Privacy policy
Last updated: May 23, 2026
hubnativo ("hubnativo", "we", "our") operates the SaaS atapp.hubnativo.com that helps WordPress operators produce SEO content. This policy explains what data we collect, how we use it, and the rights you have over it.
1. Data we collect
1.1 Account data
When you sign up we store: email address, hashed password (via Supabase Auth), tenant name, and the timestamps of your account activity. We never store passwords in plaintext.
1.2 Workspace data
For each blog you add we store: blog name, WordPress URL, your editorial documents (voice, structure, linking rules), the article queue, generated articles, AI usage logs, and pipeline cost records.
1.3 API credentials (encrypted at rest)
You provide your own API keys for Anthropic, OpenAI, Gemini, DeepSeek (BYOK), WordPress Application Passwords, and OAuth refresh tokens for Google Search Console / Google Analytics. All credentials are encrypted at rest with pgcrypto (pgp_sym_encrypt) using a server-only key. We never display the plaintext value back to you after saving. Credentials are only decrypted in-memory at the moment a request to that provider is made on your behalf.
1.4 Data from Google APIs
When you connect Google Search Console (GSC) or Google Analytics 4 (GA4) we receive, via OAuth with scopes webmasters.readonly and analytics.readonly:
- The list of verified properties on your Google account (so you can pick which one to link to a blog).
- Search performance data for the property you select: queries, impressions, clicks, CTR, average position, country, device, date.
- GA4 traffic metrics for the property you select: sessions, users, page views, source/medium, dates.
- The OAuth refresh token, encrypted at rest, used to renew access without re-prompting you.
2. How we use Google user data — Limited Use compliance
hubnativo's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, GSC + GA4 data is used only to:
- Display search and traffic metrics in YOUR dashboard.
- Identify content gaps and ranking opportunities for YOUR blog.
- Drive the meta description optimizer and the featured snippet finder for YOUR articles.
- Detect content that is decaying in rank so we can suggest refreshes for YOUR blog.
We do not:
- Transfer Google user data to third-party AI tools to train models. AI calls we make on your behalf use YOUR API keys (BYOK) and operate only on titles or content you generate, never on raw GSC/GA4 datasets sent to the AI provider.
- Sell, lease, or rent your data to any party.
- Use your Google data for advertising or personalized advertising.
- Allow humans on our team to read your Google data, except when (a) you give us explicit written permission to debug a specific issue, (b) we are legally compelled, or (c) we need it to investigate security incidents or platform abuse.
3. Third-party AI providers (BYOK)
When you provide your own API keys (Anthropic, OpenAI, Gemini, DeepSeek), we make requests to those providers on your behalf, using your account. The content of those requests is governed by each provider's own privacy policy:
4. WordPress publishing
When you provide a WordPress Application Password, we use it to authenticate with YOUR WordPress site's REST API to (a) read posts you ask us to inventory, (b) publish drafts the pipeline generates, (c) push edits you make in our visual editor. We do not access posts, users, or settings beyond what is necessary for these operations.
5. Cookies and sessions
We use first-party cookies set by Supabase Auth to keep you signed in. We also set a small preference cookie (wcr_active_blog_id) to remember which blog is the active one across tabs. We do not use third-party tracking cookies. We do not run advertising or analytics scripts on the SaaS dashboard.
6. Data sharing
We share data with the following processors, under data processing agreements that bind them to use the data only to provide their service:
- Supabase (database hosting, authentication) — stores your account, workspace data, encrypted credentials.
- Vercel (web hosting) — serves the app; logs requests for operational purposes.
- Hetzner / Cloudways (server hosting for the editorial orchestrator and the test WordPress site we use ourselves).
- The AI/Google providers you elect to connect, as described above.
We do not share, sell, or transfer your data to any other party.
7. Data retention
We retain your workspace data for as long as your account is active. If you delete your account (email us, see Section 11), we delete your tenant, blogs, editorial documents, articles, credentials, and any cached Google API responses within 30 days. Backups containing your data are purged on a rolling 90-day window.
8. Your rights
Regardless of where you live, you can ask us to:
- Export a copy of all data we hold about you (JSON download).
- Delete your account and all associated data.
- Correct any inaccurate data we hold.
- Revoke our access to your connected Google account (do this directly at myaccount.google.com/permissions — your access tokens become invalid immediately).
Email alex@hubnativo.com to exercise any of the above.
9. Security
Credentials are encrypted at rest with AES-256 via PostgreSQL pgcrypto. Database access is restricted to the application servers via Supabase Row-Level Security. The server-side encryption key is held in environment variables, not in the database. We operate over HTTPS exclusively, with Strict-Transport-Security enabled.
If we ever experience a security incident affecting your data, we will notify you by email within 72 hours of discovery.
10. Children
hubnativo is a B2B tool not directed at children under 16. We do not knowingly collect data from minors.
11. Contact
Questions, requests, complaints: alex@hubnativo.com
12. Changes
We may update this policy. The "Last updated" date at the top reflects the most recent change. Material changes are notified by email to all active users.