AEOBuzz

Draft status

This is a draft pending final legal review. It has not been reviewed by a licensed attorney and is not legal advice. No clause is binding until counsel completes the review gate.

AEOBuzz Privacy Policy

Effective Date: [DATE — to be set upon attorney review completion]
Version: Draft 1 (pre-attorney-review)

1. Who We Are

1.1 AEOBuzz (“we,” “us,” “our”) operates a software service that audits how local businesses appear in AI-generated answers and provides visibility reports, scoring, recommendations, and monitoring dashboards. Our legal entity is [LEGAL ENTITY NAME, STATE OF FORMATION — to be confirmed].

1.2 This Privacy Policy describes what information we collect, how we use it, how we store it, how long we keep it, and the rights you have over it. It applies to two groups: (a) customers who purchase an audit (“Customers”) and (b) businesses we prospect as potential customers (“Prospects”). Sections 2–4 describe Customer data; Sections 5–7 describe Prospect data. If you are both a Prospect and a Customer, both sets of disclosures apply.

1.3 This Policy does not apply to third-party platforms (ChatGPT, Perplexity, Gemini, Claude, Google AI Overviews, Google Search, etc.) whose services we query to produce an audit. Those platforms' own privacy policies govern your relationship with them. We query them using business names and keywords, not your personal accounts.

2. Information We Collect From Customers (Audit Subjects)

2.1 Business information you provide. When you purchase an audit, you provide your business name, business website URL, business contact information (for billing and delivery), and the service keywords and geographic area you want us to audit. This is business contact data.

2.2 Public information we collect about your business. To perform the audit, we collect and analyze publicly available information about your business, including:

  • Your business website content — we fetch your robots.txt, sitemap.xml, and your primary pages (homepage, about, services, contact). We analyze your site structure, schema markup, and the presence or absence of an /llms.txt file.
  • Your public business listings and citations across the web.
  • Your public presence in AI-generated answers — we query ChatGPT, Perplexity, Gemini, and Google AI Overviews using your business name and service keywords, and we record whether and how you are mentioned, what sources the AI cites, and the sentiment of any mention.
  • Your public reviews and ratings that are already published on the open web.

2.3 What we do NOT collect from audit subjects. We do not knowingly collect personal information about your end-customers (your patients, clients, homeowners, buyers, etc.). We audit your business's public visibility, not your customer lists. We do not access your customer databases, your patient records, your CRM, your analytics accounts, or any authenticated area of your site. We do not request, and you should not provide, Social Security numbers, medical records, financial account credentials, or other regulated personal data. See Section 9 (No Sensitive Data).

2.4 Incidental public content. Your public website pages may contain names of staff, reviewers, or testimonials published by you. When we crawl your public pages, we ingest that page content. We do not separately extract or store individual names from your site beyond what appears in the crawl of the page as a whole. We retain crawled page content only for the audit period plus the retention window in Section 8.

3. How We Use Customer Information

3.1 We use the information in Sections 2.1–2.2 to produce your audit report, visibility scoring, recommendations, and monitoring dashboards, and to deliver those to you.

3.2 We use your business contact information to bill you, deliver the report, send service notifications, and provide support.

3.3 We may aggregate and anonymize audit data across customers to produce industry benchmarks and research. No individual Customer or their end-customers will be identifiable in any aggregated or anonymized output.

3.4 We do not sell Customer information to third parties. We do not share Customer information with third parties for cross-context behavioral advertising.

4. Customer Rights

4.1 Access. You may request a copy of the personal information we hold about you or your business.

4.2 Deletion. You may request deletion of your personal information. We will delete it within [TIMEFRAME — to be set by counsel, e.g., 45 days] of a verified request, except where retention is required by law or to defend a legal claim.

4.3 Correction. You may request correction of inaccurate personal information.

4.4 Opt-out. We do not sell your personal information, so there is no sale to opt out of. If our practices change, we will provide the opt-out mechanism required by your state's law and update this Policy.

4.5 How to exercise rights. Send requests to [CONTACT EMAIL — to be set]. We will verify your identity before acting on a request. We will not discriminate against you for exercising any right.

4.6 Authorized agent. You may authorize an agent to act on your behalf by providing written authorization consistent with [your state's requirements — counsel to specify].

5. Information We Collect From Prospects

5.1 What we collect. To identify businesses that may benefit from our service, we collect publicly available information about prospect businesses from public business directories, public web pages, public review platforms, and public social profiles. For each prospect we may collect: business name, domain, business phone, business address, owner or principal name (where publicly associated with the business), estimated business attributes (employee count, years in business, service area, services offered), public website signals (presence of schema markup, llms.txt, blog, page-load estimates), public review signals (review counts and ratings on public platforms), public social signals, and estimated marketing and revenue attributes derived from public signals.

5.2 Estimated attributes. Some fields are estimates or inferences we derive from public signals — for example, an estimated owner age band, an estimated revenue band, and an owner persona (e.g., “Gen-X core,” tech-comfort level). These are inferences, not facts, and are used only to prioritize outreach.

5.3 What we do NOT collect from prospects. We do not collect Social Security numbers, government IDs, financial account credentials, medical records, or data from non-public sources. We do not access prospect accounts, inboxes, or authenticated areas.

