Privacy Policy

Effective date: May 13, 2026 · Last updated: May 13, 2026

1. About this policy

This Privacy Policy describes how Expend Stat (“Expend Stat”, “we”, “us”, “our”) collects, uses, stores, and protects information when you use our analytics platform. It focuses in particular on data that we receive from Google APIs after you authorize Expend Stat through Google’s OAuth 2.0 consent flow.

Expend Stat is a hosted analytics platform whose only function is to read Google Ads spend metrics on behalf of an authorized user and to display those metrics back to that same user (and to other users at the same organization who have been granted access by their administrator).

Core commitment. Any data we receive through Google APIs is used solely to provide spend statistics back to the authorizing user. We do not modify your Google Ads accounts, we do not sell your data, we do not share your data with third parties for their own purposes, we do not serve advertising with it, and we do not use it to train generalized AI or ML models.

2. Scope

This policy applies to:

  • The Expend Stat marketing website at the domain hosting these pages;
  • Any Google OAuth 2.0 authorizations that are completed through Expend Stat;
  • Data that Expend Stat reads from Google APIs based on those authorizations (including the Google Ads API and Google’s OAuth user-info endpoints);
  • Operational logs generated when authorized users interact with the Expend Stat dashboard.

This policy does not apply to:

  • Google’s own products (Google Ads, your Google Account, etc.). Your use of those products is governed by their own terms and Google’s privacy policy.
  • Any other third-party websites or services that may be linked to from this site.

3. Data we access

3.1 Basic identity information from Google OAuth

When you complete Google’s OAuth consent flow, Expend Stat receives the following basic identity information so that we can identify the authorizing account inside our dashboard:

  • Your Google Account’s unique identifier;
  • Your Google Account email address and basic profile (display name, locale).

3.2 Google Ads data

Based on the https://www.googleapis.com/auth/adwords scope that you grant, Expend Stat issues read-only Search queries against the Google Ads API. We read only the minimum fields necessary for spend statistics:

  • customer / customer_client: account ID, display name, currency code, time zone, account status, manager flag, hierarchy level — used to list and group your accounts in the dashboard.
  • campaign joined with segments.date and metrics.cost_micros: daily spend amounts, aggregated by date — the core metric we display.

3.3 OAuth tokens

To keep your authorization active so that scheduled spend sync can continue running, we store the access_token, refresh_token, token expiry, and the granted scopes that Google returns. These tokens are stored encrypted in our database and are used only by Expend Stat itself.

3.4 Data we do not access

  • We do not request scopes for, and do not read, content from Gmail, Drive, Calendar, Contacts, Photos, or any other Google service outside of Google Ads.
  • We do not read ad creatives, ad copy, keywords, audiences, targeting settings, conversions, customer-match lists, or other sensitive advertising content.
  • We do not read billing details, payment instruments, or invoice content.

4. How we use that data

We use data received from Google APIs only for the following single purpose:

  • Showing the authorizing user (and other users at the same organization who have been granted access by their administrator) aggregated daily and range-based spend across their own Google Ads accounts;
  • Allowing those users to filter that spend by account, customer ID, owner, and date range;
  • Powering the dashboard’s charts for cumulative account count and daily spend trends, computed from the same data.

We do not use Google API data for any other purpose — see Sections 5 and 10 for the explicit list of prohibited uses we have committed to avoid.

5. Google API Services Limited Use disclosure

Expend Stat’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Applied to Expend Stat specifically, this means:

  • Single purpose. Google user data is used only to deliver the user-facing spend-analytics features described in Section 4.
  • No selling. We do not sell Google user data to anyone.
  • No advertising. We do not use Google user data for any form of advertising, including retargeting, audience building, or personalized ads.
  • No credit-worthiness or biometric uses. We do not use Google user data to determine credit-worthiness, for lending purposes, or for any kind of biometric identification.
  • No human reading. We do not allow humans to read Google user data except in the limited cases described in Section 11.
  • No transfer to other apps. We do not transfer data received from Google APIs to any other application except as strictly necessary to provide our service to the user, comply with applicable law, or as part of an aggregated and anonymized dataset that cannot be tied back to an individual user.
  • No use for AI / ML training. We do not use Google user data to develop, improve, or train generalized or non-personalized AI or machine learning models.

