Privacy & Data

Google API Limited-Use Compliance

How we handle Google Ads, Analytics and Search Console data under Google’s Limited Use rules.

Last updated: 13 July 2026

SemlyPro


1. Who we are

This Statement is published by Semly Pro, a sole proprietorship (eenmanszaak) established in the Netherlands, registered with the KvK (Dutch Chamber of Commerce) under number 99448351, VAT ID NL005387029B31, with registered address Hawaiiweg 41, 1339 NW Almere, Netherlands (trading as “SemlyPro”, “we”, “us”, “our”). SemlyPro is the developer and operator of the SemlyPro application and its associated APIs, browser extensions and Model Context Protocol (MCP) server (together, the “Service”).

SemlyPro currently operates as a Dutch sole proprietorship; its owner (currently Surya Pillai) is the natural person legally responsible. SemlyPro intends to incorporate a private limited company (Semly Pro B.V.). Upon incorporation, Semly Pro B.V. will assume the Service and this Statement, the Google Cloud project and OAuth client will be transferred or re-registered to it, and references to “SemlyPro” will be read as references to Semly Pro B.V. Its incorporation does not require your further consent.


2. Purpose and scope of this Statement

The Google API Services User Data Policy requires any application that accesses Google user data through Google APIs to disclose, in a published policy that is accessible from the OAuth consent screen, how the application accesses, uses, stores and shares that data, and to affirm that its use complies with the Limited Use requirements. This Statement provides that disclosure specifically for SemlyPro’s Google integrations. It supplements, and does not replace, our Privacy Policy (in particular Section 3.3, “Data from third parties”), our Sub-processor List, our Data Processing Agreement (“DPA”) and our internal Staff Data-Access Policy. Where this Statement conflicts with those documents on the treatment of Google user data, this Statement and the Privacy Policy control and are read together.

In this Statement, “Google user data” means data that SemlyPro obtains through Google APIs under the OAuth scopes listed in Section 4, together with any data SemlyPro aggregates, anonymises or derives from it — consistent with the scope of the Google API Services User Data Policy, which applies to raw scope data and to data derived from it alike.

Where you (our Customer) authorise SemlyPro to access your connected Google accounts, the Google user data we ingest on your instruction is Customer Materials: you (or your end-client) are the controller (and, for Indian Data Principals, the Data Fiduciary) of any personal data it contains, and SemlyPro acts as your processor (Data Processor) under the DPA. Nothing in this Statement alters that allocation of roles.


3. Which Google services we connect to and why

SemlyPro is a search-engine-optimisation and content platform. With your authorisation, we connect to the following Google services to provide user-facing analysis, auditing and reporting features that are prominent in the SemlyPro interface:

Google service What we ingest The user-facing feature it powers
Google Ads Campaign, ad-group, keyword, spend, performance, conversion and (where present) audience data Paid-and-organic performance analysis, budget/keyword insight, and reporting inside the SemlyPro dashboard
Google Analytics 4 (GA4) Traffic, audience, session, engagement, conversion and event data (which may include IP addresses and client/user identifiers) Site-performance and audience analysis, content-effectiveness reporting, and audit recommendations
Google Search Console Search query, impression, click, average-position and index-coverage data for your verified property Keyword and query analysis, ranking/visibility tracking, and technical-SEO audit findings

We connect to these services only after you initiate the connection and grant consent on Google’s OAuth consent screen, and only within the scopes you approve. We do not connect to any Google account you have not authorised, and we do not request scopes beyond those needed for the features above.


4. OAuth scopes we request

The table below lists the OAuth scopes SemlyPro requests. Each is classified by Google as a sensitive scope (as distinct from a restricted scope, such as Gmail or Drive content scopes); sensitive scopes require SemlyPro’s application to complete Google’s OAuth app-verification process before general access is granted.

Google API OAuth scope requested Access level Google classification
Google Ads API https://www.googleapis.com/auth/adwords Read Sensitive
Google Analytics Data API (GA4) https://www.googleapis.com/auth/analytics.readonly Read-only Sensitive
Google Search Console API https://www.googleapis.com/auth/webmasters.readonly Read-only Sensitive

We follow the principle of incremental, least-privilege authorisation: we request the minimum scopes necessary, we request them in context (at the point you enable the relevant feature) rather than all at once, and we prefer read-only scopes wherever a feature does not require write access.


5. How we use Google user data (approved use)

Consistent with the “Approved use” and Limited Use provisions of the Google API Services User Data Policy, SemlyPro uses Google user data only to provide and improve user-facing features that are prominent in the SemlyPro interface, and for security purposes (for example, investigating abuse). Specifically, we use Google user data to:

  • generate the analysis, audits, dashboards, charts and reports you request within the Service;
  • power keyword, ranking, traffic, audience and campaign-performance insights that are visible and prominent in the SemlyPro interface;
  • provide support, and troubleshoot and debug issues you report that involve a connected Google account; and
  • maintain the security and integrity of the Service (for example detecting and investigating abuse), as permitted by the policy.

We do not use Google user data for any purpose that is not a user-facing feature prominent in the Service, except the narrow security and legal-compliance purposes the policy expressly permits.


6. Limited Use affirmation

SemlyPro’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Although SemlyPro’s Google Ads, GA4 and Search Console scopes are classified as sensitive rather than restricted, we apply the full Limited Use commitments to all Google user data as a matter of policy. Accordingly:

  1. Providing/improving user-facing features. We limit our use of Google user data to providing or improving user-facing features that are prominent in the SemlyPro interface (see Section 5).
  2. No onward transfer or sale. We do not transfer or sell Google user data to third parties, except as necessary (a) to provide or improve those user-facing features (for example to the infrastructure and AI sub-processors listed in our Sub-processor List, which process it on our behalf under written contract), (b) to comply with applicable law, or © as part of a merger, acquisition or sale of assets after you are notified and provided the data continues to be used subject to this Statement. We do not sell Google user data, and we do not share it with data brokers or information-resellers.
  3. No advertising use. We do not use or transfer Google user data to serve advertisements, including personalised, re-targeted or interest-based advertising. Google user data ingested through these integrations is never fed into SemlyPro’s own marketing, advertising or audience-matching activity.
  4. No credit or lending use. We do not use Google user data for determining credit-worthiness or for lending purposes.
  5. Limits on human access. We do not allow humans to read Google user data, except: (a) with your affirmative agreement (for example where you ask a support agent to look at your connected data to resolve an issue you have reported); (b) where necessary for security purposes, such as investigating abuse; © to comply with applicable law; or (d) where the data has been aggregated and anonymised and is used for internal operations. These limits are operationalised by our Staff Data-Access Policy (see Section 9).

6.1 No AI-model training on Google user data

SemlyPro does not use Google user data to train, fine-tune or otherwise improve generalised or publicly-released AI/ML models, whether our own or any third party’s. This is consistent with, and additional to, the pack-wide no-public-model-training position stated in our Privacy Policy (Section 5.2), our AI Transparency Notice and our DPA.

Where a SemlyPro feature applies AI to Google user data (for example, to summarise or interpret your GA4 or Search Console data in a report you have requested), that processing occurs at inference time only, to produce the specific user-facing output you asked for. Any inference inputs sent to our model providers (currently OpenAI Ireland Limited and Anthropic PBC) are transmitted under commercial/enterprise terms that prohibit the use of inputs or outputs to train those providers’ publicly-released models. Google user data is excluded from any internal, non-public model-improvement activity to the extent the Google API Services User Data Policy so requires; the narrow internal “review and improve the Service” purpose described elsewhere in the pack does not extend to using Google user data to build or improve generalised models.


7. How we store and secure Google user data

  • Where it is stored. Google user data we ingest on your instruction is held within SemlyPro’s production datastore (identified in the Sub-processor List), configured for EU data residency where offered, alongside your other Customer Materials.
  • OAuth tokens. The OAuth refresh/access tokens that permit us to connect to your Google accounts are stored encrypted at rest and are treated as a high-sensitivity credential. They are used only to make API calls in service of the features you have enabled.
  • Encryption. Google user data and tokens are encrypted in transit (TLS 1.2 or higher) and at rest.
  • Access controls. Access is governed by least-privilege, role-based access controls with access logging, and administrative access requires multi-factor authentication, as described in our Privacy Policy (Section 10) and Staff Data-Access Policy.
  • Sub-processors. Google user data is processed by the sub-processors listed in our Sub-processor List (for example our hosting and infrastructure providers, and — at inference time only — our AI providers) under written contracts no less protective than our DPA.

International transfers of Google user data that contains personal data are governed by the safeguards in our Privacy Policy (Section 7) and Sub-processor List (EU Standard Contractual Clauses; the UK IDTA / UK Addendum and the UK–US data bridge for UK data; and, for Indian Data Principals, DPDP Act cross-border rules).


8. Retention, deletion and revocation

8.1 Retention. We retain Google user data only for as long as necessary to provide the features you use and to meet the retention scheme stated across our documents (Privacy Policy Section 8; DPA; Terms of Service). In summary: Customer Materials — including ingested Google user data — are retained for the duration of your subscription and a post-termination export window of thirty (30) days on standard plans or ninety (90) days where an Enterprise agreement/MSA so provides, after which they are deleted or anonymised; residual copies in backups are purged within ninety (90) days.

8.2 Disconnection and revocation. You can disconnect a Google integration at any time from within the Service, and you can independently revoke SemlyPro’s access from your Google Account’s security settings (myaccount.google.com/permissions). When you disconnect or revoke:

  • we stop making API calls to the affected Google account;
  • we delete the associated OAuth tokens; and
  • we delete or anonymise the Google user data ingested from that account within the retention windows above (or sooner on request), except where we are required by law to retain a specific record.

8.3 Deletion on request. You may request deletion of Google user data we hold about you at anil@semlypro.com. Where you are a data subject of one of our Customers’ connected accounts (rather than the account holder), we will route your request to that Customer as described in our Privacy Policy (Section 9).


9. Human-access limits (personnel and contractors)

SemlyPro personnel and authorised contractors may access Google user data only as necessary to (a) provide, maintain and secure the Service; (b) troubleshoot, debug and provide support; © investigate abuse, security or Acceptable Use Policy issues; and (d) review and improve the Service and its models for SemlyPro’s internal, non-public purposes only — and, for Google user data, subject to the “no human reading” limits in Section 6(5) and the no-generalised-model-training carve-out in Section 6.1. Such access is subject to confidentiality obligations, least-privilege / role-based access controls, and access logging.

These controls are operationalised by our internal Staff Data-Access Policy, and mirror the “Support and Access” commitments in our Privacy Policy (Section 10.1) and DPA. Where we process Google user data as your processor, personnel access is exercised only within the documented instructions and safeguards of the DPA.


10. Sharing with third parties

We share Google user data only as described in Section 6(2) and Section 7 — that is, with the sub-processors that help us provide the Service, where required by law, or in a corporate transaction after notice. We do not make Google user data available to other Customers, and we do not expose it through our public API or MCP server to developers other than in service of the account holder’s own authorised use. Developers who consume SemlyPro’s API are separately bound, under our API Terms of Use (clause 9) and Acceptable Use Policy, to comply with the Google API Services User Data Policy and Limited Use requirements and not to transfer, resell or misuse Google-originated data.


11. OAuth verification and app status

Because SemlyPro requests sensitive Google OAuth scopes, our application is subject to Google’s OAuth app-verification process, which includes review of this Statement and of our Privacy Policy against the Limited Use requirements. We maintain our OAuth consent screen, this Statement, and our Privacy Policy in a consistent state so that the disclosures match the scopes actually requested.

We monitor and comply with the Google Ads API Terms and the Google Analytics and Search Console API terms of service applicable to each integration, and we will suspend or cease an integration where a Google policy or a provider instruction requires it.


12. Changes to this Statement

We may update this Statement to reflect changes to the Google services we connect to, the scopes we request, or the Google API Services User Data Policy itself. We will update the “Last updated” date above, and where a change materially affects how we handle Google user data we will notify affected Customers in line with our Privacy Policy.


13. Where this Statement sits in the SemlyPro legal pack

This Statement should be read together with:

  • Privacy Policy — Section 3.3 (Google data integrations as a data source) and Section 5 (AI processing); the primary transparency notice under Articles 13/14 GDPR.
  • Staff Data-Access Policy (internal) — operational controls behind the human-access limits in Sections 6(5) and 9.
  • Sub-processor List — the authoritative list of recipients that process Google user data on our behalf.
  • Data Processing Agreement — the controller/processor (Data Fiduciary/Data Processor) framework for Google user data we process on your behalf.
  • API Terms of Use (clause 9) and Acceptable Use Policy — flow-down of Google’s Limited Use restrictions to API developers and users.
  • AI Transparency Notice — the pack-wide no-public-model-training position referenced in Section 6.1.

14. Contact

This Statement is published on the SemlyPro website and is linked from our OAuth consent screen and from our Privacy Policy.


Last updated 13 July 2026 · Operated by Semly Pro (eenmanszaak), KvK 99448351, Hawaiiweg 41, 1339 NW Almere, Netherlands · Questions about this document: anil@semlypro.com