Privacy Policy

Effective date: May 1, 2026 · Last updated: May 1, 2026

1. Who we are

Silver Path Marketing ("Silver Path", "we", "us") operates the Marketing Automation Tracker ("MAT" or "the Service"), a marketing analytics and CRM platform hosted at https://app.silverpathmarketing.com. MAT is provided to our agency clients ("Customers") and their authorized end users.

Contact: eagan@silverpathmarketing.com
Mailing address: 2624 Monroe St. #209, Madison, WI 53711

2. Scope of this policy

This policy describes how MAT collects, uses, stores, and shares personal information when:

Customers and their team members log into the MAT dashboard
Customers connect third-party accounts (Google, Facebook, Twilio, Ahrefs, Namecheap, Resend, AWS) to enrich their analytics
Anonymous visitors browse a website that runs the MAT tracking pixel
A visitor identifies themselves by submitting a form, booking a call, or calling a tracked phone number

For tracked end-user visitors, the Customer (the website owner) is the data controller and Silver Path is a data processor acting on the Customer's behalf.

3. Information we collect

Account data (Customers and team users). Email, name, hashed password (bcrypt), role, site assignments, session tokens.

Connected-account data. When a Customer connects a Google account through OAuth, we receive an access token, a refresh token, and the email address of the connected Google account. Tokens are encrypted at rest using AES-256-GCM. We never receive or store the Customer's Google password.

Data accessed via Google APIs. With the Customer's explicit consent, MAT uses the following Google scopes:

https://www.googleapis.com/auth/webmasters.readonly — read Search Console performance data (queries, pages, clicks, impressions, position)
https://www.googleapis.com/auth/analytics.readonly — read Google Analytics 4 reports (sessions, channels, landing pages, events)
https://www.googleapis.com/auth/adwords — read Google Ads campaigns, ad groups, keywords, search terms, and conversions; upload offline conversions back to the Customer's Google Ads account
userinfo.email and userinfo.profile — identify which Google account is connected so the Customer can confirm and disconnect it

Tracked visitor data (collected on Customer websites). A first-party cookie (_mat_id), pageviews, time on page, referrer, UTM parameters, click identifiers (GCLID, FBCLID, MSCLKID), IP-derived country and region, and form submissions.

Call and SMS data. Call recordings, transcripts (Deepgram and Anthropic Claude), AI-generated summaries, and SMS message bodies for tracked phone numbers provisioned through Twilio.

Cookies. A first-party _mat_id cookie for visitor identification, a _mat_consent cookie for consent state, and a session cookie for dashboard login.

4. How we use information

Display analytics, attribution, CRM, SEO, and ad-performance reports inside the Customer's MAT workspace
Tie anonymous web sessions to identified contacts when those contacts submit a form or take a tracked action
Enrich GCLID click data with Google Ads keyword and search-term details
Upload offline conversions to Google Ads and Facebook (Conversions API) when the Customer maps deal stages to conversion events
Process inbound calls and SMS, transcribe and summarize them, and route them to the Customer
Send transactional emails (password resets, welcome) and, with separate consent, marketing emails on the Customer's behalf
Operate, secure, and improve the Service

We do not use Google user data for advertising, do not sell it, and do not share it with anyone other than the subprocessors listed below.

5. Limited Use of Google user data

MAT's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we do not:

Use Google user data to serve advertisements
Allow humans to read Google user data, except (a) with the user's affirmative consent for specific messages, (b) when necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data is aggregated and anonymized for internal operations
Transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users

6. Legal bases (GDPR / UK GDPR)

Where applicable, we rely on:

Contract — to provide the Service to Customers
Consent — for marketing email, SMS, call recording, and (where required) website analytics cookies
Legitimate interest — to secure the Service, prevent fraud, and improve features

7. Sharing and subprocessors

We share data with vendors who process it on our behalf under written contracts:

Vendor	Purpose
Amazon Web Services (AWS)	Hosting, database, email sending (SES), SNS bounce and complaint webhooks
Resend	Transactional email delivery (password resets, welcome emails)
Twilio	Call routing, recording storage, SMS messaging, 10DLC brand and campaign registration
Deepgram	Call audio transcription
Anthropic	AI summarization, lead scoring, intent analysis, content generation, brand extraction
Google LLC	OAuth, Search Console, Analytics 4, Google Ads APIs
Meta Platforms, Inc.	Facebook OAuth, Marketing API, Conversions API
Ahrefs Pte. Ltd.	Keyword volume, SERP, and backlink data
Namecheap, Inc.	Domain availability lookups for landing-page publishing

We may add or replace subprocessors from time to time. Material additions will be posted on this page; Customers may subscribe to subprocessor change notifications by emailing eagan@silverpathmarketing.com.

8. Data retention

Customer account and connected-account data: retained while the account is active, deleted within 30 days of account closure
OAuth refresh tokens: deleted immediately on disconnect
Visitor and event data: retained for the term of the Customer's contract; deleted within 90 days of contract termination
Call recordings and transcripts: retained for 12 months unless the Customer configures a shorter window
Backups: purged within 35 days

9. Security

Industry-standard controls including TLS in transit, AES-256-GCM encryption of OAuth tokens at rest, bcrypt password hashing (12 rounds), session cookies with HttpOnly, Secure, and SameSite=Lax, CSRF protection, rate-limited authentication, and AWS-managed encrypted storage.

10. Your rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, PIPEDA, others), you may have the right to access, correct, delete, export, or restrict processing of your personal information, or to object to processing or withdraw consent.

Customers (account holders): manage your data in-app or email eagan@silverpathmarketing.com.
Tracked visitors: contact the website operator (the Customer) directly. We will assist the Customer in fulfilling the request.
California residents (CCPA): you may request "Do Not Sell or Share My Personal Information." MAT does not sell personal information.

11. Revoking Google access

You can revoke MAT's access to your Google account at any time by:

Disconnecting inside MAT at Sites → Integrations → Disconnect, or
Visiting https://myaccount.google.com/permissions

12. International transfers

Data is stored in the United States. Where required, we rely on Standard Contractual Clauses for transfers from the EEA, UK, or Switzerland.

13. Children

The Service is not directed to anyone under 16. We do not knowingly collect personal information from children.

14. Changes

We will post material changes here and update the "Last updated" date. For significant changes, we will notify Customers by email.

15. Contact

Privacy questions, data requests, or complaints: eagan@silverpathmarketing.com