
Privacy Policy

How we handle your data — written to be readable, not lawyered into noise.

Effective: 3 May 2026
Last updated: 3 May 2026
Entity: AISEOLab
Jurisdiction: United Kingdom

Working draft — under legal review.

This document reflects how we currently operate. It is shared in good faith but has not yet been reviewed by qualified counsel. If anything here is inaccurate or ambiguous, please email privacy@aiseolab.ai.

This policy explains what data AISEOLab (“we”, “us”) collects, what we do with it, and the rights you have over it. We have written it in plain English, with a structure designed to let you find the answer to a specific question quickly. If something is unclear, email privacy@aiseolab.ai and we will fix it.

1. Who we are

AISEOLab is the data controller for personal data processed through our website and product (the “Service”). Our jurisdiction is the United Kingdom.

For data protection enquiries, contact us at dpo@aiseolab.ai. For everything else, hello@aiseolab.ai reaches a real person.

2. What we collect

We collect three buckets of data:

2.1 Account data (when you sign up)

  • Your email address.
  • Your name (if you enter one) and an avatar URL from your OAuth provider if you sign in with one.
  • Your locale and timezone, used only for formatting dates and times consistently.
  • Your billing details, processed by Stripe — we never store full card numbers ourselves, only the last four digits and a non-sensitive Stripe customer ID.

2.2 Site data (when you add a site)

  • The URL and hostname of the site you want to monitor.
  • A name and (optional) description you choose for the site inside our dashboard.
  • The verification token we generate to confirm site ownership.
  • The full results of every scan — including HTTP responses, parsed files (your robots.txt, llms.txt, sitemap, structured data, etc.), per-check scores, and any recommendations we generated.

2.3 Operational data (automatically)

  • Server logs covering each request: HTTP method, path, response status, duration, a hashed IP address, and a truncated User-Agent string.
  • For anonymous public scans (where someone scans a URL without signing up), see section 3.
  • For Pro citation tracking, the queries you choose to track and the search results we receive in response.

3. Anonymous scans

When anyone enters a URL on our homepage to run a free scan without signing up, we store that scan. This section explains exactly what we store, why, and for how long, because we want to be specific.

For each anonymous scan we record:

  • The URL that was scanned.
  • The full scan results (the same data we collect for signed-in scans).
  • A SHA-256 hash of the visitor’s IP address. We never store the raw IP. The hash is one-way; we cannot recover the IP from it. We use the hash to rate-limit abusive scanning patterns and to count distinct scans without identifying who ran them.
  • A truncated User-Agent string and (optionally) the page that referred you, used for product analytics.
  • A short, unguessable share token that lets you (and anyone you share the link with) view the scan results without authentication.

We delete anonymous scans permanently after 7 days. After that window, the row and all associated data are removed from our database — not soft-deleted, not archived, not retained for analytics.

Our lawful basis for this processing under UK/EU GDPR is legitimate interest (Article 6(1)(f)) — specifically: providing the visitor the scan results they requested, preventing abuse of a free service, and improving our scanner across the broad patterns of websites we encounter. You may object to this processing at any time by emailing privacy@aiseolab.ai with the URL you scanned, and we will delete the corresponding rows.

4. Cookies and similar technologies

We use a small number of cookies, all functional. We do not use tracking cookies, advertising cookies, or fingerprinting techniques. See our Cookie Policy for the full list and purpose of each cookie.

5. Why we collect data

We process data only for these specific purposes:

  • To provide the Service — running scans, storing history, generating files, sending alerts, and giving you access to your dashboard.
  • To take payment — processing subscriptions through Stripe, calculating tax, sending invoices.
  • To communicate — service emails (alerts, billing updates, security notices) and, only if you opt in, product updates.
  • To improve the Service — anonymised aggregate analysis of scan results to improve our checks. We never combine this data with anyone’s identity.
  • To prevent abuse — rate-limiting based on hashed IPs and detecting unusual patterns.
  • To meet legal obligations — tax records, audit logs, responding to lawful requests.

6. Lawful basis (UK/EU GDPR)

For users in the UK and EU, our lawful bases are:

  • Contract (Art. 6(1)(b)) — for processing necessary to provide the Service to signed-in users.
  • Legitimate interest (Art. 6(1)(f)) — for anonymous scan storage, abuse prevention, and product analytics on aggregated data.
  • Consent (Art. 6(1)(a)) — for marketing emails (which you opt into and may withdraw at any time).
  • Legal obligation (Art. 6(1)(c)) — for tax and audit retention.

7. Who we share data with

We do not sell your data. Ever. We share data only with vendors who process it on our behalf to operate the Service. The full list of sub-processors:

  • Supabase — Database, authentication, file storage. Hosted in the European Union (eu-central-1).
  • Vercel — Application hosting and edge runtime. Hosted on a global edge network.
  • Stripe — Payment processing and tax calculation. Hosted globally.
  • Resend — Transactional and product emails. Hosted in the United States.
  • Inngest — Background job orchestration (scanning, alerts). Hosted in the United States.
  • Upstash — Rate limiting and ephemeral cache (Redis). Hosted in the European Union.
  • Cloudflare — DDoS protection, bot challenge (Turnstile). Hosted on a global edge network.
  • Brave Search API — Citation rank tracking (Pro tier only). Hosted in the United States.

Each sub-processor is bound by a Data Processing Agreement that requires equivalent privacy protections. We update this list when sub-processors change; substantial changes are notified via email to active customers.

8. How long we keep data

  • Anonymous scans: 7 days, then permanently deleted.
  • Account data and scan history: retained while your account is active.
  • After account closure: all account data is permanently deleted within 30 days. Some derived, anonymised aggregates (e.g. industry benchmarks) may persist indefinitely, but cannot be linked back to you.
  • Audit and security logs: 2 years, in line with the industry standard for compliance and forensics.
  • Billing and tax records: retained for the period required by tax law in our jurisdiction (typically 6–7 years).

9. Your rights

Under UK and EU GDPR (and similar laws elsewhere), you have the right to:

  • Access the personal data we hold about you.
  • Correct any data that is inaccurate or incomplete.
  • Delete your data (the “right to be forgotten”).
  • Export your data in a portable format (we offer JSON and CSV export from your account settings).
  • Object to processing based on legitimate interest, including for direct marketing.
  • Withdraw consent for marketing emails at any time.
  • Lodge a complaint with a supervisory authority (in the UK, that’s the ICO at ico.org.uk).

To exercise any of these rights, email privacy@aiseolab.ai. We respond within 30 days, usually faster.

10. Security

We protect your data with the practical measures that matter: encryption in transit (TLS 1.3) and at rest, role-based database access via Postgres row-level security, principle-of-least-privilege on every service credential, and audit logging of administrative actions.

No service is impenetrable. If we discover a breach affecting your data, we will notify you within 72 hours of becoming aware of it, along with what happened, what data was affected, and what we are doing about it.

11. International data transfers

Some of our sub-processors operate in countries outside the UK and EU. Where we transfer personal data to those countries, we rely on appropriate safeguards: UK International Data Transfer Agreements, EU Standard Contractual Clauses, or transfer to countries with adequacy decisions.

12. Children

The Service is not directed to anyone under 16. We do not knowingly collect data from children. If you believe a child has provided us data, email privacy@aiseolab.ai and we will delete it.

13. Changes to this policy

When we change this policy substantively, we update the “Effective” date at the top and email all active customers at least 14 days before the new version takes effect. Material changes that require your consent (e.g. new sub-processors handling sensitive data) will be opt-in, never opt-out.

14. Contact

For privacy questions: privacy@aiseolab.ai.

For data protection officer enquiries: dpo@aiseolab.ai.

For everything else: hello@aiseolab.ai. We answer every email.
