GDPR Compliance
Last Updated: December 22, 2024
AEOstack is committed to protecting the privacy and personal data of all individuals in the European Union (EU) and European Economic Area (EEA) in accordance with the General Data Protection Regulation (GDPR).
Quick Contact: For any GDPR-related requests or questions, please email us at gdpr@aeostack.ai
1. Data Controller Information
Data Controller: AEOstack
Contact Email: gdpr@aeostack.ai
Data Protection Officer: Available upon request
2. Legal Basis for Processing
We process your personal data under the following legal bases as defined in GDPR Article 6:
2.1 Consent (Article 6(1)(a))
For marketing communications, cookies, and optional features, we obtain your explicit consent.
2.2 Contract Performance (Article 6(1)(b))
Processing necessary to provide our services, manage your account, and fulfill our contractual obligations.
2.3 Legal Obligation (Article 6(1)(c))
Processing required to comply with legal obligations, such as tax and accounting requirements.
2.4 Legitimate Interests (Article 6(1)(f))
For fraud prevention, security, and improving our services, where such interests are not overridden by your rights.
3. Your GDPR Rights
Under GDPR, you have the following rights regarding your personal data:
3.1 Right to Access (Article 15)
You have the right to request a copy of the personal data we hold about you. We will provide this information within 30 days of your request.
3.2 Right to Rectification (Article 16)
You can request correction of any inaccurate or incomplete personal data we hold about you.
3.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data when:
- The data is no longer necessary for the purposes it was collected
- You withdraw consent
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
- Erasure is required to comply with a legal obligation
3.4 Right to Restriction of Processing (Article 18)
You can request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
3.5 Right to Data Portability (Article 20)
Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format and to transmit it to another controller.
3.6 Right to Object (Article 21)
You have the right to object to processing of your personal data, particularly for:
- Direct marketing purposes
- Processing based on legitimate interests
- Scientific or historical research, or statistical purposes
3.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produces legal effects or significantly affects you.
3.8 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw that consent at any time.
4. How to Exercise Your Rights
To exercise any of your GDPR rights, please:
- Send an email to gdpr@aeostack.ai
- Include your full name and email address associated with your account
- Clearly state which right(s) you wish to exercise
- Provide any additional information we may need to verify your identity
We will respond to your request within 30 days. For complex or numerous requests we may extend this period by up to two further months, as permitted by GDPR Article 12(3); in that case we will tell you within the first 30 days and explain the reason for the delay.
5. Data We Collect
We collect and process the following categories of personal data:
5.1 Identity Data
- Name
- Email address
- Company name
5.2 Contact Data
- Email address
- Phone number (if provided)
- Website URL
5.3 Financial Data
- Payment information (processed securely through third-party payment processors)
- Billing address
5.4 Technical Data
- IP address
- Browser type and version
- Device information
- Cookie data
5.5 Usage Data
- How you use our services
- Features accessed
- Time spent on platform
5.6 Service Data
- Website URLs you analyze
- AEO Score™ data
- Schema and entity information
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Active accounts: Data retained while your account is active
- Closed accounts: Data deleted within 90 days after account closure, unless required by law
- Marketing data: Deleted immediately upon opt-out request
- Financial records: Retained for 7 years for tax and accounting purposes
- Backup systems: Data removed from live systems is purged from backups within 90 days
7. International Data Transfers
Where our services involve processing personal data outside the EU/EEA, we rely on the transfer mechanisms provided in GDPR Chapter V:
- Transfers to countries covered by a European Commission adequacy decision
- For other countries, Standard Contractual Clauses (SCCs) adopted by the European Commission
- Supplementary technical measures, such as encryption of data in transit and at rest, where a transfer requires them
8. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption of data in transit (TLS)
- Encryption of sensitive data at rest
- Regular security audits and assessments
- Access controls and authentication
- Employee training on data protection
- Incident response procedures
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33)
- Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
- Provide details of the nature of the breach and measures taken
10. Cookies and Tracking
We use cookies and similar technologies in compliance with the GDPR and the ePrivacy Directive. You can control cookies through:
- Our cookie consent banner
- Your browser settings
- Your account preferences
For more details, see our Cookie Policy in the Privacy Policy.
11. Third-Party Data Processors
We work with third-party service providers who process data on our behalf. We ensure:
- Data Processing Agreements (DPAs) are in place
- Processors comply with GDPR requirements
- Regular audits of processor compliance
- Processors implement appropriate security measures
12. Children's Privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it immediately.
13. Marketing Communications
We will only send marketing communications with your explicit consent. You can:
- Opt out at any time using the unsubscribe link in emails
- Update your preferences in your account settings
- Contact us at gdpr@aeostack.ai to opt out
14. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or where an alleged infringement occurred.
You can find your local Data Protection Authority here: EDPB Member List
15. Updates to This Policy
We may update this GDPR compliance statement from time to time. We will notify you of any material changes by:
- Email notification
- Notice on our website
- In-app notification
16. Contact Us
For any questions or requests regarding GDPR compliance or your personal data:
- GDPR Inquiries: gdpr@aeostack.ai
- Data Protection Officer: Available upon request
- General Support: hello@aeostack.ai
Quick Reference: How to Exercise Your Rights
- Email gdpr@aeostack.ai
- Include your account email and full name
- Specify which right you want to exercise
- We will respond within 30 days