Privacy Policy
Effective Date: March 1, 2026
1. Introduction
UTM Mind (“we”, “us”, or “our”) is committed to protecting your privacy and handling your data with the highest standards of security and transparency. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights regarding your data.
By using UTM Mind, you agree to the practices described in this policy. If you do not agree, please discontinue use of the Service. For questions, contact us at hi@utmmind.com.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address, name, and profile picture (if provided via your sign-in provider). Authentication is managed by Clerk, a SOC 2 Type II certified identity platform.
2.2 UTM and Campaign Data
We store the UTM links, templates, attributes, and validation rules you create within UTM Mind. This data is associated with your account and organization and is used solely to provide the Service.
2.3 Third-Party Integration Credentials
When you connect Google Ads, Meta Ads, or Google Analytics 4, we receive OAuth access tokens and refresh tokens from those platforms. Our handling of this data is subject to the strict conditions outlined in the “Google API Limited Use Disclosure” (Section 4) and “OAuth Tokens & Third-Party Credentials” (Section 5) sections below.
2.4 Usage Data
We collect standard usage data including page views, feature usage, and error logs to improve the Service. This data is collected via Google Tag Manager and is anonymized where possible.
3. How We Use Your Information
We use the information we collect solely to provide, operate, and improve the UTM Mind Service. This includes:
- ✓To provide, operate, and improve the UTM Mind Service.
- ✓To authenticate your identity and manage your account.
- ✓To sync tracking templates to your connected ad platforms (Google Ads, Meta Ads) when you explicitly request it.
- ✓To retrieve and analyze Google Analytics 4 data for reporting and the AI Validation report when you explicitly request it.
- ✓To send transactional emails (account notifications, billing receipts, security alerts).
- ✓To enforce plan limits and manage your subscription.
We will never sell your data to third parties, use it for advertising, or use it for any purpose not directly related to providing or improving the core functionality of utmmind.com. Information received from Google APIs is strictly excluded from any data-sharing or AI-training practices.
4. Google API Limited Use Disclosure
🔵 Official Google API Compliance Statement
utmmind.com’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We request access to your Google Ads (https://www.googleapis.com/auth/adwords), Google Analytics (https://www.googleapis.com/auth/analytics.readonly), and Google Drive (https://www.googleapis.com/auth/drive.file) data via OAuth for the exclusive purpose of providing the core functionality of our application. Specifically:
- ›Google Ads — Read: We read your account structure (campaigns, ad groups, ads) solely to allow you to select where to apply UTM tracking templates within the UTM Mind interface.
- ›Google Ads — Write: We write updated tracking templates to your Google Ads campaigns only when you explicitly initiate a sync operation from within UTM Mind.
- ›Google Analytics 4 — Read: We read your GA4 account structure, properties, and report data solely to generate UTM performance reports and dashboards that are displayed to you within utmmind.com. We use the analytics.readonly scope which grants read-only access.
- ›Google Drive — Write: We create new Google Sheets files in your Drive solely when you explicitly export UTM links. We use the drive.file scope which limits access to only files created by UTM Mind.
This data is used solely to provide and improve these user-facing features. We do not sell, trade, share with third-party advertisers, or otherwise misuse information received from Google APIs.
5. OAuth Tokens & Third-Party Credentials
🔒 Our Absolute Commitment on Token Security
We treat OAuth tokens from Google Ads, Meta Ads, and Google Analytics 4 as highly sensitive credentials. We make the following absolute, unconditional commitments:
- ✓Encrypted at rest: All tokens are encrypted using AES-256 encryption before being stored in our MongoDB Atlas database.
- ✓Encrypted in transit: All tokens are transmitted exclusively over TLS 1.2+ encrypted connections. Tokens are never transmitted in plaintext.
- ✓Never shared or sold: Tokens are never shared with, sold to, or disclosed to any third party except the originating platform API (e.g., Google or Meta) when performing authorized actions.
- ✓Minimum scope: We request only the minimum OAuth scopes required to perform the specific functions you use. We do not request write access unless you explicitly use a sync feature.
