Privacy Policy
Effective date: May 28, 2026
Last updated: May 28, 2026
1. Introduction
Marketing & Production Studio Inc (“we,” “us,” or “our”) operates the 5Clicks AI service (“Service”). This Privacy Policy explains what personal information we collect from users and lead contacts, how we use it, who we share it with, and what rights you have.
By using the Service, you consent to this policy. If you do not agree, do not install or use the Service.
This policy applies to:
- Business users who install 5Clicks AI in their GoHighLevel sub-account (“Users”)
- End-customers whose contact information is forwarded through the Service from Thumbtack, Yelp, or other lead sources (“Lead Contacts”)
2. Information we collect
From you, the User
When you install and use 5Clicks AI, we collect:
- OAuth credentials and tokens for your connected Thumbtack, Yelp, and GoHighLevel accounts (access tokens, refresh tokens, scope grants)
- Account identifiers such as your GoHighLevel location ID and company ID, your Thumbtack business IDs, and your Yelp business identifier
- Profile information returned by those third-party platforms during OAuth (your name, business email, business name)
- Support communications when you email or call us
- Phone numbers registered to your GoHighLevel sub-account (so we can register them with Thumbtack as your “associate phone numbers”)
From Lead Contacts (received through the Service)
When a lead arrives via Thumbtack or Yelp webhook, we receive whatever information that platform sends, typically:
- Name (first and last)
- Phone number (when provided)
- Email address (when provided)
- Service category or job request
- Geographic location of the request
- Message content sent by the lead
- Timestamps and platform-assigned IDs
We do NOT collect Social Security numbers, payment card numbers, government-issued IDs, biometric data, precise GPS location, or health information.
Automatically collected
- Standard server logs (IP address, request path, timestamp, user agent) for operational diagnostics
- Error logs when the Service encounters an issue
3. How we use information
We use the information collected to:
- Operate the Service: forward leads and messages between Thumbtack/Yelp and your GoHighLevel Conversations inbox in real time
- Refresh expiring OAuth tokens so the connection stays active
- Display contact information correctly inside your GoHighLevel sub-account
- Respond to your support requests
- Send important account notices (security alerts, billing changes, planned maintenance)
- Detect and prevent abuse, fraud, and security incidents
- Improve the Service through aggregated, anonymized analytics
We do NOT sell your data or Lead Contact data to anyone, ever. We do NOT use Lead Contact data to send marketing messages on our own behalf.
4. How we share information
We share data only as described below:
Third-party processors (data processors acting on our behalf)
- Vercel Inc. — hosts our application code. Data may transit through Vercel servers (US region).
- Supabase Inc. — hosts our database. All persisted data is stored here, in the AWS us-east-1 region, encrypted at rest.
- Email/SMS service providers — when we send transactional notifications (e.g., onboarding emails, security alerts).
Each processor is bound by a data processing agreement and is contractually limited to processing data only for the purposes we direct.
Service integrations (data flows between platforms)
The Service is a bridge. By using it, you direct us to send the following data to the following parties on your behalf:
- GoHighLevel — Lead Contact information and messages received from Thumbtack/Yelp are written into your GoHighLevel sub-account so they appear in your Conversations inbox.
- Thumbtack — your replies to leads, written inside GoHighLevel, are forwarded to Thumbtack so they reach the lead.
- Yelp (via Zapier) — your Yelp replies are forwarded back through Zapier to Yelp.
These flows are necessary for the Service to function as described in our documentation.
Legal compliance
We may disclose information if required by law, court order, valid subpoena, or to protect our rights, property, or safety, or that of our users or the public.
Business transfers
If we are involved in a merger, acquisition, or sale of assets, your data may transfer to the new owner. You will be notified by email and in-app at least 30 days in advance.
5. Data retention
- OAuth tokens and account data — retained while your account is active and for up to 30 days after uninstalling, then permanently deleted.
- Lead Contact data and message history — retained while your account is active to support the Conversations inbox feature, then deleted within 30 days of account closure.
- Server logs — retained for up to 90 days for operational and security purposes, then deleted.
- Support communications — retained for up to 24 months to maintain service-history context.
- Records required by law (e.g., tax invoices) — retained as long as legally required.
You can request earlier deletion at any time — see Section 7 below.
6. Data security
We take security seriously. Measures include:
- All data in transit is encrypted using TLS 1.2 or higher
- OAuth tokens at rest are encrypted in our Supabase database (AES-256)
- Access to production systems is limited to authorized personnel using multi-factor authentication
- We never log or display full OAuth tokens or passwords
- Webhook payloads from third parties are verified for authenticity using shared secrets or HMAC signatures
No system is 100 percent secure. If a breach affecting your personal information occurs, we will notify you and applicable regulators within the timeframes required by law (typically 72 hours under GDPR; sooner where state law requires).
7. Your rights and choices
Depending on where you live, you may have the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you
- Correction — request that we correct inaccurate information
- Deletion — request that we delete your personal information
- Portability — request your data in a structured, machine-readable format
- Restriction or objection — request that we limit how we process your data
- Withdraw consent — uninstall the app at any time to revoke OAuth access
To exercise any of these rights, email [email protected] from the email address associated with your account. We will respond within 30 days (45 days for California residents, extendable by 45 more if needed).
We will verify your identity before fulfilling a request to prevent unauthorized disclosure.
8. International data transfers
Our servers and processors are located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US, which may have different privacy protections than your home country. By using the Service, you consent to that transfer.
9. California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- The right to know what personal information we collect, use, disclose, and sell
- The right to delete personal information (with some exceptions)
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising)
- The right not to be discriminated against for exercising these rights
To exercise California rights, email [email protected] with subject line CCPA REQUEST.
We do not knowingly collect personal information of California residents under 16 without parental consent.
10. EU / UK / EEA residents (GDPR)
If you are located in the European Economic Area or United Kingdom, your personal information is processed under the GDPR. Our legal basis for processing is:
- Performance of a contract — to provide the Service you signed up for
- Legitimate interest — to operate, maintain, and improve the Service
- Consent — where required (e.g., marketing emails)
- Legal obligation — to comply with applicable law
You have rights to access, rectify, erase, restrict, object, and port your data, and to lodge a complaint with your local data protection authority.
Email [email protected] to exercise these rights.
11. Children’s privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with information, email [email protected] and we will delete it.
12. Cookies and tracking
The 5Clicks AI backend service does not use cookies. Our public website at 5clicks-ai.com may use essential cookies for site functionality and analytics cookies (e.g., to count visitors). The site’s cookie banner provides more detail and lets you opt out where applicable.
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect the most recent change. Material changes will be communicated by email and/or in-app notice at least 14 days before they take effect.
14. Contact us
For privacy questions, data requests, or concerns:
Marketing & Production Studio Inc
Email: [email protected]
Phone: +1 646-956-2590
Mailing address: 375 76th str, Brooklyn, NY, 11209
For general support: [email protected]
15. Operating domains
The 5Clicks AI service is delivered via two technical domains operated by Marketing & Production Studio Inc:
- 5clicks-ai.com — public-facing brand site, documentation, privacy, terms, and support.
- api.umarketing.us — secure backend infrastructure handling OAuth authentication, webhook ingestion, and data forwarding. UMarketing is a brand of Marketing & Production Studio Inc.
Both domains are operated by the same legal entity and are covered by this Privacy Policy. You may see api.umarketing.us briefly during the OAuth authorization flow when connecting your Thumbtack, Yelp, or GoHighLevel accounts — this is expected and the data handling is identical regardless of which domain is shown.
