Privacy Policy

Last updated: May 19, 2026

Virginia AI ("Virginia," "we," "us," or "our") provides a software-as-a-service platform that helps marketing agencies generate AI-written performance reports for their clients using data from Google Analytics 4 and Google Ads. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your information.

1. Scope and Who This Policy Covers

Virginia is a business-to-business product. There are two distinct groups of people whose information flows through our systems:

  • Agency users are the people who sign up for a Virginia account, pay for a subscription, connect Google accounts, and configure reports. We are the data controller for agency user information.
  • End clients are the agencies' customers. Their identifying information and the analytics data we pull on their behalf are provided to us by the agency. For end-client information, we act as a data processor on behalf of the agency, which is the controller. The agency is responsible for having a lawful basis to share that information with us.

2. Information We Collect

Account information

When you register, you provide your name, email address, agency name, and authentication credentials (managed by our authentication provider, Clerk). You may also provide your agency logo URL and brand colors, used to style the reports we generate.

Client records

For each client you add, you enter a client name, a contact email address, a GA4 property ID, and optionally a Google Ads customer ID.

Billing information

Payment card details are collected and stored by Stripe — Virginia never sees or stores raw card data. We retain the Stripe customer ID, subscription plan, status, and billing history.

Google OAuth tokens

When you connect a Google account, we receive and store OAuth access tokens and refresh tokens. These tokens are encrypted at rest using AES-256-GCM and are used only to retrieve GA4 and Google Ads metrics for report generation. We use Google access only for read-only reporting:

  • https://www.googleapis.com/auth/analytics.readonly
  • https://www.googleapis.com/auth/adwords (used only to read Google Ads reporting data; Virginia does not create, edit, or delete campaigns)
  • Basic profile scopes used solely to identify which Google account was connected

Analytics data

When a report runs, we query the GA4 Data API and Google Ads API for the property and customer IDs you specified. The data returned — sessions, users, conversions, ad spend, campaign names, and similar aggregate metrics — is stored in association with the client record and report date range.

Technical information

When you use the application, we collect basic technical data needed to operate it: IP address, browser type, pages viewed, timestamps, and error logs. We use this for security and debugging. We do not use third-party advertising pixels on the application.

3. How We Use Information

  • To provide the service: authenticating your account, storing your client list, pulling analytics data on your configured schedule, generating report narratives, and emailing reports to the client addresses you specify.
  • To bill you: processing subscription payments through Stripe and sending receipts.
  • To support you: responding to your emails and troubleshooting issues.
  • To operate and secure the platform: monitoring for abuse, debugging errors, and complying with legal obligations.
  • To communicate with you: sending transactional emails about your account, security notices, and material changes to the service or this policy.

4. Google API Services — Limited Use Disclosure

Virginia AI's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • Read-only product behavior. Virginia uses Google access only to read GA4 and Google Ads reporting data. We do not create campaigns, edit campaigns, change account settings, or take write actions in your Google accounts.
  • Limited Use. Google user data is used solely to provide the report-generation features of Virginia. We do not use it for advertising, do not sell it, and do not transfer it to third parties for purposes unrelated to the service.
  • No AI training on Google user data. Google user data is used only to generate report narratives for your account. We do not use Google user data to train generalized AI models.
  • Encrypted storage. OAuth tokens are encrypted at rest using AES-256-GCM. Analytics metrics are stored in association with the report that produced them so historical reports remain viewable.
  • Revocation. You can disconnect a Google account at any time from within Virginia, which deletes the stored tokens and stops all future API calls. You may also revoke access at myaccount.google.com/permissions.

5. Third-Party Services

We rely on the following sub-processors, each receiving only the data needed for its function:

  • Clerk — User authentication. Receives agency user name, email, and session data.
  • Neon (PostgreSQL) — Primary database. Stores all agency, client, report, and encrypted OAuth token data.
  • Google (OAuth, GA4 API, Google Ads API) — Source of analytics data. Receives OAuth authentication events and API requests for the properties you authorize.
  • Google AI (Gemini 2.5 Flash) — Generates narrative report text from aggregate analytics metrics for the report you requested.
  • Resend — Transactional email delivery. Receives the recipient email address and rendered report content.
  • Stripe — Subscription billing. Receives billing email, address, and payment card details.
  • Vercel — Application hosting (US, iad1 region). Receives all application traffic and runtime logs.
  • Trigger.dev — Background job scheduling. Receives job metadata for scheduled report runs.

All application data at rest in Neon resides in the United States.

6. Data Retention and Deletion

  • Agency account data is retained for as long as your account is active.
  • Client records and report history are retained while the agency account is active. You can delete a client at any time, removing all associated data.
  • OAuth tokens are retained until you disconnect the Google account or delete the related client.
  • Billing records are retained for at least seven years to comply with US tax and accounting requirements.
  • Application logs are retained for up to 90 days.

When you close your account, we delete agency account data, client records, reports, and OAuth tokens within 30 days, except for billing records and any data required by law.

7. Security

We use TLS 1.2 or higher for all traffic in transit and encryption at rest for the database. OAuth tokens receive additional AES-256-GCM encryption at the application layer. Access to production systems is restricted to authorized personnel using multi-factor authentication. No system is perfectly secure, but we maintain reasonable and appropriate safeguards.

8. Your Rights and Choices

Depending on where you live, you may have the right to access, correct, delete, or receive a portable copy of your personal information, or to object to or restrict certain processing. Virginia does not sell personal information and does not share it for cross-context behavioral advertising.

To exercise any of these rights, email mason@virginia-i.com. We will respond within 30 days.

If you are an end client (you received a report from an agency using Virginia) and want your data removed, contact the agency directly or email us and we will coordinate with them.

9. Children

Virginia is a B2B product and is not directed to anyone under 16. We do not knowingly collect personal information from children.

10. Changes to This Policy

If we make material changes, we will update the "Last Updated" date and notify active agency users by email at least 14 days before the change takes effect. Continued use of Virginia after a change becomes effective constitutes acceptance.

11. Contact

Questions about your data? Email mason@virginia-i.com — we respond within one business day.

← Back to Virginia