Privacy Policy
Contents
- 1. About this policy
- 2. Scope
- 3. Data we access
- 4. How we use that data
- 5. Google API Services Limited Use disclosure
- 6. Read-only access — we never modify your ads
- 7. Storage and security
- 8. Data retention and deletion
- 9. No selling, no third-party sharing
- 10. No use for advertising or AI training
- 11. Limited human access
- 12. Cookies and logs
- 13. Children
- 14. Changes to this policy
- 15. Contact
1. About this policy
This Privacy Policy describes how Expend Stat (“Expend Stat”, “we”, “us”, “our”) collects, uses, stores, and protects information when you use our analytics platform. It focuses in particular on data that we receive from Google APIs after you authorize Expend Stat through Google’s OAuth 2.0 consent flow.
Expend Stat is a hosted analytics platform whose only function is to read Google Ads spend metrics on behalf of an authorized user and to display those metrics back to that same user (and to other users at the same organization who have been granted access by their administrator).
Core commitment. Any data we receive through Google APIs is used solely to provide spend statistics back to the authorizing user. We do not modify your Google Ads accounts, we do not sell your data, we do not share your data with third parties for their own purposes, we do not serve advertising with it, and we do not use it to train generalized AI or ML models.
2. Scope
This policy applies to:
- The Expend Stat marketing website at the domain hosting these pages;
- Any Google OAuth 2.0 authorizations that are completed through Expend Stat;
- Data that Expend Stat reads from Google APIs based on those authorizations (including the Google Ads API and Google’s OAuth user-info endpoints);
- Operational logs generated when authorized users interact with the Expend Stat dashboard.
This policy does not apply to:
- Google’s own products (Google Ads, your Google Account, etc.). Your use of those products is governed by their own terms and Google’s privacy policy.
- Any other third-party websites or services that may be linked to from this site.
3. Data we access
3.1 Basic identity information from Google OAuth
When you complete Google’s OAuth consent flow, Expend Stat receives the following basic identity information so that we can identify the authorizing account inside our dashboard:
- Your Google Account’s unique identifier;
- Your Google Account email address and basic profile (display name, locale).
3.2 Google Ads data
Based on the https://www.googleapis.com/auth/adwords scope that you grant,
Expend Stat issues read-only Search queries against the Google Ads API. We
read only the minimum fields necessary for spend statistics:
customer/customer_client: account ID, display name, currency code, time zone, account status, manager flag, hierarchy level — used to list and group your accounts in the dashboard.campaignjoined withsegments.dateandmetrics.cost_micros: daily spend amounts, aggregated by date — the core metric we display.
3.3 OAuth tokens
To keep your authorization active so that scheduled spend sync can continue running, we
store the access_token, refresh_token, token expiry, and the
granted scopes that Google returns. These tokens are stored encrypted in our database
and are used only by Expend Stat itself.
3.4 Data we do not access
- We do not request scopes for, and do not read, content from Gmail, Drive, Calendar, Contacts, Photos, or any other Google service outside of Google Ads.
- We do not read ad creatives, ad copy, keywords, audiences, targeting settings, conversions, customer-match lists, or other sensitive advertising content.
- We do not read billing details, payment instruments, or invoice content.
4. How we use that data
We use data received from Google APIs only for the following single purpose:
- Showing the authorizing user (and other users at the same organization who have been granted access by their administrator) aggregated daily and range-based spend across their own Google Ads accounts;
- Allowing those users to filter that spend by account, customer ID, owner, and date range;
- Powering the dashboard’s charts for cumulative account count and daily spend trends, computed from the same data.
We do not use Google API data for any other purpose — see Sections 5 and 10 for the explicit list of prohibited uses we have committed to avoid.
5. Google API Services Limited Use disclosure
Expend Stat’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Applied to Expend Stat specifically, this means:
- Single purpose. Google user data is used only to deliver the user-facing spend-analytics features described in Section 4.
- No selling. We do not sell Google user data to anyone.
- No advertising. We do not use Google user data for any form of advertising, including retargeting, audience building, or personalized ads.
