Privacy Policy
Version: 2026-05-04
Effective date: May 4, 2026
Last updated: May 4, 2026
Supersedes: Privacy Policy effective March 2026
In short: We are a small, EU-based provider of an AI-search-visibility monitoring tool. We collect what we need to run the Service, never sell personal data, do not run cross-context behavioral advertising, transmit only what is necessary to third-party AI providers (e.g., OpenAI, Perplexity, DataForSEO) to run scans on your behalf, hash IPs we receive on the public Free GEO Snapshot, and load Vercel Analytics and Speed Insights only if you explicitly consent. Detailed disclosures, the lawful bases under the GDPR, and your U.S./UK/EU/Brazil/Canada rights are below.
1. Controller and Contact
The controller of personal data processed in connection with the Service is:
Ing. Petra Vlčková
Natural person – self-employed (OSVČ)
ID (IČO): 10881263
Registered office: Zahradní 302, 267 51 Zdice, Czech Republic
E-mail (privacy and data subject rights): legal@geotrackerai.com
E-mail (operational support): support@geotrackerai.com
Bot identification: geotrackerai.com/bots
We are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR; all privacy queries are handled directly by the controller.
We are established in the European Union (Czech Republic), so Article 27 GDPR, which requires controllers not established in the Union to designate an EU representative, does not apply to us. We have no establishment in the United Kingdom and have not designated a UK representative under Article 27 UK GDPR; UK users may direct queries to the e-mail above, and we will appoint a UK representative if and when required.
2. Scope of this Policy
This Policy applies to personal data we process when you (a) visit our website at geotrackerai.com (the marketing site, blog, changelog, documentation, public Free GEO Snapshot tool at /grader); (b) create or use an authenticated account on the Service; (c) subscribe to a paid plan; (d) communicate with us by e-mail or a contact form; or (e) interact with cookies and similar technologies on our pages. It does not apply to third-party services that you choose to interact with from within our Service (e.g., your own subscription to OpenAI, Reddit, GitHub, Hacker News, your own website's analytics, your own Slack workspace).
3. Categories of Data We Process
We process the following categories of data:
- Account and identity data — e-mail address, hashed password (managed by Supabase Auth), authentication provider identifier (e.g., OAuth provider id), accepted Terms version, terms-acceptance timestamp, and the IP address recorded at the time of acceptance for legal-audit purposes.
- Subscription and billing data — Stripe customer ID, Stripe subscription ID, subscription tier and status, billing period (monthly / annual), invoice metadata, last-four card digits and card brand (where Stripe shares them), billing country, currency, and tax-related data. We do not store full card numbers, full bank account numbers, or CVV — those are handled by Stripe under PCI-DSS.
- Configuration and Customer Inputs — domains you add, stored queries, cadence settings, monitored slots, plan preferences (e.g., weekly e-mail report opt-in, Slack alert webhook URL when configured). These are typically business inputs and may, in rare cases, contain personal data if you choose to enter it (which we do not require).
- Scan inputs and outputs — text of queries we send to third-party AI providers, raw and normalized text of AI responses, citation URLs, mention snippets, mention classifications, mention quality bands, GEO scores, geo-score history, and engine-level usage events.
- Citation Source Intelligence (CSI) data — public-web URLs cited in your scan results that we fetch and enrich (Reddit, Hacker News, GitHub, listicles, comparison pages, blogs, podcasts, news, forums, YouTube, X/Twitter threads), titles, authors (where publicly displayed), publish dates, scores/upvotes/stars, body excerpts capped at ~4 KB, structured data (Open Graph, JSON-LD), classifications, actionability flags, and recommended actions. CSI data is user-scoped and protected by PostgreSQL row-level security (RLS) policies.
- Crawlability audit data — fetched robots.txt bodies (capped at ~256 KB), response headers, meta-robots tags, fetch errors, llms.txt/llms-full.txt presence and parsed snapshots, Open Graph and Twitter Card per-tag presence, JSON-LD entity coverage (10 entity types), and deterministic findings about AI-bot access to your domain.
- Content audit data — sitemap snapshots, fetched HTML, deterministic readiness scores, per-page audit findings, and historical audit snapshots.
- Competitor tracking data — auto-discovered competitor hostnames seen across your scan results, share-of-voice aggregates, and per-scan event logs.
- Loss-analysis data and unified action stream — LLM-generated explanations and structured findings related to specific queries; the unified dashboard_actions stream (kind, status, target URL, lifecycle from pending → in_progress → done → dismissed/expired); and the 14-day outcome-loop measurements (mention-rate and GEO-score deltas attributed to a marked action).
- Discovery Map and progression data — derived signals about your account's onboarding progress (no separate database — derived live from existing tables).
- Alert-pipeline data (Business) — alert event log entries used for idempotent alert de-duplication (kind, fingerprint, dispatched-at), alert e-mail content, and (where you have configured a Slack Incoming Webhook) the alert payload posted to your Slack workspace.
- Free GEO Snapshot data — the raw domain string you submitted, the normalized hostname, an optional e-mail address you provide for follow-up, a SHA-256 hash of your IP address (with a per-deployment salt — raw IP is not stored), the truncated User-Agent header (max 240 characters), the Snapshot result blob, and an estimated cost figure for cost monitoring. Snapshot rows expire after seven (7) days for public viewing and we may purge them in bulk thereafter.
- Communications data — content of e-mails you send us, transactional e-mails we send through Resend, weekly report e-mails (when opted in), alert e-mails (Business), and Snapshot follow-up e-mails.
- Cookies and similar technologies — see Section 8.
- Logs, security, and observability — structured logs (component, level, event, status, run-id, duration), error stacks, billing-audit events (status before / after, period before / after for Stripe events), classifier failure logs, alert dispatches, and cron-run heartbeats.
- Anti-abuse data (Free GEO Snapshot) — Cloudflare Turnstile token verification result (when enabled), in-memory IP rate-limit counters, per-domain cool-down windows, and 24h cost-spike monitoring.
We do not intentionally collect special-category data under Article 9 GDPR (e.g., health, biometrics, race, political opinions, sexual orientation), and you must not submit such data as Customer Inputs.
4. How We Use Your Data and the Lawful Bases (GDPR Article 6)
For users in the EU/EEA, UK, and Switzerland, we rely on the following lawful bases:
- Performance of a contract (Article 6(1)(b)). Account creation, authentication, running scans, generating CSI/crawlability/content/competitor analyses, processing payments, sending transactional, weekly report and alert e-mails, providing customer support, fulfilling export requests.
- Compliance with a legal obligation (Article 6(1)(c)). Tax and accounting (Czech tax law typically requires retention of accounting records for ten (10) years), responding to lawful regulatory or judicial requests, and complying with consumer-protection and information-society-services law.
- Legitimate interests (Article 6(1)(f)). Operating, securing, monitoring, and improving the Service; preventing and investigating fraud, abuse, and bot traffic on the Free GEO Snapshot; defending against legal claims; basic analytics on aggregated/de-identified data; sending non-marketing e-mails about material changes to the Service. We have balanced these interests against your privacy rights and consider the processing necessary and proportionate. You may object on grounds relating to your particular situation (Article 21 GDPR) by writing to legal@geotrackerai.com.
- Consent (Article 6(1)(a)). Loading Vercel Analytics and Vercel Speed Insights, sending marketing communications where applicable, configuring an outbound Slack webhook (your explicit instruction), and any future optional features that legally require opt-in. You may withdraw consent at any time without affecting prior processing.
5. Subprocessors and Third-Party Recipients
We share personal data with the following categories of recipients to operate the Service. The list is current as of the effective date of this Policy and may evolve. Each provider acts as our processor (or as an independent controller for its own ancillary processing, such as fraud-prevention) under its own published terms and DPA where applicable.
| Subprocessor | Purpose | Storage / Processing Location |
|---|---|---|
| Supabase Inc. | Authentication, PostgreSQL database, RLS-protected data store | EU (typically Frankfurt) / global |
| Stripe Payments Europe, Limited | Payment processing, billing, fraud prevention, subscription management | EU + USA |
| Vercel Inc. | Application hosting, CDN, serverless functions, Vercel Analytics and Speed Insights (consent-gated) | USA / global edge |
| OpenAI, L.L.C. | Running ChatGPT-class scans, classifier refinement, AI-assisted llms.txt generator, helper LLM operations | USA |
| Perplexity AI Inc. | Running Perplexity Sonar scans (paid + Free GEO Snapshot) | USA |
| DataForSEO | Delivering Google AI Mode results | EU / USA |
| Resend | Transactional, weekly report, alert and Snapshot follow-up e-mails | EU / USA |
| Cloudflare, Inc. | Turnstile bot verification on the Free GEO Snapshot | USA / global edge |
| Slack Technologies, LLC (only if you configure an Incoming Webhook) | Receiving alert mirrors at your direction (Business tier only). Posting is performed solely at your explicit instruction; before posting, we validate that the webhook URL uses HTTPS and points at hooks.slack.com (anti-SSRF). | USA |
We have entered into the published GDPR-compliant DPAs (or equivalent) of each subprocessor, including the EU Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum, for transfers outside the EEA/UK. Several U.S. subprocessors are certified under the EU-U.S. Data Privacy Framework. We provide the current list and copies of relevant transfer mechanisms on request to legal@geotrackerai.com.
Model training. We configure provider integrations to avoid having your inputs used for the providers' model training where the provider offers such an option. You should review each provider's own privacy policy for additional context (OpenAI Business Terms / Enterprise Privacy, Perplexity Privacy Policy, DataForSEO Privacy Policy, etc.).
We do not sell personal data. We do not engage in "sale" or "sharing" of personal information for cross-context behavioral advertising within the meaning of CCPA/CPRA, VCDPA, or comparable U.S. state laws. We do not place targeted-advertising cookies on our properties.
6. International Data Transfers
The Service is hosted and operated from the European Union, but several subprocessors are located in the United States or have processing in the United States or other third countries. Whenever personal data is transferred outside the EEA, the UK, or Switzerland, we rely on a valid transfer mechanism, which may include:
- an adequacy decision of the European Commission (e.g., the EU-U.S. Data Privacy Framework, where the recipient is self-certified);
- EU Standard Contractual Clauses (Decision (EU) 2021/914) and the UK International Data Transfer Addendum;
- supplementary technical and organizational measures that support the mechanisms above rather than replace them (e.g., encryption in transit, access controls, IP hashing on the Snapshot);
- derogations under Article 49 GDPR where strictly necessary (e.g., to perform a contract you requested).
7. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, including legal, accounting, or reporting requirements. Indicative periods are:
- Active accounts and Customer Inputs/Outputs: for the lifetime of the account.
- Account deletion: most account-related and product data is removed within thirty (30) days of deletion, except where retention is required by law, security, fraud prevention, dispute handling, tax / accounting obligations, or other legitimate compliance reasons.
- Billing and accounting records: up to ten (10) years (Czech tax/accounting law) or longer where required by law.
- Free GEO Snapshot rows: shareable URLs expire after seven (7) days; aggregate / cost-monitoring records may be retained for up to twenty-four (24) months for fraud-prevention and product-cost analysis.
- Backups: routine backups may persist for up to thirty-five (35) days following deletion until rotation cycles complete.
- Logs and security events: up to twelve (12) months for operational logs, longer where relevant to ongoing security incidents.
- Alert event log: idempotency entries are retained for as long as needed to de-duplicate alerts (typically up to twelve (12) months) and then purged.
- Terms-acceptance audit data: for as long as the underlying account exists, plus an additional limitation period determined by Czech / EU law.
- Aggregated / de-identified data: may be retained indefinitely for analytics, benchmarking, and research, since it no longer identifies an individual.
8. Cookies and Similar Technologies
We use a small number of cookies and similar technologies. On first visit you will see a consent banner that lets you accept all, reject all, or customize your choices. Your preferences are stored both in your browser's localStorage and in a first-party cookie named geo_cookie_consent with a max-age of one (1) year. You can change your choice any time from the cookie-settings link in the footer or by clearing the cookie.
- Strictly necessary (essential). Authentication, session, anti-CSRF, consent-state, billing portal, and security cookies set by the Service or by Stripe during checkout. These are loaded without consent because they are required to deliver the Service. Lawful basis: Article 6(1)(b)/(f) GDPR; ePrivacy "strictly necessary" exception.
- Analytics. Vercel Analytics and Vercel Speed Insights for anonymous page-view counts and Core Web Vitals. We do not load these without your explicit consent.
- Marketing. The category exists in the consent UI for future use; we do not currently set any third-party marketing or cross-context-behavioral-advertising cookies.
Cloudflare Turnstile, used on the Free GEO Snapshot for bot verification, may set first-party challenge cookies on the relevant route. These are strictly necessary for security reasons.
9. Marketing Communications
We may send you operational e-mails (e.g., account, billing, policy updates). We may also send weekly summary reports if you opt in (profiles.weekly_email_report), Business-tier alert e-mails (where applicable), and follow-up communication to e-mail addresses provided through the Free GEO Snapshot. Each commercial message contains a one-click unsubscribe link as required by GDPR/PECR (EU/UK), CAN-SPAM (US), and CASL (Canada). Unsubscribing does not terminate transactional or service-related e-mails strictly necessary to operate your account.
10. Open-Web Fetching, Bot Identification, and llms.txt / robots.txt
The Service fetches public web pages to power Citation Source Intelligence, Crawlability Monitor, Content Audit, and Discovery Readiness. We:
- identify ourselves with descriptive User-Agent strings referencing GEO Tracker AI and our public bot-information page at geotrackerai.com/bots;
- obey robots.txt directives where reasonably possible and respect emerging conventions such as llms.txt and the IETF ai.txt proposal;
- cap response sizes (e.g., ~1 MB on CSI fetches, ~256 KB on robots.txt) and impose request-rate limits;
- store only what is needed to support the user feature and to explain our findings (e.g., truncated body excerpts, structured data).
If you operate a website that does not wish to be fetched by GEO Tracker AI, you can disallow our user agents in your robots.txt (see geotrackerai.com/bots for the snippet) or contact legal@geotrackerai.com. We will honor reasonable opt-out requests within a reasonable timeframe.
11. AI-Generated Outputs and Automated Decision-Making
The Service uses third-party general-purpose AI systems to generate analytical outputs. These outputs are decision-support signals and are not used by us to make any decision producing legal or similarly significant effects on you (Article 22 GDPR). Outputs may be inaccurate, incomplete, or outdated; you are responsible for evaluating and acting on them. See the Terms of Service for details on the AI Act (Regulation (EU) 2024/1689) deployer disclosure.
12. Your Rights (GDPR / UK GDPR / FADP)
If you are in the EU/EEA, the United Kingdom, or Switzerland, you have the rights to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase data ("right to be forgotten"), subject to legal retention obligations;
- restrict processing, e.g., while we verify a rectification or objection;
- object to processing based on legitimate interests, including direct marketing;
- receive your data in a portable, machine-readable format and request its portability to another controller (where technically feasible). Pro and Business users may also self-serve through the in-product CSV/JSON export endpoints, capped at 10,000 rows / 365-day window per file.
- withdraw consent at any time without affecting prior processing;
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22 GDPR — we do not perform such processing);
- lodge a complaint with a supervisory authority — for example the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ), https://www.uoou.cz, or the supervisory authority of your habitual residence. UK users may complain to the ICO (https://ico.org.uk); Swiss users to the Federal Data Protection and Information Commissioner.
To exercise any of these rights, write to legal@geotrackerai.com. We aim to respond within thirty (30) days. We may need to verify your identity before fulfilling certain requests.
13. U.S. State Privacy Rights (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, ICDPA, DPDPA, NHPA, NJDPA, MNCDPA, MDPA, KCDPA, RIDTPPA)
If you are a resident of a U.S. state with a comprehensive privacy law, you have the rights summarized below, subject to the specific scope and exceptions of your state's law:
- Right to know / right to access the categories and specific pieces of personal information we have collected, the sources, the purposes, the categories of recipients, and (CCPA/CPRA) the categories sold or shared (if any).
- Right to delete personal information we have collected from you, subject to exceptions (e.g., legal compliance, security, completion of ongoing transactions).
- Right to correct inaccurate personal information.
- Right to data portability in a usable format.
- Right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell or share personal information.
- Right to limit use of sensitive personal information (CCPA/CPRA). We do not knowingly collect sensitive personal information beyond what is necessary to operate the Service.
- Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects (where applicable). We do not engage in such profiling.
- Right to non-discrimination for exercising any of these rights.
- Right to appeal a denied request (in states that grant this right). To appeal, reply to our denial e-mail with "Privacy Appeal" in the subject line.
Submit requests to legal@geotrackerai.com. We will verify the request through your account e-mail or other reasonable means. Authorized agents must provide a written authorization. We honor Global Privacy Control (GPC) browser signals as an opt-out request to the extent applicable.
California Shine the Light. California Civil Code §1798.83 permits California residents to request a list of certain personal information disclosed to third parties for direct marketing in the prior calendar year. We do not disclose personal information for such purposes.
14. Other Jurisdictions
- Brazil (LGPD). You have rights of confirmation, access, correction, anonymization/blocking/deletion, portability, information on sharing, withdrawal of consent, and lodging a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).
- Canada (PIPEDA, Quebec Law 25). You have rights of access, correction, withdrawal of consent, and lodging a complaint with the Office of the Privacy Commissioner or the Commission d'accès à l'information du Québec.
- Australia (Privacy Act 1988). You have rights to access, correction, and complaint to the OAIC.
- Other jurisdictions. We will respect mandatory rights granted by applicable local law.
15. Children
The Service is not directed to children. We do not knowingly collect personal data from children under sixteen (16) years of age in the EU/EEA, under thirteen (13) years of age in the United States (in line with the U.S. Children's Online Privacy Protection Act, COPPA), or under any higher local minimum age. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
16. Security
We implement reasonable technical and organizational measures designed to protect personal data, including: encrypted transport (TLS); row-level security in PostgreSQL; service-role keys restricted to the server; signed Stripe webhooks (HMAC); anti-SSRF host validation on outbound webhooks (e.g., Slack); Cloudflare Turnstile bot challenge on the Free GEO Snapshot; per-deployment IP-hash salt; audit logging of billing and alert events; least-privilege access to admin tooling; and routine monitoring. No system is completely secure; we will notify affected users and authorities of personal-data breaches as required by applicable law (Articles 33–34 GDPR; comparable U.S. state breach-notification laws).
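Added example, not the project's code, of the anti-SSRF validation of a user-supplied Slack Incoming Webhook URL mentioned in Section 5 and in the list above. It enforces what the policy states (HTTPS, host hooks.slack.com) and adds the checks a reviewer would expect alongside them: no embedded credentials, no explicit port, a /services/ path prefix (the documented shape of Slack incoming webhooks), and a POST that refuses to follow redirects. The length limit, the path-prefix rule, the error wording and the injectable fetch are this example's own choices.

```javascript
// Added example, not the project's code: validating a user-configured Slack
// Incoming Webhook URL before the alert pipeline posts to it.
// Assumptions: Slack webhooks have the documented form
// https://hooks.slack.com/services/...; the 512-character limit is ours.

const ALLOWED_HOST = 'hooks.slack.com';
const ALLOWED_PATH_PREFIX = '/services/';
const MAX_URL_LEN = 512;

// Returns the normalised URL string on success; throws on anything else.
// Each rejection closes a distinct SSRF or credential-leak route.
function validateSlackWebhookUrl(input) {
  if (typeof input !== 'string' || input.length > MAX_URL_LEN) {
    throw new Error('webhook URL must be a string of at most ' + MAX_URL_LEN + ' characters');
  }
  let url;
  try {
    url = new URL(input.trim());
  } catch (e) {
    throw new Error('webhook URL is not a valid absolute URL');
  }
  // 1. Scheme: https only. Blocks http://, file://, gopher://, javascript: and friends.
  if (url.protocol !== 'https:') throw new Error('webhook URL must use https');
  // 2. Host: exact match, never endsWith/includes. "hooks.slack.com.evil.example",
  //    "evilhooks.slack.com" and any IP literal are attacker-controlled.
  if (url.hostname !== ALLOWED_HOST) throw new Error('webhook host must be ' + ALLOWED_HOST);
  // 3. No userinfo: "https://hooks.slack.com@evil.example/" parses to host evil.example
  //    (caught above), and "https://u:p@hooks.slack.com/" smuggles credentials we
  //    would then store and send.
  if (url.username !== '' || url.password !== '') throw new Error('credentials in URL not allowed');
  // 4. No explicit port: keeps the connection on 443 and blocks "hooks.slack.com:8443".
  if (url.port !== '') throw new Error('explicit port not allowed');
  // 5. Path shape: Slack webhooks live under /services/; anything else is not a webhook.
  if (!url.pathname.startsWith(ALLOWED_PATH_PREFIX)) throw new Error('not a Slack webhook path');
  url.hash = ''; // fragments are never sent; drop them from the stored form
  return url.toString();
}

// Posting the alert mirror. Redirects are NOT followed: a 3xx from the allowed
// host must not be able to steer the request to an internal address.
// `fetchImpl` is injectable so the function can be exercised without network.
async function postSlackAlert(webhookUrl, payload, fetchImpl = globalThis.fetch) {
  const target = validateSlackWebhookUrl(webhookUrl); // re-validate at send time, not only at save time
  const res = await fetchImpl(target, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(payload),
    redirect: 'manual',
  });
  if (res.status >= 300 && res.status < 400) throw new Error('refusing to follow redirect from Slack');
  return res.status;
}
```

Validating at both save time and send time matters: a URL that passed when the Slack integration was configured is stored data, and stored data can be edited through any other path into the database, so the check that actually protects the outbound request is the one in the send path. The webhook URL is itself a bearer credential for posting into the customer's workspace and should be stored and logged with the same care as an API key.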
17. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date reflects the most recent revision. For material changes that adversely affect existing users (e.g., new categories of recipients, new processing purposes that significantly broaden the scope), we will provide reasonable advance notice via e-mail or in-product notification. Continued use of the Service after the effective date of the updated Policy constitutes acceptance, except where applicable law requires renewed consent.
18. Contact
Questions, requests, or complaints about this Policy or your personal data: legal@geotrackerai.com (privacy and data subject rights) or support@geotrackerai.com (operational support). Postal address: Ing. Petra Vlčková, Zahradní 302, 267 51 Zdice, Czech Republic.
© 2026 Ing. Petra Vlčková (operating GEO Tracker AI). All rights reserved.