Privacy Policy

    Last updated: June 30, 2026

    1. Introduction

    Honno ("we", "us", "our") operates the Honno platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

    2. Information We Collect

    Account Information

    When you create an account, we collect your email address and any profile information you provide (e.g., company name).

    Integration Data

    When you connect third-party services (such as Google Ads, Shopify, TikTok Ads, HubSpot, or Notion), we access and store data from those platforms solely to provide analytics and insights. This includes metrics such as ad spend, revenue, impressions, and other business performance data. We do not access data beyond the scopes you explicitly authorize.

    Google Ads Data

    When you connect your Google Ads account, we request only the https://www.googleapis.com/auth/adwords scope. We collect the following data exclusively for analytics and reporting purposes:

    • Campaign metrics: Campaign names, status, spend, impressions, clicks, conversions, cost-per-click, and click-through rates
    • Ad group performance: Ad group names, impressions, clicks, and conversions for your top-performing ad groups
    • Calculated metrics: Return on ad spend (ROAS), wasted spend (spend on campaigns with zero conversions), and daily spend trends

    We do not access or store personally identifiable information about your ad viewers or customers. We do not modify, create, or delete any campaigns or ads in your Google Ads account — access is strictly read-only.

    Google Analytics Data

    When you connect your Google Analytics 4 property, we request only the https://www.googleapis.com/auth/analytics.readonly scope. We collect the following data exclusively for analytics and reporting purposes:

    • Traffic metrics: Sessions, active users, new users, and traffic sources by channel group
    • Engagement metrics: Bounce rate, average session duration, engagement rate, pages per session, and screen page views
    • Conversion events: Event counts for purchase, sign-up, lead generation, add-to-cart, and checkout events
    • Page performance: Top pages by views, user count, session duration, and bounce rate
    • Device breakdown: Sessions, bounce rate, and session duration by device category (desktop, mobile, tablet)
    • Daily trends: Sessions, active users, and conversions over the selected date range

    We do not access personally identifiable information about your website visitors. All data is retrieved via the GA4 Data API runReport method, which returns only aggregated, anonymised metrics. We do not modify any Google Analytics settings, properties, or data streams — access is strictly read-only.

    Usage Data

    We collect information about how you interact with the platform, including AI chat message counts and feature usage, to enforce plan limits and improve our service.

    Payment Information

    Payment processing is handled by Stripe. We do not store your credit card details. Stripe's privacy policy governs how your payment information is handled.

    3. How We Use Your Information

    • To provide, maintain, and improve the Honno platform
    • To generate AI-powered business insights and analytics from your connected data sources
    • To manage your account, subscriptions, and billing
    • To send transactional emails such as alert notifications, daily summaries, and weekly reports (based on your preferences)
    • To enforce usage limits based on your subscription plan
    • To respond to your inquiries and provide customer support

    4. Data Security & Encryption

    We take data security seriously. All data is encrypted at rest and in transit using industry-standard protocols.

    OAuth Token Encryption

    OAuth access tokens and refresh tokens for all connected integrations (including Google Ads) are encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode) before being stored in our database. Encryption keys are derived using PBKDF2 with a unique salt per user, ensuring that even in the event of a database breach, tokens cannot be decrypted without the corresponding key material managed within our secure backend functions. Encryption keys support rotation, and old keys are invalidated upon rotation.

    API Permissions & Scope Justification

    All integrations request the minimum OAuth scopes required:

    • Google Adshttps://www.googleapis.com/auth/adwords (restricted scope). While this scope technically permits read and write access, Honno exclusively performs read-only operations — specifically, googleAds:search queries via the Google Ads API to retrieve campaign metrics, ad group performance, and spend data. A narrower read-only scope does not exist for the Google Ads API, which is why the broad adwords scope is required. No campaigns, ad groups, budgets, or account settings are ever created, modified, or deleted.
    • Google Analytics 4https://www.googleapis.com/auth/analytics.readonly (sensitive scope). This scope grants read-only access to Google Analytics reporting data. Honno uses only the runReport method of the GA4 Data API to retrieve aggregated traffic, engagement, conversion, and device metrics. No Analytics properties, data streams, or settings are modified.