6. Read-only access — we never modify your ads

Although the adwords scope technically allows both read and write operations against the Google Ads API, Expend Stat’s code path only ever issues read-only Search queries. Specifically:

  • We do not call any mutate, create, update, remove, or budget-management endpoint;
  • We do not pause, enable, edit, or otherwise change any campaign, ad group, ad, keyword, asset, audience, conversion action, budget, or bidding strategy;
  • We do not place, manage, or modify any payments on your behalf.

Your Google Ads accounts remain entirely under your control. Expend Stat’s role is strictly that of a read-only observer.

7. Storage and security

  • Encryption in transit. Traffic between Expend Stat and Google APIs, and between your browser and Expend Stat, runs over HTTPS / TLS.
  • Encryption at rest. OAuth tokens and the spend records derived from Google Ads data are stored in our managed database with disk-level encryption and restricted operator access.
  • Access control. The Expend Stat dashboard requires authentication and role-based authorization. Users cannot see spend data for organizations or accounts they have not been granted access to.
  • Least privilege. We request the minimum OAuth scopes required for spend analytics. We will not request additional scopes unless we add new functionality that strictly requires them, in which case we will update this policy first.
  • Monitoring. Operational systems are monitored for unusual API call patterns and access anomalies.

8. Data retention and deletion

  • OAuth tokens are retained as long as your authorization is active. When you (or Google) revoke the authorization, we mark the record as inactive and stop using the tokens.
  • Spend records are retained for as long as your organization keeps its Expend Stat workspace, so that historical trends remain available. Organization administrators may delete records for specific accounts or date ranges from the dashboard.
  • You can revoke your authorization at any time by either:
  • Right to deletion. If you would like us to delete all data associated with your Google Account from Expend Stat (tokens, account list, spend history), please email [email protected]. We will confirm your identity, process the request, and reply within 7 business days.

9. No selling, no third-party sharing

We do not sell, rent, lease, or trade Google user data. We do not share it with data brokers, advertising networks, or any other third party for their independent use. The only entities that ever process your Google user data are:

  • Google itself, by virtue of the fact that the data is fetched through Google APIs — this is inherent to the service.
  • Our infrastructure providers (for example, the cloud provider hosting our database). These providers act strictly as data processors under contractual obligations and do not have the right to use your data for their own purposes.
  • Compliance with law. If we are compelled by a valid, binding legal process (such as a court order) to disclose data, we will do so to the extent strictly required by that process.
  • With your explicit consent. If you ask us to export or share data with a specific recipient that you designate.

10. No use for advertising or AI training

Expend Stat will never:

  • Use Google user data to serve, target, retarget, or personalize advertisements;
  • Build audiences or user profiles from Google user data;
  • Use Google user data to develop, improve, or train any AI or machine learning model — whether for our own use or for a third party.

11. Limited human access

We do not have humans read Google user data, except in the following narrow, industry-standard circumstances:

  • When you have given us specific, freely-given, revocable consent for support purposes (for example, you send us a screenshot to help debug an issue);
  • For security purposes (for example, investigating an abuse signal or suspected compromise), and only to the minimum extent necessary;
  • To comply with applicable law;
  • When the data has been aggregated or anonymized and can no longer be linked to a specific Google user.

12. Cookies and logs

  • This marketing website (the pages you are reading) does not use any analytics or advertising cookies and does not embed any third-party tracking scripts.
  • The Expend Stat dashboard uses only the strictly-necessary session cookies required to keep you signed in.
  • Our backend writes standard request logs (IP address, timestamp, requested path, status code) for security and operational diagnostics. These logs do not contain raw Google user data and are retained for a limited operational window before automatic deletion.

13. Children

Expend Stat is designed for professional advertisers and is not directed at children. We do not knowingly collect personal information from anyone under the age of 13 (or the higher minimum age in your jurisdiction). If you believe a minor has authorized Expend Stat in error, please contact us using the email below and we will delete the related data.

14. Changes to this policy

We may update this policy from time to time, for example to reflect changes in law, Google’s API policies, or our product. When we do, we will update the “Effective date” and “Last updated” fields at the top of this page. For material changes, we will additionally surface a notice inside the Expend Stat dashboard. Continued use of Expend Stat after such updates constitutes acceptance of the revised policy.

15. Contact

If you have any questions about this policy, want to exercise your rights as a data subject, or want to report a security concern, please contact us:

Contact person: Wesley

Email: [email protected]

Response time: we aim to respond within 7 business days.