Privacy Policy

Last updated: May 10, 2026

1. Who we are

OMG Bridge is operated by WODO Digital (referred to as "WODO", "we", "us", or "our"). OMG Bridge is a service that connects Google Search Console, Google Analytics 4, and Google Business Profile data to AI assistants via the Model Context Protocol (MCP). This Privacy Policy describes how we handle information you provide when you use bridge.theomg.ai.

2. Data we collect

When you sign in with Google, we collect and store:

  • Your Google account email address
  • Your Google account display name
  • Your Google profile picture URL
  • Your Google account ID
  • An OAuth refresh token and short-lived access token issued by Google (so we can call Google APIs on your behalf)
  • The list of Google Search Console properties, GA4 properties, and Google Business Profile locations associated with your account

We also keep operational logs of MCP tool calls (which tool was called, which property, and the response time) so we can enforce usage quotas, debug issues, and show you usage analytics. These logs do not contain the content of search queries or GA4 reports.

3. Google API scopes we request

We only request the minimum scopes needed to read your data. We never request write access to your search analytics or analytics data:

  • openid, email, profile — to identify your account
  • webmasters.readonly — to read your Google Search Console data
  • analytics.readonly — to read your Google Analytics 4 reports
  • business.manage — to read your Google Business Profile locations, reviews, and performance data (used in read-only mode)

You explicitly consent to these scopes on Google's consent screen before we receive any tokens.

4. How we store your data

Your Google OAuth refresh token and access token are encrypted at rest using AES-256-GCM with a key held only on our application servers. Tokens are never written to logs, never returned in API responses, and never visible in our admin dashboard.

API keys you generate for Claude Desktop or Cursor are stored as SHA-256 hashes — we cannot recover the plaintext key once you have closed the "copy key" dialog. Account passwords are not stored at all because authentication is handled entirely through Google OAuth.

5. How we use your data

We use your data only to:

  • Respond to MCP tool calls from AI sessions you have explicitly authorized (Claude.ai, ChatGPT, Claude Desktop, Cursor, or any other MCP-compatible client)
  • Enforce per-plan usage limits and bill paid plans correctly
  • Show you your own usage history and connected properties on the dashboard
  • Diagnose errors, prevent abuse, and improve reliability of the service

We do not train AI models on your data, we do not aggregate your data with other customers, and we do not use your data for advertising.

6. Sharing and third parties

We do not sell your data and we do not share it with third parties for marketing or analytics. The only third parties that touch your data are infrastructure providers we need to run the service:

  • Google LLC — the source of all GSC, GA4, and GBP data; we call Google's APIs on your behalf
  • Stripe, Inc. — payment processing for the Annual plan; Stripe receives your email and billing details only when you check out
  • Our hosting and database providers — for compute, storage, and email; bound by data processing agreements

Each AI client you authorize (e.g., Claude.ai) receives only the scoped tool responses you ask for — never your refresh token or your underlying Google credentials.

7. Your rights and controls

You can, at any time:

  • Disconnect your Google account from the OMG Bridge dashboard, which deletes your stored tokens immediately
  • Toggle individual GSC, GA4, or GBP properties off so they are no longer accessible to your AI tools
  • Revoke a previously issued OAuth client (e.g., Claude.ai) from your dashboard so it can no longer call our MCP endpoint on your behalf
  • Revoke OMG Bridge entirely from your Google account's security settings: myaccount.google.com/permissions
  • Request export or deletion of all data we hold about you by emailing us

Account deletion removes your tokens, properties, API keys, and usage logs from our active database. Encrypted backups are rotated out within 30 days.

8. Cookies

We use a small number of strictly necessary cookies and equivalent local storage entries:

  • gsc_session — your signed session JWT (expires after 30 days)
  • oauth_state, oauth_next — short-lived CSRF protection during the Google OAuth flow

We do not use analytics cookies, advertising cookies, or any third-party tracking pixels.

9. Security

We follow industry-standard practices: TLS in transit, AES-256-GCM for refresh tokens at rest, SHA-256 hashes for API keys, PKCE for our OAuth flows, per-user rate limiting, and the principle of least privilege for both Google scopes and internal access. If you believe you have found a security issue, please contact us using the email below.

10. Data location and retention

Data is stored on infrastructure located in the European Union and the United States. We retain your data while your account is active. When you delete your account, we remove your data from production within 7 days and from backups within 30 days, except where we are required to retain billing records for tax and accounting compliance.

11. Children

OMG Bridge is not directed at children under 16, and we do not knowingly collect data from anyone in that age range.

12. Changes to this policy

If we make material changes, we will update the "Last updated" date above and notify active users by email at least 7 days before the change takes effect.

13. Contact

For privacy questions, data export requests, or deletion requests, email us at privacy@theomg.ai.

See also our Terms of Service.