Privacy Policy
Last updated: June 15, 2026 · Effective: June 18, 2026
Daxoom is a product of Citroot LLC, a California limited liability company ("Daxoom", "we", "us", "our"). This Privacy Policy explains what information we collect, how we use and protect it, and the choices you have. It applies to www.daxoom.com, the Daxoom application at app.daxoom.com, and the Daxoom API and MCP services (together, the "Service").
1. Who we are and how to contact us
Citroot LLC, 2108 N St, Ste N, Sacramento, CA 95816, USA. Privacy enquiries: [email protected]. General contact: [email protected].
2. Information we collect
Information you provide
- Account data — name, email address, password (stored only as a salted hash), and business/partner details you enter.
- Business profile data — the business name, locations, contact details, hours, categories, offerings, menus, prices, attributes, descriptions, and media you publish to your Daxoom profile.
- Billing data — handled by our payment processor (Stripe). We store a customer/subscription reference, never your full card number.
- Support communications — messages you send us.
Information from Google (only if you choose to connect Google)
If you select "Sign up with Google Business Profile" or "Import from Google Business Profile", you authorize Daxoom through Google OAuth. With your consent we access:
- Google Business Profile data (scope
https://www.googleapis.com/auth/business.manage) — your business locations and their facts: name, address, phone numbers, website, primary and additional categories, regular and special hours, attributes, descriptions, and public listing metadata. - Basic Google account info (scopes
email,profile), used only when you sign in to Daxoom with Google, to identify your account.
We request the narrowest scope Google offers for this purpose. Google publishes business.manage as the only Business Profile OAuth scope; there is no read-only equivalent, so we request it but limit our actual use to reading the fields above.
Information collected automatically
- Basic log and device data (IP address, browser type, timestamps) for security and reliability.
- We do not use third-party advertising trackers.
3. How we use information
- To create, prefill, and maintain your owner-controlled business profile so AI assistants and agents can answer questions from a source you control.
- To verify your ownership of a business when you connect Google.
- To operate, secure, and improve the Service, and to provide support.
- To process subscriptions and send service-related email.
We use Google user data only to provide and improve these user-facing features. We do not use it for advertising, and we do not sell it.
Google API Services — Limited Use
Daxoom's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties except as necessary to provide or improve the user-facing features you request, to comply with applicable law, or as part of a merger or acquisition. We do not use Google user data for serving advertisements, and no humans read it except with your explicit consent, for security, to comply with law, or where the data is aggregated and anonymized.
4. How we share information
- Publicly, at your direction. The business facts you publish (hours, services, prices, menus, etc.) are intended to be public and are served through the Daxoom profile, API, and MCP server. OAuth tokens and your Google account email are never published.
- Service providers who process data on our behalf under contract — e.g. Stripe (payments), our cloud and email infrastructure. They may use the data only to perform services for us.
- Legal and safety reasons, when required by law or to protect rights and safety.
- Business transfers — in connection with a merger, acquisition, or asset sale, subject to this Policy.
We never sell your personal information or your Google user data.
5. Data retention and deletion
- We keep account and profile data while your account is active and as needed to provide the Service.
- Google OAuth tokens are stored encrypted at rest (AES-256-GCM) and are used only for owner-authorized import or re-sync. If you disconnect Google or delete your account, we delete the stored tokens.
- You can request deletion of your account and associated personal data at any time by emailing [email protected]; we will delete it within 30 days, except where retention is required by law.
6. Your choices and how to revoke access
- Disconnect Google. You can revoke Daxoom's access to your Google account at any time from your Google Account → Third-party access page. You may also email us to disconnect it for you.
- Access, correct, or delete your data — contact [email protected].
- California residents have rights under the CCPA/CPRA, including the right to know, delete, correct, and to opt out of "sale"/"sharing" (we do neither). We do not discriminate against you for exercising these rights.
7. Security
We protect data in transit with TLS and protect sensitive secrets (including Google OAuth tokens) with authenticated encryption at rest. No method of transmission or storage is perfectly secure, but we work to protect your information and limit access to it.
8. International users
We operate in the United States. If you access the Service from outside the U.S., you consent to processing your information in the U.S.
9. Children
The Service is for businesses and is not directed to children under 13, and we do not knowingly collect their data.
10. Changes to this Policy
We may update this Policy. Material changes will be reflected by the "Last updated" date and, where appropriate, additional notice. Continued use after changes means you accept the updated Policy.
11. Contact
Citroot LLC (Daxoom) · 2108 N St, Ste N, Sacramento, CA 95816 · [email protected]