stack AI growth marketing agency specializing in Answer Engine Optimization.
This Policy is designed to comply with the Digital Personal Data Protection Act 2023 (India), the General Data Protection Regulation (EU GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA, the Israel Privacy Protection Law (5741-1981, as amended), and other applicable data-protection laws.
By using our services, you acknowledge that you have read this Policy.
This Policy applies to personal data Maximus Labs processes in the following contexts:
maximuslabs.ai and its subdomains
[email protected] or Client-issued API credentials
Data Controller / Fiduciary: MaximusLabs AI, No 132/1, 24th Main Road, Kaveri Nagar, Kurubarahalli, Bengaluru 560086, India.
Grievance Officer (DPDP Act 2023), Data Protection Contact, and Privacy Contact:
You may contact the Grievance Officer with any data-protection concern, rights request, or complaint. We will acknowledge receipt promptly and respond within the timelines required by applicable law (typically 30 days).
With your explicit consent via the Google OAuth consent screen, we request the following read-only scopes:
https://www.googleapis.com/auth/webmasters.readonly
https://www.googleapis.com/auth/analytics.readonly
openid, email, profile
Through these scopes we access: authenticated user identity (email, name), Google Search Console property lists, search queries, impressions, clicks, CTR, average position, top pages, and country/device breakdowns; Google Analytics account, property, and view metadata, sessions, users, events, conversions, traffic-source reports, and dimension/metric combinations required to render dashboards. We do not request, and do not have, any write, modify, delete, or publishing permissions on Google user data.
Through either the [email protected] email invited into your CMS, Client-issued API credentials, or staging API endpoints, we access content, draft articles, media assets, and metadata required to push articles as drafts. We never auto-publish content live.
Application logs, audit trails, session data, feature usage events, and error reports to operate and secure the Dashboard.
Invoice, bank wire, and payment-processor metadata. Full payment card numbers are processed by our payment processor and are not stored by Maximus Labs.
| Purpose | Categories | Legal Basis (GDPR/UK GDPR) |
| --- | --- | --- |
| Operate the website and communicate with prospects | Website, prospect data | Legitimate interests; consent for marketing |
| Deliver agency services under the MSA | Client data, Google API data, CMS data | Performance of contract; legitimate interests |
| Provide the Clients Dashboard and visualizations | OAuth data, Dashboard usage data | Performance of contract; consent for OAuth scopes |
| Billing, tax compliance, record-keeping | Billing and tax records | Legal obligation; performance of contract |
| Secure the services, prevent fraud, audit logs | All categories | Legitimate interests; legal obligation |
| Marketing communications | Prospect and client contacts | Consent; legitimate interests with opt-out |
| Comply with law, respond to legal process | Any as required | Legal obligation |
Under the India DPDP Act 2023, processing of personal data is based on (a) consent, or (b) legitimate uses as defined in Section 7 of the Act. Under CCPA/CPRA, we process personal information as a business. Under Israel PPL, we process data in accordance with the consent and purpose-limitation principles.
Maximus Labs' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
https://myaccount.google.com/permissions.
We share personal data only with trusted sub-processors who act on our instructions and are bound by data-protection obligations at least as protective as this Policy. Our current sub-processor categories are:
| Category | Purpose |
| --- | --- |
| Application hosting | Cloud hosting of the Clients Dashboard |
| Managed database | Encrypted storage of Dashboard data |
| DNS, CDN, WAF | Domain, performance, and security for maximuslabs.ai and clients.maximuslabs.ai |
| Transactional email | Password resets, OAuth notifications, system email |
| Marketing email | Newsletters and opted-in communications |
| CRM | Prospect and client relationship management |
| Payment processing | Card payments alongside HDFC Bank wires |
| Website analytics | GA4 on maximuslabs.ai |
| Error monitoring | Application error and performance tracking |
| Enterprise LLM APIs | Content-production workflows with vendor terms prohibiting training on our inputs |
| Scheduling | Discovery-call bookings |
| Cloud storage and productivity | Google Workspace for internal documents and communications |
The current live list of named sub-processors is available on request at [email protected]. We will provide reasonable advance notice of material changes so that Clients with DPA rights may object.
We also disclose data when required by law, valid legal process, to protect rights, property, or safety, or in connection with a corporate transaction, with notice.
We do not sell personal information under CCPA/CPRA, and we do not share personal information for cross-context behavioral advertising.
Maximus Labs is based in India and serves clients in India, the United States, the United Kingdom, the European Union, Israel, and other jurisdictions. Personal data may be transferred to and processed in countries other than your own, including India, the United States, and the European Economic Area, depending on the location of our sub-processors.
For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum where applicable) and, where required, supplementary measures to ensure equivalent protection. Clients may request a copy of the applicable transfer mechanism at [email protected].
We retain personal data only as long as necessary for the purposes described:
| Data Category | Retention Period |
| --- | --- |
| Website analytics (GA4) | Up to 14 months |
| Prospect inquiries | Up to 24 months from last interaction, then deletion unless converted to Client |
| Client contract, engagement, and deliverable records | Duration of engagement + 3 years |
| Invoices, tax and billing records | 8 years (India tax law) |
| Google OAuth tokens and cached GSC/GA data | Active engagement + 30 days after disconnection or termination |
| CMS credentials | Active engagement + 30 days post-termination |
| Dashboard usage logs | 12 months |
| Backups | 35-day rolling window, then permanent overwrite |
| Marketing subscribers | Until unsubscribe + statutory retention |
After the retention period, data is deleted or irreversibly anonymized.
We use (a) essential cookies required for the site to function, (b) analytics cookies (Google Analytics 4) to understand usage, and (c) marketing cookies to measure campaign performance. A cookie banner allows you to accept, reject, or customize non-essential categories.
The Clients Dashboard uses only (a) essential cookies for authentication, session management, and security, and (b) product analytics cookies to improve the Dashboard experience. No marketing cookies are set on the Dashboard.
You can manage cookies via your browser settings; blocking essential cookies may prevent the Services from functioning.
Depending on your jurisdiction, you may have the following rights:
To exercise your rights, contact [email protected]. We will verify your identity and respond within the timelines required by applicable law (typically 30 days, extendable as permitted).
Maximus Labs implements administrative, technical, and physical safeguards to protect personal data, including TLS 1.2+ encryption in transit, encryption at rest for credentials, OAuth tokens, and Google user data, least-privilege access controls, audit logging, vulnerability scanning, secure software development practices, and vendor diligence on sub-processors. No system is perfectly secure; you remain responsible for safeguarding your credentials.
Breach notification: In the event of a personal-data breach likely to result in risk to individuals, we will notify affected Clients and competent authorities without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with GDPR, UK GDPR, and the DPDP Act notification requirements.
The Services are intended for business users aged 18 or older. We do not knowingly collect personal data from children under 16. If we learn we have collected such data, we will delete it promptly.
Maximus Labs uses artificial intelligence and machine learning tools in the course of delivering services (for example, content production, research summarization, and analytics). We do not make solely automated decisions that produce legal or similarly significant effects on individuals. Where AI is involved in analyses, human experts review and direct the output before it reaches a Client.
No training on your data. We configure all third-party LLM/AI APIs we use with vendor settings that prohibit training on our inputs, and we do not use Client data or Google user data to train, fine-tune, or evaluate any AI/ML model.
With your consent or under applicable legitimate-interest bases, we may send you newsletters, product updates, or relevant marketing communications. You can opt out at any time using the unsubscribe link in any email or by contacting [email protected]. Transactional and account-related emails are not marketing and cannot be opted out of while you have an active account.
For Clients who are Data Controllers under GDPR, UK GDPR, or equivalent laws and who require a Data Processing Addendum (DPA) under which Maximus Labs acts as Processor, a DPA incorporating the EU SCCs and UK IDTA is available on written request at [email protected].
Consistent with standard agency practice, Maximus Labs may display Client names and logos on maximuslabs.ai, in decks, proposals, and marketing materials. This is an auto opt-in component of engagement; opt-out is available only by separate written agreement. Detailed case studies with specific performance metrics are published only with the Client's prior written approval of the specific content.
We may update this Policy from time to time. Material changes will be communicated by updating the "Last Updated" date, posting a notice on maximuslabs.ai/privacy, and, for significant changes, sending email notification to Clients and subscribers at least 30 days in advance. Your continued use after the effective date constitutes acceptance.
For any question, rights request, or complaint: