Legal

Privacy Policy

Effective: 1 May 2026 · Last updated: 16 May 2026

This Privacy Policy explains how we — the operator of Radar (the agency) and AI Visibility Tracker (the platform) — collect, use, share, and safeguard personal information when you visit our websites, sign up for an account, use the Service, or engage us for agency work. Please read it alongside our Terms of Service and Cookie Policy.

1. Scope and who we are

Radar,” “AI Visibility Tracker,” “we,” “us,” and “our” refer to the legal entity operating the websites at radar.agency, aivisibilitytracker.com, and the application hosted at app.aivisibilitytracker.com (together, the “Service”).

For the purposes of the EU/UK General Data Protection Regulation, the California Consumer Privacy Act (as amended by the CPRA), and India’s Digital Personal Data Protection Act, 2023, we act as the data controller (or equivalent) of personal information we collect from you directly. Where you use the Service to upload content about your own customers or end-users, we act as a processor on your behalf and the Data Processing Addendum (DPA), available on request, applies.

2. Information we collect

Information you give us

  • Account information: name, work email, password (stored hashed only), company name, role, country, and the brand(s) you wish to track.
  • Billing information: name, billing address, tax identifier (where required), and a payment method. Card numbers are tokenised and stored by Stripe; we never see or store card details on our servers.
  • Customer content: prompts, prompt variants, content URLs, brand aliases, competitor lists, integration tokens (e.g., Google Search Console, Slack), and any messages you send our team.
  • Agency engagement records: for clients of the Radar agency, briefs, strategy documents, deliverables, scopes of work, and call transcripts (where you consent to recording).

Information we collect automatically

  • Usage telemetry: pages viewed, features used, API endpoints called, response codes, durations, and click events used to operate, secure, and improve the Service.
  • Device and connection data: IP address, browser type and version, operating system, language, referring URL, and timestamps. We use truncated IPs wherever feasible.
  • Cookies and similar technologies: session cookies, authentication tokens, and a small number of first-party analytics identifiers. See our Cookie Policy.

Information from third parties

  • OAuth integrations you connect (Google Search Console, Slack, etc.) — we receive only the scopes you authorise.
  • Public sources we sample to build category baselines — domain metadata, public AI-engine responses, and aggregate citation patterns. We do not correlate this data with individual end-users.

3. How we use your information

We use personal information to:

  • Provide, operate, secure, and improve the Service and our agency engagements.
  • Authenticate accounts, enforce quotas, prevent abuse, and detect fraud.
  • Process payments, issue invoices, manage subscriptions, and recover failed charges.
  • Send transactional communications (account events, billing notices, alerts you opt into, and security messages).
  • Send service updates and limited marketing emails — only where the law permits and you have not opted out.
  • Provide customer support and respond to enquiries — including using anonymised excerpts of conversations to train internal support playbooks.
  • Comply with legal obligations, enforce our Terms, and protect our legal rights.

We do not sell personal information. We do not share personal information with third parties for cross-context behavioural advertising.

4. Legal basis for processing (EEA / UK / Switzerland)

If you are in the EEA, the UK, or Switzerland, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you signed up for.
  • Legitimate interests — to secure the Service, prevent abuse, understand product usage, and grow our business in a privacy-respecting way.
  • Consent — for non-essential cookies and marketing emails where the law requires it.
  • Legal obligation — to comply with tax, accounting, and law-enforcement requirements.

5. Sharing and sub-processors

We share personal information only with vetted providers acting on our instructions under written contracts. Current sub-processors include:

ProviderPurposeRegion
SupabaseDatabase, authentication, file storageUSA / EU
VercelApplication hosting and edge CDNGlobal
StripeSubscription billing and taxUSA / EU
Resend / PostmarkTransactional email deliveryUSA / EU
InngestBackground job orchestrationUSA
Anthropic, OpenAI, Google, xAI, Perplexity, DataForSEOAI prompt execution and analysisUSA
CloudflareDNS, WAF, and DDoS mitigationGlobal
Slack, LinearInternal operations and ticketingUSA

An up-to-date sub-processor list is available on request. We may also share data when required by law, to enforce our Terms, in connection with a merger or sale of assets (with notice to you), or with your direction.

