1. Information We Collect
1.1 Information You Provide
- Account data: name, email address, company name, job title, and password when you register.
- Payment data: billing address and payment method details. Card numbers are processed directly by our payment processor (Stripe) and are never stored on our servers.
- Content: URLs, keywords, competitor names, and other data you input into the platform to configure monitoring and content generation.
- Communications: messages you send us via email, chat, or support tickets.
1.2 Information Collected Automatically
- Usage data: pages visited, features used, session duration, clicks, and navigation paths.
- Device and log data: IP address, browser type, operating system, referring URLs, and timestamps.
- Cookies and similar technologies: see Section 6 for details.
1.3 Information from Third Parties
- If you connect a third-party account (e.g., Google Search Console), we receive data you authorize through that integration.
- We may receive business contact information from lead enrichment services to personalise outreach.
2. How We Use Your Information
- Deliver services: operate your account, run AI visibility monitoring, generate content, and provide analytics.
- Process payments: bill your subscription, handle renewals, and issue refunds.
- Improve the platform: analyse usage patterns, train and improve our models (using aggregated, de-identified data only), fix bugs, and develop new features.
- Communicate with you: send transactional emails (receipts, password resets, service alerts) and, with your consent, marketing emails.
- Comply with legal obligations: respond to lawful requests, enforce our Terms, and prevent fraud.
AI / LLM Processing
Our platform uses large language models (LLMs) operated by third-party providers (including OpenAI and Anthropic) to generate content recommendations. Inputs you provide may be sent to these providers as part of service delivery. We do not permit these providers to use your data to train their models beyond what their standard API terms allow. We will update this section if our AI data-processing practices change materially.
3. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases:
- Contract performance — processing necessary to deliver the services you subscribed to.
- Legitimate interests — product improvement, security, fraud prevention, and direct marketing to existing customers (subject to your right to object).
- Consent — marketing emails to prospects; cookies beyond strictly necessary.
- Legal obligation — compliance with applicable laws.
4. How We Share Your Information
We do not sell your personal data. We share it only as described below.
4.1 Sub-processors and Service Providers
We use the following categories of trusted vendors, each bound by data processing agreements:
- Payments: Stripe (billing and subscription management)
- Cloud infrastructure: Amazon Web Services, DigitalOcean, Cloudflare
- AI models: OpenAI, Anthropic
- Analytics: Cloudflare Analytics, Google Analytics (anonymised)
- CRM / email: customer communication and support tools
- Scheduling: Calendly (demo bookings)
- Consent management: Compile7 (via Cloudflare Zaraz)
4.2 Business Transfers
If GrackerAI is involved in a merger, acquisition, or asset sale, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
4.3 Legal Requirements
We may disclose your data where required by law, court order, or to protect the rights, property, or safety of GrackerAI, our users, or others.
5. Data Retention
- Active accounts: we retain your data for the duration of your subscription.
- After cancellation: account data is retained for 90 days to allow reactivation, then deleted or anonymised.
- Payment records: retained for 7 years for tax and accounting compliance.
- Logs: typically retained for 90 days.
6. Cookies and Tracking Technologies
We use the following categories of cookies:
- Strictly necessary: session authentication, security tokens. Cannot be disabled.
- Analytics: understand how visitors use our site (e.g., Cloudflare Analytics, Google Analytics). You can opt out via our cookie consent banner.
- Marketing: track campaign performance. Only set with your consent.
You can manage your cookie preferences at any time via the cookie consent banner or your browser settings. For more detail, see our Cookie Policy.
7. Your Rights
7.1 GDPR Rights (EEA / UK residents)
You have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
- Restriction — ask us to limit how we process your data in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Lodge a complaint — with your local data protection authority (e.g., the ICO in the UK).
7.2 CCPA / CPRA Rights (California residents)
As a California resident, you have the right to:
- Know — what personal information we collect, use, disclose, and sell.
- Delete — request deletion of your personal information.
- Correct — request correction of inaccurate personal information.
- Opt out of sale / sharing — we do not sell personal information. We do not share it for cross-context behavioural advertising.
- Non-discrimination — we will not discriminate against you for exercising your rights.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA).
8. Data Security
We implement industry-standard security measures including TLS encryption in transit, encryption at rest, access controls, and regular security reviews. Our SSL configuration has received an A grade from Qualys SSL Labs. No method of transmission over the Internet is 100% secure; we cannot guarantee absolute security.
Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (where required) and notify affected users without undue delay.
9. International Data Transfers
GrackerAI is based in the United States. If you are accessing our services from outside the US, your data will be transferred to and processed in the US. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) and, where applicable, adequacy decisions to legitimise these transfers.
10. Children's Privacy
Our services are not directed to children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Customer Logos and Testimonials
We display logos and testimonials from customers on our website for marketing purposes. This is done pursuant to our Terms of Service or separate written consent obtained from each customer. If you are a customer and wish to have your logo or testimonial removed, contact us at [email protected].
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and/or by posting a prominent notice on our website at least 14 days before the change takes effect. The updated date at the top of this page will always reflect the most recent revision.
13. Contact Us
For privacy questions, data requests, or concerns:
For EEA/UK users: our representative for GDPR purposes can be reached at the email above.
