Privacy Policy

Effective date: May 28, 2026 · Last updated: May 28, 2026

ShuiLink ("ShuiLink", "we", "us", or "our") operates the website shuilink.com and its subdomains (including ads.shuilink.com, voice.shuilink.com, hibachi.shuilink.com, book.shuilink.com, and api.shuilink.com), and provides marketing, booking, and automation services to small local-service businesses. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices you have. It applies to information we collect through our websites, our connected APIs (including our internal tooling that interacts with the Google Ads API on behalf of the businesses we serve), and any communications you have with us.

1. Information we collect

1.1 Information you provide directly

When you fill out a form on a ShuiLink-operated website (for example, a quote request on a hibachi catering landing page, a booking-engine form, or the "Contact us" form on shuilink.com), we collect the fields you submit, which typically include:

• Your name
• Phone number
• Email address (when provided)
• Event date, location, guest count, and other booking details (when relevant to the service you are requesting)
• Any free-text message you choose to include

1.2 Information collected automatically

When you visit our websites we automatically receive certain technical information from your browser, including:

• IP address (used for fraud prevention and approximate geolocation)
• Browser type and version, operating system, device type
• Pages visited, time spent on each page, referring URL, exit URL
• Interaction signals such as clicks, scroll depth, and form field activity
• Cookie identifiers and similar device identifiers

1.3 Information from third parties

If you reach us via a click on a Google Ads or other advertising campaign, we receive the campaign attribution parameters (for example, gclid) so we can measure which campaigns deliver real bookings. If you are an operator of a managed Google Ads client account that ShuiLink administers, we may receive your account-level identifiers (customer IDs, conversion action IDs, campaign metadata) from the Google Ads API.

2. How we use information

We use the information described above to:

• Respond to inquiries, quotes, and booking requests you send us
• Forward leads to the appropriate ShuiLink-managed business so they can contact you
• Measure and improve the performance of our websites and ad campaigns
• Operate our internal automation tools (keyword research, ad copy review, conversion tracking validation, reporting) for the small-business clients whose Google Ads accounts we manage
• Detect, prevent, and respond to fraud, abuse, and security incidents
• Comply with applicable legal obligations
• Send you transactional messages related to a service you have requested (for example, replying to your quote request, confirming a booking)

We do not sell personal information to third parties. We do not use personal information to build cross-context behavioral advertising profiles outside of the Google and Microsoft analytics tools described below.

3. Third-party services and data sharing

To operate our services we use a small set of well-known service providers. Each receives only the information necessary to perform a specific function on our behalf:

• Google LLC — Google Analytics 4 (web analytics), Google Ads (campaign delivery and conversion measurement), and the Google Ads API (managed-client campaign operations).
• Microsoft Corporation — Microsoft Clarity (session recordings, heatmaps, and behavioral analytics used to diagnose user-experience issues).
• Vercel Inc. — Hosting, edge delivery, and serverless function execution for our websites and APIs.
• Resend, Inc. — Transactional email delivery for lead notifications and replies.
• MongoDB, Inc. — Database hosting for booking records and managed-client configuration.
• Anthropic, PBC — Claude API for AI-assisted ad copy review and keyword analysis. Personal information of website visitors is not sent to Anthropic; only aggregated, anonymized campaign metadata.

We may also disclose information when required by law (subpoena, court order, regulatory request), to protect our rights or the rights of others, or in connection with a corporate transaction such as a merger, acquisition, or asset sale.

4. Google user data and Google API services

ShuiLink uses the Google Ads API as an internal tool to help our team manage Google Ads campaigns on behalf of a small number of business clients whose accounts we are explicitly authorized to administer. When ShuiLink team members sign in with their @shuilink.com Google account to authorize this tool, we receive an OAuth refresh token that lets the tool read and modify the Google Ads accounts under our manager (MCC) account.

ShuiLink's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide the campaign management features visible to the ShuiLink operator who is signed in.
• We do not transfer Google user data to third parties except as necessary to provide or improve those features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with prior notice.
• We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising, beyond the scope of the campaigns the user is actively managing.
• We do not allow humans to read the user's Google data unless we have the user's affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymized.

5. Cookies and similar technologies

We use cookies and similar technologies for three purposes:

• Strictly necessary — required for the site to work (for example, session continuity on the booking engine).
• Analytics — Google Analytics 4 and Microsoft Clarity drop first-party cookies to count unique visitors, measure page performance, and record anonymized session replays. You can opt out at the browser level (private browsing mode, "Do Not Track", or browser-extension blockers).
• Advertising attribution — Google Ads drops the _gcl_* family of cookies to attribute conversions to campaigns. These cookies do not personally identify you to advertisers.

6. Data retention

We retain personal information for as long as needed to provide the service you requested, comply with legal obligations, resolve disputes, and enforce our agreements. As a baseline:

• Lead-form submissions: 24 months from the date of submission, then archived or deleted.
• Booking records: 7 years from the booking date (to satisfy financial-record retention requirements).
• Web analytics events: retained according to Google Analytics and Microsoft Clarity defaults (currently 14 months for GA4 user-level data, 12 months for Clarity recordings).
• OAuth tokens for managed-client Google Ads accounts: retained as long as the management relationship is active; revoked on offboarding.

7. Security

We use industry-standard security controls including TLS 1.2+ for all data in transit, encryption at rest for production databases, role-based access control for internal tooling, OAuth-based authentication for third-party APIs, and the principle of least privilege for operator credentials. No system can be guaranteed 100% secure; if we ever discover a breach affecting your personal information we will notify you in accordance with applicable law.

8. Your rights and choices

Depending on where you live, you may have the right to:

• Request a copy of the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your information (subject to legal retention requirements)
• Opt out of analytics cookies and Microsoft Clarity recordings
• Withdraw consent at any time where processing is based on consent
• Lodge a complaint with your local data protection authority

To exercise any of these rights, email admin@shuilink.com from the address associated with the request. We will respond within 30 days.

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing" of personal information. ShuiLink does not sell personal information.

9. Children's privacy

Our websites and services are not directed to children under 13 (or under 16 in jurisdictions where that is the applicable threshold). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without verified parental consent, we will delete it as quickly as possible.

10. International transfers

ShuiLink is based in the United States. If you access our services from outside the United States, your information will be transferred to, stored, and processed in the United States. By using our services you consent to that transfer.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will be highlighted on the home page or sent to you by email if we have your address on file.

12. Contact us

← Back to ShuiLink