Privacy notice.
Last updated 2026-05-04. GEOlens is operated by the GEOlens team ("we", "us"). This notice explains what personal data we process, why, our lawful basis, your rights, and how to contact us. We hold ourselves to the same data hygiene we measure other sites against.
Data we process
| Category | Examples | Purpose |
|---|---|---|
| Account | Email, Clerk user id | Sign-in, scan history, paid features |
| Network | SHA-256 hash of your IP (with rotating salt) | Rate limiting, ownership of anonymous scans |
| Audit input | URL you submit + URL hostname | Run the audit you requested |
| Audit output | SEO + AEO scores, finding text, AI engine probe responses | Display your report; let you re-open it later |
| Telemetry | Pseudonymous event id, scan/account id, event name | Product analytics (counts, errors, conversion) |
| Waitlist | Email + the gap that triggered the signup | Notify you when the fixer agent ships |
Lawful basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)) — running scans, account features, paid PDF (when launched).
- Consent (Art. 6(1)(a)) — joining the waitlist with your email. You can withdraw at any time.
- Legitimate interest (Art. 6(1)(f)) — pseudonymous telemetry, IP-hash rate limiting, and abuse prevention. Balanced against your interest in privacy: we never store plaintext IPs and never sell or share telemetry with third parties.
What we never store
- Raw HTML of audited pages. Pages are fetched into memory only for the duration of a scan. We persist computed signals (scores, schema types present, hygiene results) but never the source HTML.
- Plaintext IP addresses. We hash the IP with a rotating salt and store only the hash.
- Cookies for tracking. We use only first-party cookies set by Clerk for authentication; no advertising or cross-site tracking cookies.
Retention
- Anonymous scans — deleted 30 days after creation by an automated daily job.
- Signed-in scans — retained until you delete them. Deleting your account removes all your scans.
- Telemetry — kept for up to 24 months for trend analysis; it is then aggregated and the row-level data is purged.
- Waitlist email — kept until you unsubscribe (one-click link in any email we send) or until 36 months of inactivity have passed, whichever is sooner.
Your rights
Under GDPR, the UK Data Protection Act 2018, and CCPA where applicable, you have the right to:
- Access a copy of your personal data
- Rectify inaccuracies
- Erase your data ("right to be forgotten")
- Restrict our processing
- Object to legitimate-interest processing
- Receive your data in a portable format
- Withdraw consent (waitlist) at any time
- Lodge a complaint with your supervisory authority
To exercise any of these rights, email privacy@geolens.xyz or delete your account directly from the dashboard. We respond within 30 days.
Subprocessors & international transfers
GEOlens uses the following processors. Several are based in the United States; transfers from the EEA/UK rely on the EU Commission's adequacy decision for the US (where applicable) or Standard Contractual Clauses (SCCs) included in each processor's data processing addendum.
- Vercel, Inc. (USA) — hosting, edge networking, image generation. SCCs.
- Neon Inc. (USA) — managed Postgres for scans, findings, accounts. SCCs.
- Upstash, Inc. (USA) — Redis for rate limiting. SCCs.
- Clerk, Inc. (USA) — authentication and account management. SCCs.
- OpenAI, Anthropic, Google (Gemini), Perplexity (USA) — AI engines we query through the Vercel AI Gateway. We send only the prompts described in our methodology, never your account data. SCCs in their respective DPAs.
- Google LLC (USA) — PageSpeed Insights API for SEO scoring. SCCs.
AI-generated content
Reports include text generated by external AI engines (ChatGPT, Claude, Perplexity, Gemini) in response to our probe queries. This text is shown verbatim and is labelled as an AI engine probe response in the report. AI output may be inaccurate, incomplete, or biased; we surface it as a measurement of how AI sees your site, not as factual advice about your business.
Data controller & contact
Data controller: the GEOlens team. Reach us at privacy@geolens.xyz. If you are in the EEA/UK and are not satisfied with our response, you may contact your national data protection authority. Within the EEA, you may use the EDPB members directory.
Changes
Material changes to this notice will be communicated by email to signed-in users and posted here at least 14 days before they take effect. The effective date at the top of this page tracks the latest revision.