Privacy Policy

1. Introduction

VISIBLEFORAI ("we," "us," or "our"), operating the website visiblefor.ai, respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI visibility optimization platform ("Service"). This policy applies to all users worldwide and addresses requirements under the General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK), and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is VISIBLEFORAI, based in Istanbul, Turkey. For any data protection inquiries, you can contact us at support@visiblefor.ai.

3. Information We Collect

3.1 Information You Provide Directly

• Account Information: Name, email address, and password when you register. If you sign up via Google OAuth, we receive your name and email from Google.
• Payment Information: Billing address and payment details are collected and processed exclusively by Paddle (our Merchant of Record). We do not store your credit card numbers or payment credentials on our servers.
• Website URLs: URLs you submit for AI visibility analysis
• Contact Form Submissions: Your name, email, and message content when you contact us through the website
• Brand Information: Business details you provide for AI Reality Check and competitor comparisons

3.2 Information We Collect Automatically

• Usage Data: Features used, scans performed, pages visited, and interaction patterns
• Device Information: Browser type, operating system, screen resolution, and device identifiers
• Log Data: IP address, access times, referring URLs, and error logs
• Cookies: Session cookies for authentication and optional analytics cookies (with your consent). See Section 9 for details.

3.3 Website Scan Data

When you scan a website, we collect and analyze publicly available information from that website including page content, meta tags, structured data, headers, and other publicly accessible elements. We only scan URLs that you explicitly submit. Scan results are stored in association with your account and the site record.

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you subscribed to, including account management, scanning, and analysis delivery
• Consent (Art. 6(1)(a) GDPR): For analytics cookies and marketing communications, where applicable. You may withdraw consent at any time.
• Legitimate Interest (Art. 6(1)(f) GDPR): For fraud prevention, security, service improvement, and responding to support inquiries
• Legal Obligation (Art. 6(1)(c) GDPR): Where required to comply with applicable laws, tax obligations, or regulatory requirements

5. How We Use Your Information

We use your information to:

• Provide, operate, maintain, and improve the Service
• Process your transactions and manage subscriptions through Paddle
• Perform website analysis, generate reports, and deliver optimization recommendations
• Send transactional communications (scan results, account notifications, subscription updates)
• Respond to your inquiries and provide customer support
• Monitor and analyze usage patterns to improve user experience and Service performance
• Detect, prevent, and address fraud, abuse, technical issues, and security threats
• Enforce our Terms of Service
• Comply with legal obligations

We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you.

6. Data Sharing and Disclosure

We share your information only with the following categories of recipients and only as necessary:

• Paddle (paddle.com): Payment processing, Merchant of Record, invoicing, and tax compliance. Paddle acts as an independent data controller for payment data. See Paddle's Privacy Policy.
• Supabase (supabase.com): Database hosting and user authentication. Data is stored in Supabase-managed infrastructure. See Supabase's Privacy Policy.
• Vercel (vercel.com): Website hosting, deployment, and content delivery. See Vercel's Privacy Policy.
• OpenAI (openai.com): AI-powered analysis for deep scans. Website content you submit may be processed by OpenAI's API. See OpenAI's Privacy Policy.
• Groq (groq.com): AI-powered analysis for standard scans. See Groq's Privacy Policy.
• Google Gemini AI (ai.google.dev): AI-powered analysis for brand checks and website scans. Website content and brand information you submit may be processed by Google's Gemini API. See Google's Privacy Policy.
• Google Analytics: Usage analytics (only with your cookie consent, managed by iubenda). See Google's Privacy Policy.
• iubenda (iubenda.com): Cookie consent management. See iubenda's Privacy Policy.
• Google: OAuth authentication (only if you choose to sign in with Google)

We may also disclose your information if required to do so by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

7. Google User Data

If you choose to sign in with Google, the following policies apply specifically to Google user data:

7.1 Data Accessed

When you sign in with Google OAuth, we access only your basic profile information: your name, email address, and profile picture. We do not request access to your Google Drive, Gmail, Calendar, Contacts, or any other Google services or data.

