Privacy Policy

Google Business Profile Data and OAuth Access

Scion Media is a Google Business Profile management agency. To operate your profile on your behalf, we need access to your Google Business Profile data. That access is granted exclusively via Google's official OAuth 2.0 authorization flow — we cannot access your account without your explicit, real-time authorization.

Scopes we request

The OAuth scope we request is https://www.googleapis.com/auth/business.manage (the Business Profile APIs family). This single scope authorizes the following specific APIs used by Scion Media, each limited to the minimum functionality required to operate your profile on your behalf:

• My Business Account Management API — View the Business Profile accounts and locations you have granted us access to.
• My Business Business Information API — Read and update your business information (name, address, phone, website, hours, categories, services, attributes).
• My Business Verifications API — Manage verification status for your locations.
• My Business Notifications API — Receive notifications about changes, reviews, and questions on your profile so we can respond promptly.
• Business Profile Performance API — Read profile insights (views, searches, clicks, calls, direction requests) to generate your monthly reports.

We do not request any additional Google scopes beyond business.manage. We do not access Gmail, Drive, Contacts, Calendar, Photos, or any other Google product or user data.

How we use Google data

We use your Google Business Profile data exclusively to:

• Optimize your business profile for visibility across Google Search and Maps
• Post weekly Google Posts on your behalf to keep your profile active
• Monitor and respond to customer reviews (with your approval)
• Track profile insights (views, clicks, calls, direction requests) for reporting
• Generate monthly performance reports
• Maintain accurate, up-to-date business information

How we DO NOT use Google data

We will never:

• Sell your Google Business Profile data to any third party
• Share your data with anyone outside our service team
• Use your data for advertising purposes, retargeting, or interest-based advertising
• Use your data to train artificial intelligence or machine learning models
• Access more data than is necessary for the services you have hired us for

Granting and revoking access

You grant Scion Media access to your Google Business Profile during onboarding by completing Google's official OAuth consent flow. This requires you to actively click "Allow" on Google's consent screen. You can revoke this access at any time by:

1. Visiting your Google Account permissions page at https://myaccount.google.com/permissions
2. Finding "Scion Media" in the list of connected apps
3. Clicking "Remove access"

You can also email privacy@scionmediadigital.com and we will revoke our access on your behalf within 24 hours.

Data retention

We retain Google Business Profile data only as long as your service agreement is active. Within 30 days of service termination, we permanently delete all stored Google data. Live access via OAuth is automatically revoked when your service ends.

Limited Use compliance

Scion Media's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Scion Media affirms that:

1. Allowed use. We use Google user data only to provide or improve user-facing features that are prominent in Scion Media's services, as described in "How we use Google data" above. Any other use requires your additional explicit consent.
2. Allowed transfer. We do not transfer Google user data to third parties except (a) as necessary to provide or improve user-facing features that are prominent in the requesting application's user interface, (b) to comply with applicable law, or (c) as part of a merger, acquisition, or sale of assets of Scion Media with notice to users.
3. Prohibited use — advertising. We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
4. Prohibited use — human access. We do not, and do not permit any employee, contractor, or affiliate to, read Google user data except (a) with your affirmative agreement for specific data; (b) as necessary for security purposes such as investigating abuse or a security incident; (c) to comply with applicable law; or (d) where the data (including derivatives) has been aggregated and is used for internal operations in accordance with applicable privacy laws.

No human access to your data

Day-to-day operations on your Google Business Profile — content posting, review monitoring, insights aggregation, and profile updates — are performed by automated systems acting under the OAuth authorization you granted. Scion Media employees and contractors do not read, export, or otherwise access the individual contents of your Google user data except in the narrow circumstances listed in item (4) above.

When manual access is unavoidable (for example, to diagnose a production issue, to act on a specific support request you sent us, or to investigate a potential security incident), that access is:

• Authorized by a designated privileged-access role within Scion Media
• Logged with user identity, timestamp, scope of access, and business justification
• Time-limited and restricted to the minimum data necessary to resolve the issue
• Never used for advertising, model training, resale, or any purpose unrelated to the stated justification

Security for Google data

Google OAuth credentials are stored encrypted at rest and transmitted only over TLS 1.2 or higher. Access to Google API systems is restricted by role and protected by multi-factor authentication. Scion Media commits to an annual Cloud Application Security Assessment (CASA) appropriate to our scope tier, and will notify affected users of any security incident involving Google user data without undue delay and in any case consistent with applicable law.

Facebook and Instagram Data

Scion Media operates the Sightline platform as a Meta Tech Provider that helps local businesses manage their Facebook Pages and Instagram Business Accounts. To perform that work on your behalf, Sightline needs access to specific Meta data. Access is granted exclusively through Facebook Login for Business — a Page admin must explicitly authorize Sightline before any data is read, and access can be revoked at any time.

What data we access

When you connect a Facebook Page or Instagram Business Account through Sightline, we may access the following, limited to what the permissions you grant allow:

• Facebook Page profile information — name, address, phone number, hours, categories, website, cover and profile photos, and other public profile fields.
• Facebook Page posts and engagement metrics — your Page posts and their reach, impressions, likes, shares, and other engagement signals.
• Comments and reactions on Page posts — including the commenter's name and the text of their comment, so we can monitor and respond to customer engagement on your behalf.
• Page insights — audience demographics, post performance, follower counts, and other analytics provided by Meta.
• Linked Instagram Business Account — profile information, media (posts, reels, stories), comments on that media, and Instagram insights.
• Meta Business Manager assets — information about the Pages, Instagram accounts, and other business assets you grant Sightline access to.

