Privacy Policy
Last updated:
Summary
FixAEO is an Answer Engine Optimization (AEO) and Generative Engine Optimization (GEO) platform. To run your account, scans, subscription, and optional integrations we collect the personal data described below. We collect only what we need, we do not sell personal data, and we do not run third-party advertising trackers. This policy covers both the public site and the authenticated app at fixaeo.com and api.fixaeo.com.
Who we are (data controller)
FixAEO is the data controller for the personal data described here. The operating legal entity and registered address are listed in our Imprint. For any privacy question or to exercise your rights, contact hello@fixaeo.com.
What we collect
- Account data — your email address (used for passwordless magic-link sign-in) and, if you sign in with Google or GitHub, the profile your provider returns (a provider user id, email, name, and avatar). You may set a display name.
- Billing data — your subscription status, plan, amount, and the identifiers our payment provider returns. Payments are processed by Lemon Squeezy (our Merchant of Record), which collects your billing name, address, and card details and handles tax/VAT — we never see or store full card numbers. (Some legacy subscriptions were processed via Razorpay.)
- Product data you create — the brands, domains, tracked prompts, competitors, and the scan results, snapshots, and recommendations we generate for you.
- URLs and public website data you submit for scanning — HTML, robots.txt, llms.txt, sitemap.xml. We never request authenticated endpoints on the sites you scan.
- Google Analytics tokens (optional) — if you connect Google Analytics, we store a read-only OAuth token, encrypted at rest, used solely to read your own analytics for AI-traffic attribution. Disconnect any time in Settings.
- Analytics-tag data (optional) — if you install our JavaScript tag on your own website, we receive visit events (a hashed/salted IP, user agent, referrer, path) to classify AI-bot and AI-referred traffic for you. We process this on your behalf as a processor; we hash IPs and do not use them to identify individuals.
- Technical data — your IP address, hashed and salted, used for short-term rate limiting and abuse prevention, plus standard request logs.
- Cookieless site analytics via Cloudflare Web Analytics (no cookies, no fingerprinting).
Google user data & Limited Use
When you connect Google Analytics, FixAEO accesses your Google Analytics 4 data through the read-only analytics.readonly scope — solely to attribute which AI engines drive sessions, conversions, and revenue on your own site. We store only an encrypted, read-only OAuth token and never request write access. You can revoke access at any time in Settings or from your Google Account.
FixAEO's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, use it for advertising, or transfer it to others except as needed to provide the feature you requested, to comply with law, or in connection with a merger or acquisition.
How we use it and our legal basis
For users in the EEA/UK, we rely on the following legal bases under Article 6(1) GDPR:
- Performance of a contract (Art. 6(1)(b)) — creating and running your account, delivering scans and measurements, and managing your subscription.
- Legitimate interests (Art. 6(1)(f)) — securing the service, preventing abuse (rate-limiting via hashed IPs), and cookieless product/site analytics. You may object at any time.
- Legal obligation (Art. 6(1)(c)) — keeping billing/tax records required by law (handled largely by our Merchant of Record).
- Consent (Art. 6(1)(a)) — where we ask for it (e.g. optional product emails). You can withdraw consent at any time.
AI providers and the scan pipeline
To measure how AI engines recognize a brand, we send the brand name, the prompt text, and the brand's public self-description to AI providers and, for some engines, drive logged-in browser sessions. Providers include Google (Gemini), OpenAI (ChatGPT), Anthropic (Claude), Microsoft (Copilot), xAI (Grok), DeepSeek, and Google AI Overviews (via SerpAPI). We send the minimum needed for the query and never share your IP address or analytics data with them. Each provider processes data under its own privacy policy.
Who we share data with
We share data only with the subprocessors needed to run the service — payments, hosting/CDN, email delivery, analytics providers, and the AI providers above. We do not sell personal data. The current list, with what each receives and where, is on our Subprocessors page.
International transfers
Some providers (including our payment, hosting, and AI providers) are located in the United States. Where we transfer personal data outside the EEA/UK, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and providers' approved data-transfer frameworks.
Data retention
We keep account, product, and billing data for as long as your account is active. When you delete your account (see below), we remove your personal data, except records we must retain for legal or tax reasons (e.g. invoices) and routine backups that age out on a rolling schedule. Hashed IPs used for rate limiting are short-lived.
Your rights
Subject to applicable law (including the GDPR and UK GDPR), you can access, rectify, erase, restrict, or object to the processing of your personal data, and request portability. Two of these are self-serve in Settings:
- Download my data — export a copy of your data (portability, Art. 20).
- Delete my account — permanently erase your account and personal data (erasure, Art. 17).
For anything else, email hello@fixaeo.com. You also have the right to lodge a complaint with your local data-protection authority.
California residents have the right to know what personal information we collect, to request deletion, and to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. Exercise these rights via the same controls above or by emailing us.
Cookies
We use one essential cookie (fixaeo_session) to keep you signed in; it is not used for tracking or advertising. Our site analytics are cookieless. Details are in our Cookie Policy.
Children
FixAEO is a business tool not directed to children. We do not knowingly collect personal data from anyone under 16.
Changes to this policy
We'll update this page when our practices change and revise the “Last updated” date above. Material changes will be communicated in-app or by email where appropriate.
Contact
Questions about this policy or your data: hello@fixaeo.com.