Privacy Policy

This Privacy Policy explains how Rolodax Inc. ("Rolodax," "we," "us," "our") collects, uses, and discloses information when you use our website at www.rolodax.com, our partner dashboard at linkhub.rolodax.com, and related services (collectively, the "Service"). By using the Service you agree to this Policy.

Contents

1. Information we collect
2. How we use information
3. How we share information
4. Google API services compliance
5. Cookies and similar technologies
6. Data security
7. Data retention
8. Your rights and choices
9. Children's privacy
10. International data transfers
11. Changes to this Policy
12. Contact us

1. Information we collect

Information you provide directly

• Account information: name, email address, password (stored hashed), phone number, profile photo.
• Business profile information: business name, address, phone, hours, categories, website, description, logos and photos you upload.
• Reviews and feedback: when you submit a review on a listing, we collect your name, email (to verify the review is genuine), star rating, review text, and any attachments.
• Communications: messages you send us via contact forms, email, or phone.
• Billing information: our payment processor (Square) collects card and billing details on our behalf. Rolodax does not store full payment card numbers — we receive a tokenised reference and metadata (last four digits, brand, expiry month/year, billing ZIP).

Information collected via authorised third-party connections

If you choose to connect a third-party platform (for example, Google Business Profile) to your Rolodax account, we collect and store, with your explicit consent:

• OAuth access and refresh tokens issued by the third party. These are encrypted at rest and used to make authorised API calls on your behalf — for example, reading your current business listing or pushing updates you initiate from Rolodax.
• The third-party account identifier and selected listing identifier (e.g. your Google Business Profile location ID).
• Business data returned by the third-party API: business name, address, phone, hours, categories, website, photos, and ratings — used for entity-audit comparisons and the Directory Push feature.

You can revoke these connections at any time from your dashboard, which deletes the stored tokens immediately. See Google API services compliance for additional disclosures specific to Google data.

Information collected automatically

• Usage data: pages viewed, features used, referrer, IP address (truncated for analytics), user agent, language, timezone, and timestamps.
• Directory analytics: impressions and clicks on listings, embedded widgets, and partner backlinks.
• Device information: browser type, operating system, screen size.
• Cookies: see the Cookies section.

2. How we use information

We use the information described above to:

• Provide, operate, and maintain the Service, including authentication and account management.
• Process subscription payments and send billing-related communications.
• Verify the authenticity of reviews submitted to listings.
• Detect inconsistencies between your Rolodax profile and connected third-party platforms ("entity audit"), and — when you initiate — push updates from Rolodax to those platforms.
• Send transactional emails (account verification, password reset, billing receipts, subscription notices, review notifications).
• Provide aggregated analytics about how your listing and embeds are performing.
• Improve the Service, debug, and protect against fraud or abuse.
• Comply with legal obligations.

We do not sell your personal information. We do not use information collected via third-party connections (including any Google user data) for advertising or for building user profiles unrelated to the Service.

3. How we share information

We share information only in the following circumstances:

• Service providers acting on our behalf, under contract, with limited access for specific purposes:
  • Square — payment processing.
  • SMTP and transactional email providers — sending account, billing, and notification emails.
  • Hosting and infrastructure providers — running the Service.
  • Anti-spam / reCAPTCHA — protecting forms from automated abuse.
• Third-party platforms you authorise. When you connect a platform (e.g. Google Business Profile) and use the Directory Push feature, we send the relevant business information you have configured in Rolodax to that platform's API. The third party's use of that data is governed by its own terms.
• Public listings. Information you make public on your Rolodax business profile (name, address, phone, hours, photos, reviews) is displayed to anyone who visits the directory.
• Aggregated or de-identified data. We may share statistics that don't identify any individual.
• Legal requirements. If required by law, subpoena, court order, or to protect rights and safety.
• Business transfers. In the event of a merger, acquisition, or asset sale, your information may transfer; you will be notified.

4. Google API services compliance

When you connect a Google account to Rolodax for the Directory Push feature, Rolodax's use of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements.

Scopes we request

• https://www.googleapis.com/auth/business.manage — to read your business locations (so we can show you which listing is connected) and to push updates you initiate from Rolodax to your Google Business Profile.

Limited Use disclosure

Information obtained from Google APIs is used only to provide and improve the features you explicitly enable. Specifically:

• We will not transfer Google user data to third parties, except as necessary to provide or improve the Service in your dashboard, or to comply with applicable law.
• We will not use Google user data for serving advertisements, including retargeting or interest-based ads.
• We will not allow humans to read Google user data, except (a) with your explicit consent for specific support cases you raise; (b) for security investigations to comply with applicable law; or (c) when the data has been aggregated and anonymised.

Revoking access

You can disconnect Google from Rolodax at any time from your partner dashboard (Connected Platforms → Disable push), or directly from your Google account permissions page. Disconnecting deletes the stored OAuth tokens immediately. Business data already imported into your Rolodax profile remains under your control and can be deleted via your account settings.

5. Cookies and similar technologies

We use cookies for:

• Strictly necessary cookies — session management, authentication, CSRF protection. These are required for the Service to function.
• Functional cookies — remembering preferences such as language or selected company in the dashboard.
• Analytics cookies — first-party measurement of which features are used. Aggregated and not used to identify individuals.

Most browsers let you control cookies through their settings. Disabling essential cookies will prevent you from signing in.

6. Data security

We use industry-standard safeguards to protect your information, including TLS for data in transit, encrypted storage of sensitive credentials (including third-party OAuth tokens), access controls, and regular security reviews. No method of transmission or storage is 100% secure; we encourage you to use a strong, unique password and to enable any available account-protection features.

7. Data retention

We retain account and business information for as long as your account is active. When you close your account, we delete or anonymise personal data within 90 days, except where retention is required for legal, accounting, or fraud-prevention purposes (e.g. billing records). Third-party OAuth tokens are deleted immediately upon disconnect.

8. Your rights and choices

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Delete your personal information, subject to certain exceptions.
• Export a portable copy of your data.
• Object to or restrict certain processing.
• Withdraw consent for processing based on consent (e.g. third-party connections).
• Lodge a complaint with a supervisory authority.

Most of these actions are available directly from your dashboard. For anything you can't do yourself, email privacy@rolodax.com and we will respond within 30 days.

California residents (CCPA / CPRA)

We do not sell personal information. California residents have the right to know what categories of personal information we collect, to delete it, to correct it, and to opt out of any "sharing" for cross-context behavioural advertising — which we do not engage in.

EU/UK/EEA residents (GDPR)

Our legal bases for processing are: performance of a contract (account and billing), legitimate interests (security, analytics, service improvement), consent (third-party integrations, marketing emails), and legal obligations.

9. Children's privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@rolodax.com and we will delete it.

10. International data transfers

Rolodax is based in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., which may have different data-protection laws than your jurisdiction. By using the Service, you consent to this transfer.

11. Changes to this Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top and, for material changes, provide additional notice (e.g. by email or a prominent banner). Continued use of the Service after the effective date of the updated Policy constitutes acceptance.

12. Contact us

For privacy questions, requests, or complaints:

Rolodax Inc.
Privacy team
Email: privacy@rolodax.com
Support: hello@rolodax.com