Slingshot Privacy Policy

Effective date: November 3, 2025
Host page: https://useheady.com/legal/slingshot/privacy-policy
Service: Slingshot (AI + analytics dashboards for marketing and local SEO)
Provider / Data Controller: Heady Collective, LLC (“Heady”, “we”, “us”, “our”)
Address: 4833 Front St, Ste B, Castle Rock, CO 80104
Contact: privacy@useheady.com

This Privacy Policy explains how Slingshot collects, uses, shares, and protects information when you visit our site and use our application, including when you connect third-party services such as Google Analytics 4 and Google Search Console. If you do not agree with this Policy, please do not use Slingshot.

1) Information We Collect

1.1 Account & Contact Information

  • Name, email address, company, role, and workspace settings provided during sign-up or onboarding.
  • Authentication data (passwords are hashed; SSO/OAuth tokens are stored encrypted).
  • Billing contact and plan selections (if applicable). Payment card details are processed by our payment processor and not stored by Slingshot.

1.2 Usage, Device & Log Data

  • App activity (for example, feature interactions), pages viewed, timestamps, IP-derived general location, referrer, device/browser type, and diagnostics/error events.

1.3 Cookies and Similar Technologies

  • Essential cookies to maintain your session and secure your account.
  • Optional analytics cookies (only where permitted by law/consent) to understand product usage and improve features.

1.4 Data From Services You Connect (Your Choice)

When you connect a third-party service, Slingshot accesses only the data strictly necessary to provide the features you invoke.

Google services (OAuth 2.0):

  • Google Analytics 4 (Analytics Data/Admin APIs) – property metadata and metrics/dimensions you query for dashboards and reports.
  • Google Search Console (Webmasters API) – verified site list and read-only performance/coverage data to power dashboards.

Other optional connections (examples):

  • SEMrush, BrightLocal (visibility/keyword metrics).
  • E-commerce/menu tools (configuration metadata and public catalog/deals data).

Tokens & scopes. We use OAuth tokens and request the minimum scopes necessary. Tokens are encrypted at rest. You can revoke access at any time in Slingshot and via your Google Account security settings.

2) How We Use Information

  • Provide, operate, and secure Slingshot (authentication; dashboards; reports; exports; alerts).
  • Diagnose issues, monitor performance, and improve features and UX.
  • Provide customer support and essential service communications.
  • Comply with legal obligations and enforce our Terms.

We do not sell personal information. We do not use Google-sourced data for advertising, retargeting, or profiling beyond the product features you request.

Legal bases (EEA/UK): performance of a contract, legitimate interests, and consent where required (for example, non-essential cookies, marketing emails).

3) Google API Services User Data Policy (“Limited Use”)

  • We use Google user data only to provide or improve user-facing features within Slingshot that you request or enable.
  • We do not transfer Google user data to third parties except (a) as necessary to provide or secure Slingshot (for example, bound subprocessors), (b) to comply with applicable law, or (c) with your explicit direction/consent.
  • We do not use Google user data for ads, retargeting, or building profiles unrelated to the product’s features.
  • We do not allow human access to Google user data except when required for security, fraud prevention, debugging, or legal compliance, and then only under strict need-to-know access controls.

This Policy is hosted on our verified domain and linked on the OAuth consent screen.

4) Data Sharing & Subprocessors

We share data only with:

  • Service providers (subprocessors) under written contracts, used to host infrastructure, store data, process logs/analytics, send emails, manage support, and process payments. They may access information solely to perform services for us and are bound by confidentiality and data-protection terms.
  • Legal/compliance recipients where required by law or to protect rights, safety, or security.
  • Business transfers (for example, merger/acquisition) with appropriate protections.

Current subprocessors (Slingshot):

  • Vercel (hosting/build/edge)
  • Supabase (database/auth/storage)
  • Cloudflare (CDN, edge security, object storage)
  • Klaviyo (email communications)
  • Stripe (payments)

We may update this list as our stack evolves. We do not sell or “share” personal information (as “share” is defined under the CPRA).

5) Data Retention

  • Account/workspace data: retained for the life of the account and up to 24 months thereafter for backups, audits, and legal obligations.
  • Connected-service data (for example, GA4/GSC): cached results/derived metrics retained to power dashboards, comparisons, and exports; typically up to 24 months unless you delete earlier.
  • Logs/diagnostics: retained for up to 12 months, then deleted or anonymized.

We will delete or anonymize data sooner upon request where legally permissible.

6) Your Choices & Rights

  • Disconnect integrations. Disconnect Google and other integrations in Slingshot at any time; revoke Google access via Google Account → Security → Third-party access.
  • Access/port/correct/delete. Request a copy of your data, correction, or deletion (subject to legal exceptions).
  • Opt-outs. Opt out of non-essential cookies (where required) and of marketing emails via unsubscribe links.

We honor rights applicable to your location (for example, GDPR/UK GDPR, CCPA/CPRA, Colorado CPA). Colorado users may submit an appeal if we deny a rights request by replying to our response or emailing privacy@useheady.com with subject “Privacy Appeal.” We will respond within the timelines required by law.

7) Security

We employ administrative, technical, and physical safeguards, including TLS in transit, encryption at rest for OAuth tokens and stored data, least-privilege access controls, secret rotation, and audit logging. No method is 100% secure, and we continuously improve our controls.

8) International Data Transfers

Where information is processed outside your country, we use appropriate safeguards (for example, EU Standard Contractual Clauses) to protect your data in accordance with applicable law.

9) Children’s Privacy

Slingshot is intended for business users and is not directed to children under 16. We do not knowingly collect personal information from children.

10) Changes to This Policy

We may update this Policy periodically. We will post updates at the URL above and revise the “Effective date.” For material changes, we may provide additional notice.

11) Google OAuth Scopes Disclosure

Slingshot may request the following read-only scopes to deliver the features you choose:

  • Google Analytics 4 (Analytics Data/Admin APIs): read property metadata and analytics metrics/dimensions for reporting.
  • Google Search Console: https://www.googleapis.com/auth/webmasters.readonly (site list, search performance/coverage data).

We request the minimum scopes necessary and explain each scope’s purpose in clear language. You can revoke access at any time.

12) Statement of Adherence (Google Verification)

Slingshot’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. This statement appears here and within our app.

Contact

Heady Collective, LLC
4833 Front St, Ste B, Castle Rock, CO 80104
privacy@useheady.com