6. How We Use Prospect Information and Prospect Rights

6.1 We use Prospect information to decide whether and how to reach out about our service, to personalize outreach, and to stop outreach to businesses that are not a fit. We do not sell Prospect information to third parties. We do not share Prospect information for cross-context behavioral advertising.

6.2 Opt-out of outreach. Every outreach email includes an unsubscribe link. You may also request that we stop contacting you and delete your prospect record by emailing [CONTACT EMAIL]. We will process opt-out and deletion requests within [TIMEFRAME — to be set, e.g., 10 business days for opt-out; 45 days for deletion per state law].

6.3 Access, deletion, correction. If your state's privacy law grants you these rights over your prospect personal information, you may exercise them by emailing [CONTACT EMAIL]. We will verify your identity and respond within the statutory window. The deletion right applies to the prospect record and to the estimated/derived attributes in Section 5.2.

6.4 We do not sell your prospect information. If our practices change, we will provide the opt-out mechanism required by your state's law and update this Policy.

7. Lawful Basis and Notice at Collection

7.1 For Customers, we process business contact data to perform the contract (deliver the audit you purchased) and public business information to provide the service you requested.

7.2 For Prospects, we process public business contact data for our legitimate interest in offering our service to businesses that may benefit from it, balanced against your right to opt out. We provide notice through this Policy and through the unsubscribe mechanism in each outreach.

8. Data Storage and Retention

8.1 Storage. Customer and Prospect data is stored in [STORAGE LOCATION — e.g., U.S.-based cloud infrastructure provider, region — to be confirmed]. Access is restricted to authorized personnel and systems. We use industry-standard technical and organizational measures (encryption in transit and at rest, access controls, logging). No method of transmission or storage is completely secure; we cannot guarantee absolute security.

8.2 Customer data retention. We retain Customer audit data for the duration of your subscription and for [RETENTION PERIOD — to be set by counsel, e.g., 12 months] after subscription termination, except where longer retention is required by law or to defend a legal claim. Crawled page content is retained for the same window. Aggregated and anonymized benchmark data may be retained indefinitely because it is not linked to identifiable individuals.

8.3 Prospect data retention. We retain Prospect data for [RETENTION PERIOD — to be set by counsel, e.g., 24 months] from the last outreach or interaction, or until you request deletion or opt out, whichever is earlier. Prospects who request deletion are removed from active outreach within [opt-out window] and their records are deleted within the statutory window.

8.4 Deletion mechanism. Deletion is performed by [METHOD — to be set, e.g., removal from active databases and backup rotation per the retention schedule]. We will confirm deletion to you on request.

9. No Sensitive Data

9.1 AEOBuzz's Service is not designed to process sensitive personal data, including Social Security numbers, government IDs, medical or health records (PHI), financial account credentials, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or data about children under 16.

9.2 Do not provide sensitive personal data to AEOBuzz through the Service, through outreach replies, or through support channels. If you inadvertently provide it, contact [CONTACT EMAIL] immediately so we can delete it.

9.3 If you are a healthcare practice and your public website contains patient information on a public page, do not direct us to crawl pages that expose PHI. Our crawler targets business, structure, and schema content; it is not designed to process patient records. You remain the covered entity for any PHI on your site.

10. Data Sharing

10.1 We share data only with service providers who process data on our behalf under contract (e.g., cloud hosting, email delivery, payment processing) and only to provide the Service. Our service providers are bound by written agreements that restrict their use of the data to providing services to us.

10.2 We may disclose information when required by law, court order, or to protect our rights, or in connection with a merger, acquisition, or sale of all or substantially all of our assets (in which case we will notify you before the transfer if required by law).

10.3 We do not sell Customer or Prospect personal information to third parties. We do not share personal information for cross-context behavioral advertising.

11. Security

11.1 We implement industry-standard technical and organizational measures to protect data, including encryption in transit and at rest, access controls, and audit logging. However, no method of transmission or storage is completely secure.

11.2 In the event of a data breach affecting personal information, we will notify affected individuals and regulators as required by applicable state breach-notification laws.

12. Children's Privacy

12.1 AEOBuzz does not knowingly collect personal information from children under 16. Our Service is directed to business owners and operators. If you believe we have collected information from a child, contact [CONTACT EMAIL] and we will delete it.

13. Your State-Specific Rights

13.1 If you are a resident of a state with a comprehensive privacy law (including California, Virginia, Colorado, Connecticut, Utah, Texas, and others as the list grows), you have the rights described in Section 4 (for Customers) and Section 6 (for Prospects), subject to the exemptions and limitations in your state's law.

13.2 California residents. Under the CCPA/CPRA, you have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of its sale or sharing. We do not sell or share your personal information as those terms are defined in the CCPA. To exercise any right, email [CONTACT EMAIL]. We will verify your identity and respond within 45 days. We will not discriminate against you for exercising any right.

13.3 [Counsel to add state-specific notices for each target state as applicability thresholds are confirmed — e.g., Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others. Each statute has its own required notice elements.]

14. Changes to This Policy

14.1 We may update this Policy. We will post the updated Policy with a new effective date. For material changes, we will provide notice [e.g., on our website or by email to active Customers] at least [30 days] before the change takes effect.

15. Contact

AEOBuzz [LEGAL ENTITY NAME]
[ADDRESS]
[EMAIL]
[PHONE — if applicable]