The specific Meta permissions Sightline requests include pages_show_list, pages_manage_metadata, pages_manage_posts, pages_read_engagement, pages_read_user_content, pages_manage_engagement, read_insights, business_management, instagram_basic, instagram_content_publish, instagram_manage_insights, and instagram_manage_comments. Each permission is requested only to deliver a feature that appears in the Sightline product.

How we obtain it

We obtain Meta data exclusively through Facebook Login for Business. A Page admin or Business Manager user with the necessary role must complete Meta's official login flow and explicitly grant Sightline the listed permissions. Sightline cannot read any Meta data without that affirmative authorization, and cannot exceed the scope of the permissions granted.

Why we collect it

We use Meta data exclusively to provide the marketing services you have engaged us for, including:

• Maintaining accurate and consistent business listing information across your Facebook Page and Instagram profile
• Drafting, scheduling, and publishing posts, reels, and stories on your behalf
• Monitoring comments, reactions, and direct messages so we can respond to customer engagement
• Producing performance reporting (reach, impressions, follower growth, post performance) for your monthly review
• Surfacing recommendations to improve your social presence

How we DO NOT use Meta data

We will never:

• Sell your Facebook or Instagram data to any third party
• Share your Meta data with third-party advertisers or data brokers
• Use your Meta data for advertising, retargeting, or interest-based advertising outside the campaigns you explicitly direct us to run
• Use your Meta data to train artificial intelligence or machine learning models
• Use your Meta data for competitive research, benchmarking against other clients, or any purpose outside the marketing services agreement you signed
• Access more data than the permissions you granted require

Sub-processors

To deliver the service, Meta data may pass through the following vetted sub-processors, each bound by contractual data-protection requirements:

• Railway — application hosting and database infrastructure
• Cloudflare — content delivery network and edge security
• Anthropic — AI processing for content drafting and reply suggestions, where applicable to your plan; content sent to Anthropic is not used to train their models per Anthropic's API terms

We do not sell or share Facebook or Instagram data with third-party advertisers, marketing networks, or any party outside of these named sub-processors and Meta itself.

How long we retain it

Meta data is retained only as long as your connection to Sightline is active and your service agreement is in force. Specifically:

• While your account is connected, we retain the operational data needed to deliver the service (your most recent posts, comments, insights, and audience metrics).
• If you disconnect your Facebook Page or Instagram account from Sightline, we purge the associated data from our active systems within 90 days.
• You can request immediate deletion at any time by contacting us at privacy@scionmediadigital.com or through the Data Deletion process described below.
• Aggregated, fully anonymized statistics that cannot be traced back to you may be retained for internal product analytics.

User rights

You can manage your Meta data in Sightline at any time by:

• Disconnecting your account — go to Sightline → Settings → Connected Accounts and click "Disconnect" for the Facebook Page or Instagram account in question. This revokes our access immediately and triggers data purge.
• Removing the app from Facebook — visit Facebook Settings → Business Integrations (or Settings → Apps and Websites), find Sightline, and remove it. Meta will notify our endpoint and we will delete the associated data per the Data Deletion process below.
• Contacting us directly — email privacy@scionmediadigital.com or marc@scionmediadigital.com for any data access, correction, or deletion request.

Compliance with Meta Platform Terms

Sightline's use of information received from Meta APIs adheres to the Meta Platform Terms and the Meta Developer Policies, including all data-handling, retention, and use restrictions stated in those documents. Specifically, Sightline affirms that it uses Meta data solely to provide the marketing features described above, does not transfer Meta data to any party other than the sub-processors listed, does not use Meta data for advertising outside the campaigns clients direct, and does not use Meta data to train AI models.

Our automated Data Deletion Callback endpoint, which Meta calls when a user removes Sightline from their Facebook account, is published at: https://app.scionmediadigital.com/api/meta/data-deletion.

Data Deletion process

You can request deletion of all Meta data we hold about you at any time. There are three paths:

1. In Sightline — disconnect your Facebook Page or Instagram account in Sightline → Settings → Connected Accounts. Disconnect immediately revokes our API access and queues purge of all associated data.
2. Via Facebook — remove Sightline from Facebook Settings → Business Integrations. Meta will send a deletion callback to our endpoint and we will purge the associated data and return a confirmation code per Meta's specification.
3. By email — write to privacy@scionmediadigital.com with the subject line "Meta Data Deletion Request" and identify the Facebook Page or Instagram account in question.

Service-level commitment: deletion requests are processed within 30 days and typically within 24 hours. After deletion, only minimal records required for legal compliance (such as audit logs of the deletion event itself) are retained, and those are kept for the shortest period applicable law permits.

Security for Meta data

Meta access tokens are stored encrypted at rest and transmitted only over TLS 1.2 or higher. Access to Meta API systems is restricted by role and protected by multi-factor authentication. We will notify affected users of any security incident involving Meta user data without undue delay and in any case consistent with applicable law and Meta's incident-reporting requirements.