- No credit-worthiness or biometric uses. We do not use Google user data to determine credit-worthiness, for lending purposes, or for any kind of biometric identification.
- No human reading. We do not allow humans to read Google user data except in the limited cases described in Section 11.
- No transfer to other apps. We do not transfer data received from Google APIs to any other application except as strictly necessary to provide our service to the user, comply with applicable law, or as part of an aggregated and anonymized dataset that cannot be tied back to an individual user.
- No use for AI / ML training. We do not use Google user data to develop, improve, or train generalized or non-personalized AI or machine learning models.
6. Read-only access — we never modify your ads
Although the adwords scope technically allows both read and write
operations against the Google Ads API, Expend Stat’s code path only ever issues
read-only Search queries. Specifically:
- We do not call any
mutate,create,update,remove, or budget-management endpoint; - We do not pause, enable, edit, or otherwise change any campaign, ad group, ad, keyword, asset, audience, conversion action, budget, or bidding strategy;
- We do not place, manage, or modify any payments on your behalf.
Your Google Ads accounts remain entirely under your control. Expend Stat’s role is strictly that of a read-only observer.
7. Storage and security
- Encryption in transit. Traffic between Expend Stat and Google APIs, and between your browser and Expend Stat, runs over HTTPS / TLS.
- Encryption at rest. OAuth tokens and the spend records derived from Google Ads data are stored in our managed database with disk-level encryption and restricted operator access.
- Access control. The Expend Stat dashboard requires authentication and role-based authorization. Users cannot see spend data for organizations or accounts they have not been granted access to.
- Least privilege. We request the minimum OAuth scopes required for spend analytics. We will not request additional scopes unless we add new functionality that strictly requires them, in which case we will update this policy first.
- Monitoring. Operational systems are monitored for unusual API call patterns and access anomalies.
8. Data retention and deletion
- OAuth tokens are retained as long as your authorization is active. When you (or Google) revoke the authorization, we mark the record as inactive and stop using the tokens.
- Spend records are retained for as long as your organization keeps its Expend Stat workspace, so that historical trends remain available. Organization administrators may delete records for specific accounts or date ranges from the dashboard.
-
You can revoke your authorization at any time by either:
- removing Expend Stat from your Google Account’s “Third-party apps with account access” page; or
- asking your organization administrator to delete the authorization from the Expend Stat dashboard.
- Right to deletion. If you would like us to delete all data associated with your Google Account from Expend Stat (tokens, account list, spend history), please email [email protected]. We will confirm your identity, process the request, and reply within 7 business days.
10. No use for advertising or AI training
Expend Stat will never:
- Use Google user data to serve, target, retarget, or personalize advertisements;
- Build audiences or user profiles from Google user data;
- Use Google user data to develop, improve, or train any AI or machine learning model — whether for our own use or for a third party.
11. Limited human access
We do not have humans read Google user data, except in the following narrow, industry-standard circumstances:
- When you have given us specific, freely-given, revocable consent for support purposes (for example, you send us a screenshot to help debug an issue);
- For security purposes (for example, investigating an abuse signal or suspected compromise), and only to the minimum extent necessary;
- To comply with applicable law;
- When the data has been aggregated or anonymized and can no longer be linked to a specific Google user.
13. Children
Expend Stat is designed for professional advertisers and is not directed at children. We do not knowingly collect personal information from anyone under the age of 13 (or the higher minimum age in your jurisdiction). If you believe a minor has authorized Expend Stat in error, please contact us using the email below and we will delete the related data.
14. Changes to this policy
We may update this policy from time to time, for example to reflect changes in law, Google’s API policies, or our product. When we do, we will update the “Effective date” and “Last updated” fields at the top of this page. For material changes, we will additionally surface a notice inside the Expend Stat dashboard. Continued use of Expend Stat after such updates constitutes acceptance of the revised policy.
15. Contact
If you have any questions about this policy, want to exercise your rights as a data subject, or want to report a security concern, please contact us:
Contact person: Wesley
Email: [email protected]
Response time: we aim to respond within 7 business days.