Privacy Policy

Last updated: April 19, 2026 · Effective: April 19, 2026

This Privacy Policy describes how Georion ("Georion", "we", "us", "our") collects, processes, stores, and protects personal data when you use our AI visibility and Generative Engine Optimization platform available at georion.app (the "Service").

We comply with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP/nFADP), and where applicable the California Consumer Privacy Act (CCPA/CPRA).

1. Who we are

The data controller for personal data processed through the Service is:

Georion
Villmergen, Aargau, Switzerland
Contact: privacy@georion.app

For GDPR-related inquiries, our EU representative can be reached via privacy@georion.app.

2. What we collect

2.1 Data you provide directly

  • Account data: name, email, password (hashed with bcrypt), company name, role
  • Billing data: processed exclusively by Stripe; we store only the last 4 digits of your card, expiry, and a Stripe customer ID
  • Configuration data: domains you track, prompts you monitor, competitor URLs, team members you invite
  • Support communications: emails, tickets, and chat transcripts when you contact us

2.2 Data we collect automatically

  • Technical data: IP address (replaced with a salted hash, using a per-instance salt, within 24 hours of collection), user-agent, browser, device type, operating system
  • Usage data: pages visited, features used, click events, API calls, session duration
  • Diagnostic data: crash logs, performance metrics, error traces (no PII)

2.3 Data we generate

  • AI scan results: responses from ChatGPT, Claude, Gemini, Perplexity, Copilot, and Grok probed with prompts you configure
  • Audit results: findings from the 242-check Audit Engine+ on URLs you submit
  • Derived metrics: AI visibility scores, share of voice, citation frequency

2.4 Data we do NOT collect

  • We do not collect biometric data, precise geolocation, government IDs, health data, or data from children under 16.
  • We do not purchase or scrape personal data from third-party data brokers.
  • We do not train AI models on your content. Your prompts and results remain private.

3. Legal bases for processing

Under GDPR, we process personal data on the following legal bases (Art. 6 GDPR):

  • Contract performance (Art. 6(1)(b)): to provide the Service you subscribe to
  • Legitimate interests (Art. 6(1)(f)): to secure our platform, detect fraud, improve our product, and communicate with customers about service updates
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, anti-money-laundering, and other statutory duties
  • Consent (Art. 6(1)(a)): for optional analytics cookies, marketing emails, and optional product research

4. How we use data

We use personal data only for the following purposes:

  • Service delivery: running AI scans, audits, and reports you configure
  • Account management: authentication, billing, access control, support
  • Security: fraud detection, rate limiting, DDoS protection, abuse investigation
  • Product improvement: aggregate usage analytics to improve features (no individual targeting)
  • Communication: transactional emails (required), product updates (opt-in), and marketing emails (opt-in only)
  • Legal compliance: tax reporting, responding to lawful requests from authorities

We do not use personal data for automated decision-making with legal or similarly significant effects (Art. 22 GDPR).

5. Sharing with third parties

We share personal data only with:

  • Subprocessors strictly necessary to operate the Service (see Section 6)
  • Legal authorities when required by a valid legal request — we will notify you unless legally prohibited
  • Business transfers in the event of a merger, acquisition, or asset sale — users will be notified at least 30 days in advance

We do not sell personal data. We do not share personal data with advertisers.

6. Subprocessors

We engage the following subprocessors to help operate the Service. All are bound by GDPR-compliant Data Processing Agreements.

Subprocessor       | Purpose                                   | Data processed                            | Location
-------------------|-------------------------------------------|-------------------------------------------|----------------------
Supabase (USA)     | Database & authentication                 | All account data                          | USA / EU (selectable)
Vercel (USA)       | Application hosting                       | Request logs, cache                       | Global edge network
Cloudflare (USA)   | CDN, DNS, DDoS protection                 | IP, user-agent                            | Global edge network
Stripe (USA)       | Payment processing                        | Billing data                              | USA / EU
Resend (USA)       | Transactional email                       | Email, message content                    | USA
Anthropic (USA)    | Claude API for GEO content generation     | Prompts only (never trained on your data) | USA
OpenAI (USA)       | ChatGPT API for AI visibility probing     | Public probe queries only                 | USA
Google (USA)       | Gemini API for AI visibility probing      | Public probe queries only                 | USA / EU
Perplexity (USA)   | Perplexity API for AI visibility probing  | Public probe queries only                 | USA

Enterprise customers can request EU-only data residency and a restricted subprocessor list. Email sales@georion.app.

7. Data retention

  • Account data: kept for the duration of your subscription + 90 days after cancellation, then anonymized or deleted
  • Billing records: kept for 10 years (legally required under Swiss accounting law)
  • Scan & audit results: kept for the duration of your subscription; exported on request
  • Support communications: kept for 3 years after the last interaction
  • Technical logs: retained for 30 days, then deleted
  • Hashed IP addresses: retained for 12 months for fraud and abuse prevention

8. International data transfers

Some of our subprocessors are located in the United States. When personal data is transferred outside the EU/EEA or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914)
  • EU–U.S. Data Privacy Framework where applicable
  • Swiss–U.S. Data Privacy Framework for Swiss residents
  • Supplementary technical measures including encryption in transit (TLS 1.3) and at rest (AES-256)

9. Your rights

Under GDPR and Swiss FADP, you have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectify inaccurate data (Art. 16 GDPR)
  • Erasure — request deletion ("right to be forgotten") (Art. 17 GDPR)
  • Restrict processing in certain circumstances (Art. 18 GDPR)
  • Data portability — export your data in JSON/CSV (Art. 20 GDPR)
  • Object to processing based on legitimate interests (Art. 21 GDPR)
  • Withdraw consent at any time for consent-based processing
  • Lodge a complaint with a supervisory authority — for Switzerland, the FDPIC (edoeb.admin.ch)

To exercise any right, email privacy@georion.app. We respond within 30 days (or 14 days for urgent requests) and do not charge for normal requests.

10. Security

We protect personal data using industry-standard safeguards detailed in our Security page, including:

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest
  • Row-Level Security (RLS) on every database table
  • Hashed IP addresses with per-instance salt
  • Annual third-party penetration testing
  • 24×7 monitoring with automated incident response
  • SOC 2 Type II audit in progress (expected Q3 2026)

11. Children's privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@georion.app and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy. When we do:

  • Material changes are announced via email at least 30 days before they take effect
  • Minor changes (clarifications, typos, new subprocessors with equivalent protections) take effect immediately and are listed in the changelog
  • The "Last updated" date at the top of this page always reflects the current version

13. Contact

For any privacy-related question, request, or complaint:

Email: privacy@georion.app
Response SLA: 14 days for urgent, 30 days maximum
Postal: Georion, Villmergen, Aargau, Switzerland