Legal

Privacy Policy

Effective date: January 1, 2026 · Last updated: January 1, 2026

    Plain-English summary: We collect only the data we need to generate your monthly visibility report. We never sell your data. We use trusted third-party services (Google, Stripe, Anthropic, Resend, Supabase) to operate the product. You can delete your account and all associated data at any time.
  

Contents

Who we are
Data we collect
How we use your data
Third-party services
Data retention
Your rights
Cookies and tracking
Security
Children's privacy
International transfers
Changes to this policy
Contact us

1. Who we are

VisibilityIQ ("we," "us," "our") is an online service that generates monthly digital visibility reports for business owners. The service is accessible at visibilityiq.co.

For the purposes of applicable data protection laws, VisibilityIQ is the data controller of personal information we collect through the service.

2. Data we collect

Information you provide directly

Account information: Your email address and password (stored as a salted hash — we never store passwords in plain text).
Business profile: Your business name, website URL, industry, location, target keywords, and competitor URLs you choose to track.
Report preferences: Your preferred report delivery day, notification email addresses, and feature toggles.
Payment information: Billing details are collected and stored directly by Stripe. We store only your Stripe customer ID and subscription status — we never see or store your card number, CVV, or bank details.

Information collected automatically

Google Search Console data: When you connect GSC via OAuth, we request read-only access to your site's search performance data (clicks, impressions, average position, top queries, and top pages). We store this data to generate your reports and track trends over time. We never request write access and never modify your GSC settings.
Website analysis data: We periodically fetch and analyze the publicly accessible HTML of your website to check for schema markup, heading structure, page speed, and technical signals. This is the same data any web crawler can access.
Usage data: We collect standard server logs including IP address, browser type, pages visited, and timestamps. We use this data solely for security monitoring and service improvement.
Cookies: See Section 7 below.

Data we access on your behalf

Data source	What we access	Purpose
Google Search Console	Search clicks, impressions, positions, queries, pages (read-only)	SEO score calculation and report generation
Google PageSpeed Insights	Public PageSpeed and Core Web Vitals scores for your URL	SEO score calculation
Your public website	Publicly accessible HTML content	AEO and GEO signal analysis
Google Custom Search	Search results for your brand name query	Brand authority signal (GEO scoring)

3. How we use your data

We use the information we collect for the following purposes:

Providing the service: Generating your monthly visibility reports, calculating SEO/AEO/GEO scores, and delivering reports by email.
Account management: Creating and maintaining your account, processing payments, and communicating with you about your subscription.
AI report generation: Your website data and scores are sent to Anthropic's Claude API to generate the written narrative sections of your report. We do not send your personal account details (email, name) to Anthropic — only the anonymised technical metrics.
Service improvement: Aggregate, anonymised usage patterns help us improve scoring algorithms and report quality. We do not sell or share individual data for this purpose.
Legal compliance: We may use and retain data as required by applicable law.

We do not use your data for advertising. We do not sell your data to third parties. We do not allow third parties to advertise to you through our service.

4. Third-party services

We use the following sub-processors to operate VisibilityIQ. Each has been evaluated for privacy and security standards:

Service	Purpose	Data shared	Privacy policy
Supabase	Database and authentication	All account and report data	supabase.com/privacy
Stripe	Payment processing	Email, billing address, subscription details	stripe.com/privacy
Anthropic	AI narrative generation	Anonymised report metrics (no PII)	anthropic.com/privacy
Resend	Transactional email delivery	Your email address and report content	resend.com/privacy
Google APIs	Search Console, PageSpeed, Custom Search data	OAuth tokens, website URL	policies.google.com/privacy

We do not use any other third-party analytics services (no Google Analytics, no Meta Pixel, no tracking SDKs).

5. Data retention

We retain your data for as long as your account is active. Specifically:

Account data: Retained until you delete your account or request deletion.
Report data and score history: Retained for the life of your account, then permanently deleted 30 days after account closure.
Google OAuth tokens: Stored encrypted and deleted immediately if you disconnect Google Search Console or delete your account.
Payment records: Stripe retains billing records for legal compliance. We retain Stripe customer IDs and subscription history for 7 years as required by financial regulations.
Server logs: Retained for 90 days for security monitoring, then automatically deleted.

After account deletion, we may retain anonymised, non-identifiable aggregate statistics (e.g., industry-level score averages) indefinitely for product improvement purposes.

6. Your rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of all personal data we hold about you.
Correction: Request correction of inaccurate personal data.
Deletion: Request deletion of your account and all associated data. You can do this directly from Settings → Danger Zone, or by emailing us.
Portability: Request an export of your data in a machine-readable format (JSON).
Objection: Object to processing of your personal data in certain circumstances.
Withdrawal of consent: Disconnect Google Search Console at any time from your Settings page, revoking our access to your GSC data.

To exercise any of these rights, email us at privacy@visibilityiq.co. We will respond within 30 days. For EEA and UK residents, you also have the right to lodge a complaint with your local data protection authority.

California residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act. We do not sell personal information. We do not share personal information for cross-context behavioral advertising. To submit a rights request, email privacy@visibilityiq.co with "CCPA Request" in the subject line.

7. Cookies and tracking

We use a minimal set of cookies necessary to operate the service:

Authentication cookie: A session token set by Supabase Auth to keep you logged in. This is strictly necessary and cannot be disabled without logging you out.
Theme preference: A localStorage key storing your dark/light mode preference. This is not a cookie and contains no personal data.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. We do not use fingerprinting or other cross-site tracking technologies.

8. Security

We implement industry-standard security practices to protect your data:

All data is transmitted over HTTPS/TLS encryption.
Google OAuth tokens are stored encrypted at rest using AES-256 encryption.
Passwords are never stored — authentication is handled by Supabase Auth using bcrypt hashing.
Database access is restricted by Row Level Security (RLS) policies — every query is scoped to the authenticated user.
Our infrastructure runs on Supabase's SOC 2 Type II certified platform.

Despite these measures, no internet transmission is 100% secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by applicable law.

9. Children's privacy

VisibilityIQ is a business-to-business service not directed at children. We do not knowingly collect personal information from anyone under 16 years of age. If we become aware that a child under 16 has provided personal information, we will delete it promptly. If you believe we have inadvertently collected such information, please contact us at privacy@visibilityiq.co.

10. International data transfers

VisibilityIQ is operated from the United States. If you access the service from the European Economic Area (EEA), United Kingdom, or other regions with data protection laws that may differ from those in the United States, your information will be transferred to and processed in the United States.

For transfers of personal data from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) with our sub-processors to ensure an adequate level of data protection. A copy of our SCCs is available on request.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 14 days before the changes take effect, and update the "Last updated" date at the top of this page. Your continued use of the service after changes take effect constitutes acceptance of the revised policy.

12. Contact us

Privacy questions and requests

Email: privacy@visibilityiq.co

Response time: We aim to respond to all privacy requests within 5 business days and complete them within 30 days.

For general support questions, email support@visibilityiq.co.