Privacy Policy
We take your privacy seriously. This policy explains what data we collect, how we use it, who we share it with, and your rights regarding your personal data.
Introduction
AEO Optima ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Answer Engine Optimization platform ("Service").
This policy applies to all users of the Service, including visitors to our website, registered account holders, team members within organizations, and API/MCP consumers. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
For purposes of the EU General Data Protection Regulation (GDPR), AEO Optima acts as the "data controller" for personal data collected through the Service. When processing data on behalf of our customers (e.g., team member data within an organization), we act as a "data processor."
Information We Collect
Information You Provide Directly:
- Account information — name, email address, and password when you create an account, or profile data from Google when you authenticate via Google OAuth
- Organization & project data — organization name, project names, brand names, competitor names, and related business information
- Prompts & configurations — the queries you create for AI monitoring, schedule settings, alert rules, and other configurations
- API keys — your own third-party API keys (stored encrypted with AES-256)
- Payment information — billing details processed by Stripe (we do not store credit card numbers)
- Communications — messages you send to our support or feedback channels
Information Collected Automatically:
- Usage data — pages visited, features used, actions taken, timestamps, and session duration
- Device & browser information — IP address, browser type and version, operating system, device type, and screen resolution
- Cookies & similar technologies — session cookies for authentication and optional analytics cookies (see our Cookie Policy)
- Log data — server logs including request URLs, response codes, and error messages
Information from Third Parties:
- Google OAuth — basic profile information (name, email, profile picture) when you authenticate via Google
- Stripe — payment status and subscription information
- Google Analytics 4 — if you connect your GA4 account, we receive traffic and engagement metrics for your monitored pages
- Google Search Console — if you connect your GSC account, we receive search query, impression, click-through, and ranking data for your monitored properties
- Optional connectors — if you enable third-party connectors (e.g., Shopify, Slack, Looker, Bing Webmaster, Reddit, Wikipedia), we receive only the data scoped to that integration
How We Use Your Information
We use your personal data for the following purposes:
- Service delivery — operating the platform, capturing AI snapshots, generating analytics, and providing features you use
- Account management — creating and maintaining your account, managing authentication, and enforcing access controls
- Billing — processing payments, managing subscriptions, and enforcing plan limits
- Communications — sending transactional emails (invitations, alerts, scheduled reports, weekly digests), and responding to support requests
- Security — detecting and preventing fraud, unauthorized access, and other security incidents
- Improvement — analyzing usage patterns to improve the Service, fix bugs, and develop new features
- Legal compliance — complying with legal obligations, resolving disputes, and enforcing our agreements
We do not sell your personal data to third parties. We do not use your prompts or snapshot data to train any AI models.
Legal Basis for Processing (GDPR)
If you are located in the EU/EEA or UK, we process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation & service delivery | Contract performance |
| Payment processing & billing | Contract performance |
| Transactional emails | Contract performance |
| Security & fraud prevention | Legitimate interest |
| Service improvement & analytics | Legitimate interest |
| Analytics cookies (GA4) | Consent |
| Legal obligations & compliance | Legal obligation |
Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request details of this assessment by contacting us.
Data Sharing & Third Parties
We share your personal data only with the following categories of third-party service providers ("subprocessors"), each of which is contractually obligated to protect your data:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication, database | Account data, project data, snapshots |
| Vercel | Web hosting, CDN | IP address, request data |
| Render | Background workers, cron jobs | Snapshot processing data |
| Stripe | Payment processing | Name, email, billing address, payment method |
| OpenRouter | AI model routing | Prompt text only (no personal data) |
| Resend | Email delivery | Name, email address |
| Google | OAuth, GA4 integration | OAuth profile data; GA4 metrics (if connected) |
We may also disclose your data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of AEO Optima, our users, or the public.
International Data Transfers
Your data is primarily processed in the United States, where our infrastructure is hosted (Vercel, Render, Supabase). If you are located in the EU/EEA, UK, or another region with data protection laws, your data may be transferred to and processed in the US.
We protect international data transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission, in our agreements with subprocessors
- Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework)
- Technical safeguards including encryption in transit (TLS 1.2+) and at rest
You may request a copy of the relevant transfer mechanisms by contacting us.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Snapshots & analytics | Duration of subscription + 30 days |
| Billing records | 7 years (tax/legal compliance) |
| Audit logs | 1 year |
| Server logs | 90 days |
| Cookie consent records | Duration of consent + 1 year |
After the retention period, data is permanently deleted or anonymized. You may request earlier deletion, subject to our legal obligations (see Your Rights below).
Your Rights
GDPR Rights (EU/EEA/UK Residents):
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request that we limit processing of your data in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time
- Lodge a complaint — file a complaint with your local data protection authority
CCPA/CPRA Rights (California Residents):
- Right to know — what personal information we collect, use, disclose, and sell
- Right to delete — request deletion of your personal information
- Right to opt-out — of the sale or sharing of personal information (note: we do not sell your data)
- Right to non-discrimination — exercising your rights will not result in discriminatory treatment
To exercise any of these rights, contact us at privacy@techshu.ai. We will respond within 30 days (GDPR) or 45 days (CCPA).
Children's Privacy
The Service is not directed to children under the age of 16 (or 13 in jurisdictions where applicable). We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us immediately at privacy@techshu.ai, and we will take steps to delete such data.
Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest
- AES-256 encryption for stored API keys
- Role-based access controls (owner, admin, member, viewer) with row-level security in our database
- Secure authentication via Supabase Auth with optional Google OAuth
- Regular security monitoring and vulnerability assessments
- Automated daily database backups
Despite these measures, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law (within 72 hours under GDPR).
AI-Specific Disclosures
As an AI monitoring platform, we want to be transparent about how data interacts with AI systems:
- Prompts sent to AI providers: When capturing snapshots, we send your configured prompt text to third-party AI models via OpenRouter. These prompts may include brand names, product names, or topic descriptions you have entered. We do not send your personal information (email, name, etc.) to AI providers
- No model training: Your prompts, snapshot data, and analytics are not used to train any AI models. OpenRouter's API usage policies prohibit using API traffic for model training
- AI-generated content: Snapshots contain AI-generated responses that may reference real people, brands, or organizations. This content is generated by third-party AI models, not by us
- Data retention by AI providers: Third-party AI providers may retain prompt data according to their own data retention policies. We encourage you to review OpenRouter's and individual AI provider privacy policies for details
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top
- We will notify you via email or an in-app notification at least 30 days before material changes take effect
- We will maintain an archive of previous versions available upon request
Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
Contact & Data Protection
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
- Privacy inquiries: privacy@techshu.ai
- General support: hi@techshu.ai
- Website: aeo.techshu.ai
If you are located in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. A list of EU data protection authorities can be found on the European Commission's website.