6. International data transfers

Where we transfer personal information out of the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and — where applicable — the EU–US Data Privacy Framework. For transfers from India, we comply with the Digital Personal Data Protection Act, 2023, and any cross-border transfer rules notified by the Central Government.

7. Data retention

  • Account data — retained while your account is active and for up to 24 months after closure, unless a longer period is required by law.
  • AI prompt runs and raw responses — kept hot for 90 days, then archived in encrypted cold storage for up to 18 months for trend analysis.
  • Aggregated brand-mention metrics — retained indefinitely in de-identified form to power category benchmarks.
  • Billing and tax records — retained for the period required by applicable financial regulations (typically 7–10 years).
  • Support communications — retained for up to 36 months.
  • Marketing site logs — truncated IPs retained 30 days.

8. Your rights

Depending on where you live, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your information (subject to legal retention requirements).
  • Receive a portable copy of your information.
  • Restrict or object to certain processing.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with a data protection authority.

To exercise any of these rights, email privacy@aivisibilitytracker.com. We respond within 30 days (45 days under CCPA, with a written extension if necessary).

9. Region-specific disclosures

California (CCPA / CPRA)

We do not sell or “share” (as defined under the CPRA) personal information. California residents have the right to know, delete, correct, limit use of sensitive personal information, and to be free from retaliation for exercising rights. Requests may be submitted to privacy@aivisibilitytracker.com.

EU / UK / Switzerland

See sections 4 and 6 for legal bases and transfer mechanisms. EU/UK/Swiss residents have all the rights listed in section 8 and may contact their local supervisory authority.

India (DPDP Act, 2023)

We process personal data of Indian residents as a Data Fiduciary in accordance with the DPDP Act. You may withdraw consent, request erasure or correction, and nominate a person to exercise your rights in case of incapacity. To raise a grievance, email our Grievance Officer at grievance@aivisibilitytracker.com.

10. Security

We implement industry-standard organisational and technical safeguards:

  • TLS 1.2+ for data in transit; AES-256 for data at rest (via Supabase storage).
  • Per-tenant row-level security on all customer-scoped tables.
  • Hashed credentials using bcrypt with per-user salts; never stored in plaintext.
  • HMAC-SHA256 hashing for API keys; rotation supported via the dashboard.
  • Principle-of-least-privilege access for staff, time-bound elevation, and audit logs.
  • Routine penetration tests and dependency scanning.

No system is perfectly secure. If you believe an account or data has been compromised, contact security@aivisibilitytracker.com immediately.

11. Cookies and similar technologies

We use a small number of first-party cookies for authentication, security, and preference storage, plus minimal first-party analytics. We do not use third-party advertising cookies. Full details are in our Cookie Policy.

12. AI processing and automated decisions

The Service uses third-party large language models to execute prompts you configure. Prompts and responses are processed by the providers listed in section 5; we instruct providers via their respective APIs not to retain content for model training where that option is available.

We do not use AI to make decisions that produce legal or similarly significant effects on you. Visibility scores, summaries, and recommendations are advisory outputs you may choose to act on.

13. Children

The Service is intended for business users aged 18 and over. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with information, contact us so we can remove it.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by a prominent notice in the Service at least 14 days before the change takes effect. The “Last updated” date at the top reflects the most recent revision.

15. Contact

Privacy enquiries: privacy@aivisibilitytracker.com
Security disclosure: security@aivisibilitytracker.com
India Grievance Officer: grievance@aivisibilitytracker.com

For UK / EU data subjects who prefer postal contact, mail us via the contact form at radar.agency/contact and we will provide an address.