Legal
Google Business Profile API usage
Last updated: 2026-04-27
This page transparently describes how Ma Belle Note (SBCQ SAS) uses the Google Business Profile API and what data it accesses on behalf of its merchant customers. It complements the Privacy Policy (GDPR) and Terms of Use (contractual) by focusing exclusively on the Google integration.
01 What Ma Belle Note does with your Google account
When you connect your Google account to Ma Belle Note, the product accesses your Google Business Profile listings to perform, on your behalf and with your explicit authorization, three strictly scoped operations:
- List the locations your Google account is allowed to manage, so you can pick the ones you want to operate inside Ma Belle Note.
- Read the reviews posted on the selected locations, to display them inside your private dashboard.
- Publish your replies to those reviews, after you have approved each reply (copilot mode) or explicitly turned autopilot on for a given location.
No other operation is performed. We do not modify your listing's content (name, address, hours, photos, posts, Q&A), we do not create new listings, we do not delete reviews, and we do not touch your Google account settings.
02 Which scopes are requested and why
- https://www.googleapis.com/auth/business.manage
  Strictly required for the three operations above: list your locations, read the reviews posted on them, and reply to those reviews on your behalf. This scope is only applied to listings you own or are recognized as a manager of by Google.
- openid, email, profile
  Standard OAuth identity scopes. Used solely to identify which Google account you connected and to display the associated email address inside the 'Settings → Google connection' page so you can recognize the linked account at a glance. No marketing use, no resale.
03 How your consent is obtained
The Google authorization flow is never triggered in the background. It only runs when you explicitly click 'Connect Google Business Profile' inside the application.
Before the Google consent screen appears, Ma Belle Note shows you an in-app explanation listing the two operations that will be performed on your behalf: read your reviews and publish your replies. You then grant access on Google's official consent screen, which lists the requested scopes.
For each location you wish to switch to autopilot (auto-publishing of replies to 4-5 star reviews), an additional explicit opt-in is required in that location's settings. Autopilot is OFF by default and is never enabled silently.
04 Compliance with the Google API terms
- No automation without consent: every reply published on Google originates either from a human approval in copilot mode, or from a location for which you have explicitly enabled autopilot. No action is ever triggered without prior consent.
- No third-party programmatic access: only authenticated owners of a listing can see their own data through their own session in the product. We do not expose API access to third parties through our Google project.
- Cache capped at 30 days: reviews and replies are cached for less than 30 days for performance reasons. Beyond that, data is refreshed from Google. We do not aggregate or transform reviews in a way that would prevent Google from tracking or revoking access.
- Strict authorization scope: we only operate on listings your Google account is authorized to manage. No scraping, no access to third-party listings, no Place ID guessing.
- No prohibited operations: we do not create, modify, or delete reviews left by end customers. The only write operations we perform are replies to reviews on your own listings.
05 How to revoke access
You can stop Ma Belle Note's access to your Google account at any time, in two ways:
- From your Ma Belle Note settings: open 'Settings → Google connection' and click 'Disconnect' on the relevant location. The tokens we store are immediately deleted.
- From your Google account: visit https://myaccount.google.com/permissions, select Ma Belle Note in the list of connected apps, and click 'Remove access'.
Revocation immediately stops synchronization. Historical data already imported into Ma Belle Note remains accessible read-only in your dashboard — no reply can be published until the connection is re-established.
06 Token storage and security
- OAuth tokens (access token, refresh token) are encrypted at rest in our database.
- They are never exposed to the browser, never sent to a third party, never included in an email or a log.
- Only backend services strictly required for syncing and publishing can decrypt them, for the duration of a single API call.
- A revocation on Google's side automatically triggers the deletion of the tokens on our side at the next failed call.
07 Contact
For any question regarding this Google API usage or to report a concern, please contact us at [email protected]. We respond within 5 business days.
This page is updated whenever our Google integration changes. Any significant evolution (new scope, new operation, change in storage) will be reflected here.