    We do not request BigQuery, Cloud Storage, or Cloud Platform scopes for either integration.

    5. Third-Party AI Services

    Honno uses third-party artificial intelligence services to power its AI chat, automated insights, anomaly detection, and business analysis features. Specifically, we use:

    • Google Gemini (models including Gemini 2.5 Pro and Gemini 3 Flash) — provided by Google
    • Anthropic Claude (Claude Sonnet 4.5) — provided by Anthropic

    When you use AI-powered features, relevant business data from your connected integrations may be sent to these providers to generate responses and insights. These providers process data solely to fulfil your request and do not retain it for their own training purposes. No personally identifiable information beyond what is necessary for the AI query is transmitted. Paid plan users (Starter and above) can choose their preferred AI model; free plan users are assigned a default model.

    6. Data Sharing

    We do not sell your personal data. We share data only with:

    • Service providers: Stripe for payment processing; Google (Gemini) and Anthropic (Claude) for AI-powered insights and chat (data is not retained by these providers beyond processing your request)
    • Legal requirements: When required by law, regulation, or legal process

    7. Your Rights & Data Control

    You have full control over your data:

    • Disconnect integrations: You can disconnect any connected service at any time, which revokes our access to that platform's data
    • Delete your account: You can permanently delete your account and all associated data from the Settings page. This removes your profile, integrations, insights, notifications, and usage data
    • Export data: You can request a copy of your data by contacting us
    • Email preferences: You can control alert and summary email preferences from the Alerts settings page

    8. Data Retention

    We retain your data for as long as your account is active. Integration data — including metrics from Google Ads (campaign spend, clicks, impressions, ROAS) and Google Analytics 4 (traffic sources, active users, session duration, bounce rates, conversions, device breakdown, and top-page performance) — is refreshed during each sync cycle. Older metric snapshots are replaced with the latest data, meaning we retain only the most recent sync snapshot per integration. Historical trend data is derived from these snapshots and not stored indefinitely.

    Google Analytics 4 data specifics: GA4 metric snapshots include aggregated, non-personally-identifiable statistics retrieved via the runReport method. These snapshots cover traffic & engagement metrics, conversion counts, device categories, and page-level performance. No raw Google Analytics user-level data or personally identifiable information is stored — only aggregated report outputs.

    When you disconnect any integration (including Google Ads or Google Analytics 4), all stored metrics, encrypted OAuth tokens, and encryption keys associated with that integration are permanently deleted immediately.

    When you delete your account, all personal data — including profiles, integration credentials, insights, notifications, and usage records — is permanently and irreversibly removed from our systems.

    9. Google API Limited Use Disclosure

    Honno's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

    This disclosure applies to data received from both the Google Ads API (via the adwords restricted scope) and the Google Analytics Data API (via the analytics.readonly sensitive scope).

    Specifically, Honno:

    • Only uses Google Ads and Google Analytics data to provide and improve the user-facing analytics features described in this policy (campaign performance dashboards, traffic and engagement widgets, conversion funnel analysis, AI-generated insights, and alerting)
    • Does not transfer Google API data to third parties unless necessary to provide or improve the app's user-facing features, to comply with applicable laws, or as part of a merger/acquisition with adequate data protection commitments
    • Does not use Google API data for serving advertisements, including retargeting, personalised, or interest-based advertising
    • Does not allow humans to read Google API data unless: (a) the user has provided affirmative consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymised for internal operations

    10. Cookies

    We use essential cookies and local storage for authentication sessions and theme preferences. We do not use third-party tracking cookies or advertising cookies.

    11. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or an in-app notification. Continued use of the platform after changes constitutes acceptance of the updated policy.

    12. Contact Us

    If you have questions about this Privacy Policy or your data, please contact us at [email protected].