7.2 How We Use Google User Data

We use Google user data exclusively for the following purposes:

• Authentication: To create and manage your VisibleForAI account
• Account Identification: To identify you when you sign in and associate your scans, sites, and subscription with your account
• Communication: To send transactional emails (scan results, account notifications) to your email address

We do not use Google user data for advertising, retargeting, or any purpose other than providing and improving the VisibleForAI Service.

7.3 Sharing of Google User Data

We do not sell, share, or transfer Google user data to any third parties, except:

• Supabase: Our authentication and database provider, which stores your account information securely. This is necessary to provide the Service.
• Paddle: Our payment processor receives your name and email only when you initiate a subscription purchase, solely for billing purposes.
• Legal Requirements: If required by law, court order, or governmental authority.

We do not share Google user data with any advertising networks, data brokers, or information resellers.

7.4 Storage and Protection of Google User Data

Google user data is stored securely in our Supabase-managed database with the following protections:

• Encryption in transit (TLS/HTTPS) and at rest
• Row-Level Security (RLS) policies ensuring users can only access their own data
• Access restricted to authenticated service-role operations only
• No Google user data is stored in logs, analytics, or publicly accessible locations

7.5 Retention and Deletion of Google User Data

Your Google user data (name, email, profile picture) is retained for as long as your account is active. You can request deletion of your data at any time by:

• Emailing support@visiblefor.ai with a deletion request
• Requesting account deletion through your dashboard settings

Upon receiving a deletion request, we will remove all your personal data, including Google user data, within 30 days. You can also revoke VisibleForAI's access to your Google account at any time through your Google Account permissions page.

8. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States (where our infrastructure providers Supabase, Vercel, OpenAI, and Groq are based). These countries may have different data protection laws than your jurisdiction. Where required by GDPR or other applicable laws, we ensure appropriate safeguards are in place for such transfers, including reliance on the service providers' Standard Contractual Clauses (SCCs) or other approved transfer mechanisms. By using the Service, you acknowledge and consent to the transfer of your data to these jurisdictions.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Row-Level Security (RLS) policies on all database tables
• Secure authentication via Supabase Auth with bcrypt password hashing
• Rate limiting and input sanitization to prevent abuse
• Regular review of access controls and security practices

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Cookies and Tracking

We use the following types of cookies:

10.1 Strictly Necessary Cookies

Authentication session cookies required for the Service to function. These do not require consent and cannot be disabled.

10.2 Analytics Cookies

Google Analytics cookies that help us understand how users interact with the Service. These are only loaded after you give consent through our iubenda cookie consent banner. You can withdraw consent at any time by adjusting your cookie preferences via the consent banner.

You can also control cookies through your browser settings. Disabling strictly necessary cookies may affect Service functionality.

11. Data Retention

We retain your personal data according to the following schedule:

• Account Data: Retained for as long as your account is active. After account deletion, personal data is removed within 30 days, except where we are legally required to retain it.
• Scan Data: Retained according to your subscription plan for trend tracking and monitoring purposes. Historical scan data may be deleted when you remove a site from your dashboard.
• Payment Records: Retained by Paddle in accordance with applicable tax and financial regulations (typically 7 years).
• Support Communications: Retained for up to 2 years after the last interaction for quality and reference purposes.
• Log Data: Automatically purged after 90 days.

12. Your Rights

Depending on your location, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention requirements
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for analytics cookies and marketing at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at support@visiblefor.ai. We will respond to your request within 30 days. If we need more time, we will inform you of the reason and extension period. We may ask you to verify your identity before processing your request.

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Turkish Personal Data Protection Authority (KVKK) or the supervisory authority in your country of residence.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights, we will also notify you directly via the email address associated with your account, providing details of the breach and steps you can take to protect yourself.

14. Children's Privacy

The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take prompt steps to delete that information. If you believe a child has provided us with personal data, please contact us at support@visiblefor.ai.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes, we will notify you by posting a prominent notice on the Service and/or sending an email to your registered email address at least 30 days before the changes take effect. We will update the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your data protection rights, please contact us at: