Legal

Privacy policy

Last updated 15 June 2026

This Privacy Policy explains how Dot Square Lab Ltd ( "Nerb", "we", "us"), a company registered in England & Wales, collects, uses, stores, and shares information when you use the Nerb service at nerb.ai and its hosted MCP gateway (the "Service"). Dot Square Lab Ltd is the data controller for the purposes of UK data protection law. If you have any questions, email hello@nerb.ai.

1. What Nerb does

Nerb is a hosted gateway that, with your explicit authorization, connects to your Google Ads, Google Analytics 4, and Google Search Console accounts using read-only access and makes that data available to your own large-language-model or MCP client (for example Claude or Cursor). Nerb relays the data you request to the client you connect; it is an instrument you operate, not an advertising or analytics product of our own.

2. Information we collect

Account information

When you create a Nerb account we store your email address and a one-way bcrypt hash of your password. We never store your password in plain text.

Google connection data

When you connect a Google account, Google's OAuth flow returns to us a refresh token together with your Google account email address, a Google account identifier, and the set of scopes you granted. We store the refresh token encrypted at rest (AES-256-GCM, with a key derived from a server secret) so that we can mint short-lived access tokens on your behalf. Access tokens live only in memory for roughly an hour before they are refreshed or discarded.

Google service data

When you make a request through your connected client, Nerb uses a short-lived access token to read the relevant data from the Google Ads, Analytics, or Search Console APIs and relays the response back to your client. We do not persist this reporting data in our own systems; it passes through to fulfil your request and is not stored beyond what is briefly held in memory to serve the response.

Other information

  • Waitlist: if you join the waitlist we store your email address and selected role with our email provider.
  • Feedback: messages you send us through the in-product contact tool, with your email address, so we can respond.
  • Usage analytics: if you accept analytics cookies, we use Google Analytics 4 via Google Tag Manager to understand site usage. See our Cookie policy.

3. How we use Google user data

We use the Google user data accessed through the Service for one purpose only: to provide the Service to you, at your direction, by reading the data you ask for and relaying it to the client you have connected. We do not use it for any other purpose.

4. Limited Use

Nerb's use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular, we do not and will not:

  • sell Google user data;
  • use or transfer Google user data for serving advertisements;
  • use Google user data to train or improve generalized or non-personalized artificial-intelligence or machine-learning models;
  • allow humans to read Google user data, unless we first obtain your affirmative consent for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data has been aggregated and anonymized.

5. How we store and protect data

  • Refresh tokens are encrypted at rest with authenticated encryption; application secrets are managed in a dedicated secrets manager (HashiCorp Vault).
  • All data in transit is protected with TLS.
  • The Service and its database run on Google Cloud Platform in Europe.
  • We request the narrowest, read-only Google scopes the Service needs: adwords (read), analytics.readonly, and webmasters.readonly.

6. Sharing and sub-processors

We do not sell your data and we do not share Google user data across customers. We use a small number of sub-processors to run the Service:

  • Google Cloud Platform — hosting and database.
  • Resend — transactional and waitlist email.
  • HashiCorp Vault — secrets management.

We may also disclose information where required by law or to protect the rights, safety, and security of Nerb and its users.

7. Retention and deletion

You can disconnect any Google account at any time from the Connected accounts page; doing so revokes and removes the stored refresh token. You can also revoke Nerb's access directly from your Google account permissions. To delete your Nerb account and associated data, email hello@nerb.ai and we will action the request.

8. Your rights

If you are in the UK or EEA, you have rights under the UK GDPR and the Data Protection Act 2018, including the rights to access, rectify, erase, restrict, port, and object to the processing of your personal data. To exercise any of these, contact hello@nerb.ai. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

9. International transfers

Some of our sub-processors may process data outside the UK. Where they do, we rely on appropriate safeguards (such as adequacy decisions or standard contractual clauses) as required by applicable law.

10. Children

The Service is not directed to children and is intended for use by people aged 18 or over.

11. Changes to this policy

We may update this policy from time to time. We will revise the "Last updated" date above and, where changes are material, take reasonable steps to notify you.

12. Contact

Dot Square Lab Ltd — hello@nerb.ai. See also our Terms of Service.