- ✓Purpose-limited: Tokens are used exclusively to perform actions you explicitly authorize within UTM Mind, in strict accordance with the Google API Services User Data Policy Limited Use requirements.
- ✓Revocable at any time: You can revoke our access at any time from the Integrations page in UTM Mind, or directly from your Google or Meta account security settings.
- ✓Deleted on request: Tokens are permanently deleted from our systems within 30 days of account deletion, integration disconnection, or upon your written request to hi@utmmind.com.
- ✓Access-controlled: Access to token storage is restricted to a minimal set of authorized engineering personnel and is protected by multi-factor authentication and audit logging.
6. Data Deletion
You have the right to delete your data at any time. We provide two methods for doing so:
Option 1: In-App Deletion
- —To disconnect a third-party integration and delete its stored OAuth tokens, go to Dashboard → Integrations and click “Disconnect” next to the relevant platform.
- —To delete individual UTM links, templates, or other data, use the delete controls within each respective section of the app.
- —To delete your entire account and all associated data, go to your Account Settings and select “Delete Account.”
Option 2: Request Deletion by Email
Send a deletion request from the email address associated with your account to hi@utmmind.com. Please include “Data Deletion Request” in the subject line and specify whether you wish to delete specific data or your entire account.
Upon receiving a valid deletion request, we will permanently delete all specified data (including account information, UTM data, and stored OAuth tokens) from our systems within 30 days. Billing records may be retained for up to 7 years as required by applicable tax law.
7. Data Storage & Infrastructure
UTM Mind is built on enterprise-grade, security-certified infrastructure:
| Service | Provider | Certifications |
|---|---|---|
| Application Hosting | Vercel | SOC 2 Type II |
| Database | MongoDB Atlas | ISO 27001, SOC 2 Type II |
| Authentication | Clerk | SOC 2 Type II |
| AI Processing | OpenAI / Google Gemini | SOC 2 Type II, GDPR |
8. Data Sharing
We do not sell your personal data. We share data with third parties only in the following limited circumstances:
- —With your connected ad platforms (Google, Meta) to perform sync operations you explicitly request.
- —With Clerk for authentication and identity management.
- —With our infrastructure providers (Vercel, MongoDB Atlas) to host and operate the Service.
- —With AI providers (OpenAI, Google) to process AI agent requests — only the content of your specific request is sent, not your full account data. Information received from Google APIs is strictly excluded from this practice.
- —When required by law, court order, or to protect the rights and safety of UTM Mind or its users.
9. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- —Account data is retained until you delete your account.
- —UTM links, templates, and attributes are retained until you delete them or your account.
- —OAuth tokens are retained until you disconnect the integration or delete your account, and permanently deleted within 30 days thereafter.
- —Usage logs are retained for up to 90 days.
- —Billing records are retained for 7 years as required by applicable tax law.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- ›Right to access: Request a copy of the personal data we hold about you.
- ›Right to rectification: Request correction of inaccurate data.
- ›Right to erasure: Request deletion of your personal data — see Section 6 for full details.
- ›Right to portability: Request your data in a machine-readable format.
- ›Right to object: Object to processing of your data for certain purposes.
- ›Right to withdraw consent: Withdraw consent for data processing at any time.
To exercise any of these rights, contact us at hi@utmmind.com. We will respond within 30 days.
11. Cookies & Tracking
UTM Mind uses cookies for authentication (managed by Clerk) and analytics (via Google Tag Manager). We do not use advertising cookies or cross-site tracking. You can manage cookie preferences through your browser settings.
12. Children's Privacy
UTM Mind is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at hi@utmmind.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification at least 14 days before the changes take effect. The “Effective Date” at the top of this page reflects the date of the most recent update.
14. Climate Commitment
UTM Mind is committed to fighting climate change. We contribute a portion of our revenue to carbon removal through Stripe Climate. You can view our climate commitment and verified impact at climate.stripe.com/zDIV2J.
15. Contact Us
For privacy inquiries, data deletion requests, or to exercise your rights, contact us at: