Privacy policy

1. Information we collect

1.1 Account information

When you create an account, we collect:

• Email address (required for authentication and communication)
• Name or display name (optional)
• Password (encrypted and managed by our authentication provider)
• Account creation timestamp

1.2 Business information

To provide our AI visibility analysis service, we collect information about your business:

• Business name
• Physical address (street address, city, state, ZIP code)
• Country and country code
• Phone number(s)
• Website URL
• Business category (from predefined list)
• Services offered
• Business description
• Key persons (names of important people in your business)
• Important URLs (specific pages you want to monitor)
• Top keywords (relevant to your business)
• Service area type (city-level or state-level)
• Business hours (including notes)
• Geographic coordinates (latitude/longitude derived from your address via geocoding)

This information is used to:

• Generate search prompts for AI platforms
• Analyze AI responses for accuracy
• Provide visibility insights specific to your business
• Create "ground truth" data for verification purposes

1.3 Google Analytics data

IMPORTANT: This section describes our use of Google API Services

When you connect your Google Analytics account to our Service, we request your explicit consent to access the following Google user data through Google's OAuth 2.0 authorization:

OAuth scopes we request:

• https://www.googleapis.com/auth/analytics.readonly - Read-only access to your Google Analytics data
• https://www.googleapis.com/auth/analytics.manage.users.readonly - Read-only access to user management information

What Google Analytics data we collect:

• GA4 Property ID and Property Name
• Access tokens and refresh tokens (stored encrypted)
• Token expiration timestamps
• Session data including:
  • Session dates and counts
  • Country information
  • Platform referrer data (sessionSource, firstUserSource)
  • Landing page paths (pagePath)
  • LLM (Large Language Model) referral traffic metrics

What Google Analytics data we access but do NOT store:

• Your Google Analytics account summaries
• Account display names
• Property lists (only used to help you select the property you want to connect)

How we use Google Analytics data:

We use your Google Analytics data solely to provide and improve our Service by:

• Measuring AI platform traffic to your website
• Identifying which AI platforms (ChatGPT, Perplexity, Claude, Google AI Overview, etc.) are referring visitors to your site
• Analyzing which landing pages receive AI-driven traffic
• Providing visibility insights and reports within our dashboard
• Correlating AI visibility scans with actual website traffic

We DO NOT:

• Sell Google user data to any third parties
• Use Google user data for advertising purposes
• Transfer Google user data to third parties except as necessary to provide our Service
• Use Google user data for purposes unrelated to providing or improving our Service functionality

Data retention for Google Analytics data:

• Access tokens and refresh tokens are stored securely until you disconnect your Google Analytics connection
• Tokens are automatically refreshed before expiration to maintain your connection
• Historical analytics metrics may be retained to show trends over time
• You can disconnect your Google Analytics connection at any time, which will immediately delete your access tokens from our system

Your control over Google Analytics data:

• You can disconnect your Google Analytics account at any time from the Settings page
• Disconnecting immediately revokes our access and deletes your tokens
• You can revoke our access directly through your Google Account settings at https://myaccount.google.com/permissions

Data protection for Google Analytics data:

• All access tokens are encrypted in our database
• We use HTTPS for all data transmission
• We implement CSRF protection for OAuth flows
• We never share your Google Analytics tokens with third parties

Local Glyph's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

1.4 AI scan and analysis data

When you run visibility scans, we collect and store:

Scan results including:

• Platform name (ChatGPT, Google AI Overview, Perplexity)
• Raw HTML responses from AI platforms
• Citations (URLs and titles mentioned in AI responses)
• Scan timestamps
• Prompt text used for the scan
• Country/location context for the scan

Analysis data including:

• Accuracy issues (business information verification results)
• Sentiment insights (AI sentiment analysis of mentions)
• Competitor mentions and frequency
• Source citation opportunities
• Visibility scores

1.5 Payment and credit information

For payment processing, we collect:

• Package selection (credit amount and price)
• Transaction records including:
  • Credits purchased
  • Amount paid
  • Transaction type (purchase, consumption, refund)
  • Transaction status
  • Stripe payment intent ID
  • Transaction timestamps

Important: We do NOT store credit card numbers, CVV codes, or other sensitive payment information. All payment processing is handled securely by Stripe, our payment processor. Only Stripe has access to your full payment details.

1.6 Usage information

We automatically collect certain information about how you use our Service:

• Project data (project names, creation dates, scan history)
• Auto-scan settings (enabled/disabled, frequency preferences)
• Feature usage (which features you use and how often)
• Error logs (technical errors for debugging purposes)
• Rate limiting data (to prevent abuse)

1.7 Cookies and similar technologies

We use the following types of cookies:

• Authentication cookies (to keep you logged in)
• Session cookies (to maintain your session state)
• Preference cookies (to remember your settings)

We do NOT use advertising cookies or tracking cookies for behavioral advertising.

2. How we use your information

We use your information for the following purposes:

2.1 Service delivery

• Creating and managing your account
• Running AI visibility scans across platforms
• Generating prompts tailored to your business
• Analyzing AI platform responses
• Calculating visibility scores
• Providing competitor analysis
• Generating reports and insights
• Managing your credit balance
• Tracking Google Analytics referral traffic

2.2 Communication

• Sending welcome emails (including free credit offers)
• Sending low credit notifications
• Responding to your support requests
• Sending important service updates
• Notifying administrators of new user signups (for support purposes)

2.3 Payment processing

• Processing credit purchases
• Generating transaction records
• Providing invoices and receipts
• Managing refunds if applicable

2.4 Service improvement

• Analyzing how users interact with our Service
• Identifying and fixing bugs
• Improving our algorithms and accuracy
• Developing new features
• Optimizing performance

2.5 Security and fraud prevention

• Detecting and preventing fraudulent activity
• Enforcing rate limits to prevent abuse
• Protecting against security threats
• Complying with legal obligations

3. How we share your information

We share your information only in the following limited circumstances:

3.1 AI platform providers

When you run visibility scans, we send only the following information to AI platforms (OpenAI/ChatGPT, Google AI, Perplexity):

• Search prompt text (e.g., "best electrician in Austin, TX")
• Location context (country code, city, region, and geographic coordinates if available)

We DO NOT send your business name, phone number, email address, website URL, or any other personally identifiable business information to AI platforms during scans.

3.2 Payment processor (Stripe)

When you purchase credits, we share the following with Stripe:

• Your email address
• Purchase amount and package description
• Metadata (user ID, package ID, credit amount)

Stripe processes your payment information according to their own privacy policy. We receive confirmation of payment status but do NOT receive your full credit card details.

3.3 Email service provider (Resend)

We use Resend to send transactional emails. We share:

• Your email address
• Your name (if provided)
• Email content (welcome messages, low credit notifications)

3.4 Service providers and infrastructure

We use the following service providers to operate our Service:

• Supabase (database and authentication hosting) - stores all data described in this policy
• Geocoding API (to convert addresses to coordinates)

These providers have access to your data only to perform services on our behalf and are obligated to protect your information.

3.5 Legal requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal requests from government authorities
• Court orders or subpoenas
• Requests to protect our rights, property, or safety
• Requests to protect the rights, property, or safety of our users or the public

3.6 Business transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or use of your personal information.

3.7 What we do NOT do

We DO NOT:

• Sell your personal information to third parties
• Rent your personal information to third parties
• Share your information for advertising purposes
• Use your data for purposes unrelated to providing our Service
• Share your Google Analytics data with any third parties

4. Data security

We take the security of your data seriously and implement multiple layers of protection:

4.1 Technical security measures

• Encryption in transit: All data transmitted between your browser and our servers uses HTTPS/TLS encryption
• Encryption at rest: Sensitive data including Google Analytics tokens are encrypted in our database
• Row Level Security (RLS): Database policies ensure users can only access their own data
• Authentication: JWT-based authentication with secure session management
• Rate limiting: Protects against brute force attacks and abuse (10-50 requests/minute per user)
• CSRF protection: Prevents cross-site request forgery attacks on OAuth flows
• Service role isolation: Sensitive operations use secure service keys not exposed to clients

4.2 Access controls

• User data is isolated using Row Level Security policies
• Each user can ONLY access their own projects, scans, and results
• Anonymous users are blocked from accessing any sensitive data
• Administrative access is strictly limited and logged

4.3 OAuth security

• Google OAuth tokens are encrypted before storage
• Tokens are proactively refreshed before expiration
• Random UUID state parameters prevent CSRF attacks
• Expired tokens are automatically cleaned up

4.4 Third-party security

• Payment processing uses PCI-compliant Stripe infrastructure
• We never store credit card numbers or CVV codes
• Third-party service providers are vetted for security practices

While we implement strong security measures, please remember that no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

5. Data retention and deletion

5.1 How long we keep your data

Account information:

• Retained for as long as your account is active
• Deleted upon account deletion request

Business information:

• Retained for as long as your project exists
• Deleted when you delete the project

Google Analytics connections:

• Access tokens stored until you disconnect
• Automatically deleted when you click "Disconnect"
• Historical analytics metrics retained to show trends (you can request deletion)

Scan results:

• Retained indefinitely to provide historical analysis
• You can delete individual scan results at any time
• Bulk deletion available upon account deletion

Credit transactions:

• Retained permanently for accounting, tax, and legal compliance purposes
• Required for financial auditing and fraud prevention

Usage logs:

