Privacy Policy
How GEOscan collects, uses, and protects your personal data.
Last updated: March 18, 2026
⚠️ This policy is provided as a starting point. Have a qualified lawyer review it before launching publicly.
1. Introduction
GEOscan (“we”, “us”, “our”) operates geoscan.io (the “Service”). This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.
By using the Service, you agree to the collection and use of information in accordance with this policy. We process your personal data only for the purposes described here and in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Information We Collect
We collect the following categories of personal data:
- Account data: your email address and name, provided when you sign up via magic link or Google OAuth.
- Brand data: brand names, website domains, industry descriptions, and target keywords that you enter into the Service.
- Scan results: AI engine responses, visibility scores, keyword rankings, and competitor mentions generated by the Service on your behalf.
- Usage data: pages visited, features used, session duration, browser type, IP address, and device information collected automatically via analytics.
- Payment information: billing address and payment method details. These are processed directly by our payment provider (Stripe) and are never stored on our servers.
- Communications: emails you send to us for support or other inquiries.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide and operate the Service, including running scans, computing visibility scores, and generating reports.
- To send transactional notifications such as scan completion emails, score alerts, and weekly digest emails.
- To process payments and manage your subscription.
- To improve and develop the Service by analyzing usage patterns and feature adoption.
- To respond to support inquiries and communicate about your account.
- To comply with legal obligations and enforce our Terms of Service.
We do not sell your personal data to third parties. We do not use your brand data or scan results to train AI models or share them with other customers.
4. Data Storage & Security
Your data is stored on the following infrastructure, all located in the United States:
- Application hosting: Vercel (serverless, US regions).
- Database: Supabase (PostgreSQL, US East region). Brand data, keywords, scan results, and account information are stored here.
- Cache: Upstash (Redis, US region). Used for rate limiting and short-lived session data.
- File storage: Vercel Blob or AWS S3, used for generated PDF reports.
We implement industry-standard security measures including TLS encryption in transit, encryption at rest, and role-based access controls. However, no method of transmission over the internet or method of electronic storage is 100% secure.
5. Third-Party Services
GEOscan integrates with the following third-party services to deliver the core functionality of the platform:
- Anthropic (Claude) — AI engine queries. We send your keywords as prompts but not your personal data.
- OpenAI (ChatGPT / GPT-4o) — AI engine queries. Same data handling as above.
- Google (Gemini) — AI engine queries. Same data handling as above.
- Perplexity AI — AI engine queries. Same data handling as above.
- Tavily Search — AI engine queries. Same data handling as above.
- Resend — Transactional email delivery. Your email address is transmitted to send notifications.
- PostHog — Product analytics (only with your consent). Records feature usage and page views.
- Sentry — Error monitoring. May capture anonymized stack traces when errors occur.
- Stripe — Payment processing. Handles all billing and stores payment methods.
Important: When GEOscan queries AI engines on your behalf, it sends only your keyword strings as search prompts. Your name, email address, and other personally identifiable information are never included in AI engine requests.
6. Data Retention
We retain your data according to the following schedules:
- Scan results and visibility scores: retained based on your plan — 30 days (Starter), 90 days (Growth), or 365 days (Pro). Older data is automatically deleted.
- Account data (email, name, brand configuration): retained for as long as your account is active.
- Alert history: retained for 90 days.
- Generated PDF reports: retained for 30 days after creation, or until the share token expires.
- Support emails: retained for up to 2 years for record-keeping purposes.
When you delete your account, all associated personal data is removed from our active systems within 30 days. Anonymized, aggregated data (e.g., aggregate usage statistics not linked to you) may be retained indefinitely.
7. Your Rights (GDPR / CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Right to access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data. You can delete your account at any time via Settings → Danger Zone.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to object: Object to processing of your personal data for direct marketing or based on legitimate interests.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- CCPA — Right to know and opt out: California residents have the right to know what personal data is collected and to opt out of its sale. We do not sell personal data.
To exercise any of these rights, email us at privacy@geoscan.io. We will respond within 30 days. For account deletion, you can also use the self-service option in your account settings.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting a notice on the Service or by sending an email to the address associated with your account. The “Last updated” date at the top of this page reflects when the policy was last revised.
Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
10. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:
- Email: privacy@geoscan.io
- Website: geoscan.io
We aim to respond to all privacy-related inquiries within 5 business days and to complete all data subject requests within 30 days.