• Typically retained for 90 days for debugging and service improvement
• Personal identifiers removed after this period

5.2 Your deletion rights

You have the right to delete your data. You can:

Self-service deletion:

• Delete individual scan results from the dashboard
• Delete scan progress records
• Delete projects (which cascades to delete related scans, analysis, and insights)
• Disconnect Google Analytics (immediately deletes your access tokens)

Contact us for:

• Complete account deletion
• Bulk data export before deletion
• Deletion of specific data categories

When you request account deletion, we will:

1. Delete your account and profile information
2. Delete all projects and associated business information
3. Delete all scan results and analysis data
4. Delete Google Analytics connections and tokens
5. Anonymize transaction records (required for legal compliance)
6. Complete deletion within 30 days of your request

Some data may remain in backup systems for up to 90 days but will not be accessible or used.

6. Your rights and choices

Depending on your location, you may have the following rights:

6.1 Access and portability

• Right to access: Request a copy of the personal information we hold about you
• Right to data portability: Receive your data in a structured, commonly used format

6.2 Correction and deletion

• Right to correction: Update or correct inaccurate information in your account settings
• Right to deletion: Request deletion of your personal information (subject to legal retention requirements)

6.3 Restriction and objection

• Right to restrict processing: Request we limit how we use your data
• Right to object: Object to processing based on legitimate interests

6.4 Withdraw consent

• Google Analytics connection: Disconnect at any time from Settings
• Email communications: Manage preferences or opt out (except transactional emails)
• Account: Delete your account to withdraw all consent

6.5 How to exercise your rights

To exercise any of these rights, please contact us at:

• Email: [email protected]
• Or use the in-app settings to manage your data directly

We will respond to your request within 30 days. Some requests may require identity verification to protect your privacy.

7. Children's privacy

Our Service is not intended for children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete such information from our systems.

8. International data transfers

Our Service is hosted in the United States. If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States.

We ensure that any international data transfers comply with applicable data protection laws, including:

• EU-US Data Privacy Framework (if applicable)
• Standard Contractual Clauses for transfers outside the EEA
• Adequate safeguards as required by GDPR Article 46

9. California privacy rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

9.1 Right to know

You can request:

• Categories of personal information we collect
• Specific pieces of personal information we hold
• Categories of sources from which we collect information
• Business purposes for collecting information
• Categories of third parties with whom we share information

9.2 Right to delete

You can request deletion of your personal information, subject to certain exceptions.

9.3 Right to opt-out

You have the right to opt-out of the "sale" of personal information. We DO NOT sell personal information.

9.4 Right to non-discrimination

We will not discriminate against you for exercising your CCPA rights.

9.5 Shine the light

California residents can request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

10. European privacy rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

10.1 Legal basis for processing

We process your personal data based on the following legal grounds:

• Contract performance: Processing necessary to provide our Service to you
• Legitimate interests: Improving our Service, fraud prevention, security
• Consent: Google Analytics connection, email communications
• Legal obligation: Tax reporting, fraud prevention, responding to legal requests

10.2 Your GDPR rights

You have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict processing
• Data portability
• Object to processing
• Withdraw consent at any time
• Lodge a complaint with your supervisory authority

10.3 Data protection officer

For GDPR-related inquiries, contact: [email protected]

10.4 EU representative

For users in the European Economic Area, you may contact us at: [email protected]

11. Changes to this privacy policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• Legal or regulatory changes
• New features or services
• User feedback

When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email (if you have an account)
• Display a prominent notice on our Service
• Request your consent if required by law

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Inventige, LLC (dba Local Glyph)

• Email: [email protected]
• Website: https://localglyph.com

Response time: We aim to respond to all privacy inquiries within 30 days.

Summary of key points

To make this policy easier to understand, here are the key points:

What we collect:

• Your email and basic account info
• Business details you provide
• Google Analytics data (with your consent)
• AI scan results
• Payment transaction records

How we use it:

• To provide our AI visibility analysis service
• To measure AI platform traffic to your website
• To process payments
• To communicate with you
• To improve our service

How we share it:

• AI platforms: Only prompts and location (not your personal info)
• Stripe: For payment processing
• Email provider: For transactional emails
• We DO NOT sell your data to anyone

Your control:

• Delete your scans and projects anytime
• Disconnect Google Analytics anytime
• Request complete account deletion
• Export your data
• Manage email preferences

Google API Services:

• Read-only access to your Google Analytics
• Used ONLY to show you AI traffic insights
• Not used for advertising
• Not sold to third parties
• You can disconnect anytime

Security:

• Encrypted data transmission and storage
• Strict access controls
• Regular security updates
• PCI-compliant payment processing

If you have questions about anything in this policy, please contact us at [email protected]. We're here to help!