This privacy policy explains what data AIVZ collects, how we use it, who we share it with, and the rights you have over your data. We've written it in plain English wherever the law allows; where regulatory language is required, we've kept the legal language compact and added plain-English explanations alongside.
The short version.
Five plain-English statements. The detailed section that backs each one is linked.
- What we collect: Account data (name, email, password hash), site-scan data (URLs you submit, the content AIVZ retrieves), usage telemetry (which features you use, which integrations you've enabled), and billing data (handled by our payment processor, not stored by AIVZ).
- Why we collect it: To deliver the AIVZ service you've signed up for, to bill you, to improve the product, and to comply with legal obligations.
- Who we share it with: A small set of subprocessors (cloud hosting, email delivery, payment processing, analytics). The full list lives at /subprocessors. We don't sell customer data and we never will.
- How long we keep it: Account and usage data while your account is active and for a defined retention period after; site-scan data on a rolling retention schedule.
- Your rights: You can request access, correction, deletion, portability, and (in some jurisdictions) restriction of processing. Email [email protected] to exercise any of these.
Who we are and how to reach us.
AIVZ is operated by AIVZ, Inc. ("AIVZ," "we," "our," "us"), with its principal place of business in the United States.
Privacy contact: [email protected]
General contact: [email protected]
Data Protection Officer: AIVZ has not appointed a DPO because we are not required to under GDPR Article 37; you can still reach us about any privacy matter at [email protected].
EU/UK representative: Available on request where applicable.
What data we collect.
We collect data in five categories. Each category lists what we collect, how we collect it, and (cross-referenced to the next section) why we collect it.
Category 1 — Account and identity data
What: Name, email address, password (stored as a hash, not in plaintext), company name, role/title (if you provide it), country, and (for paid plans) billing address.
How: Directly from you, when you create an account or update your profile.
Category 2 — Site-scan data
What: URLs you submit to AIVZ for scanning, the HTML/JSON-LD/HTTP-header responses our scanners retrieve from those URLs, and the AI-visibility analysis AIVZ generates from those responses. If you connect AIVZ to a CMS (WordPress, Shopify, Wix, Webflow, etc.), we also receive content metadata sufficient to deliver the integration's functionality (e.g., page IDs, post titles, schema markup).
How: When you submit a URL or domain to AIVZ; when you connect an integration.
Source: You and the public web — the URLs you submit return public content that AIVZ retrieves the same way a search engine crawler would.
Category 3 — Usage telemetry
What: Which features you use, which pages within the AIVZ application you visit, which integrations you've enabled, the timestamps of those interactions, your IP address (truncated for analytics; full for fraud and security), browser and device type, and crash/error logs.
How: Automatically, when you use the AIVZ application.
Category 4 — Billing data
What: Subscription tier, billing currency, billing cycle, invoice history. AIVZ does not store full payment card numbers — payment card data is collected and processed by our payment subprocessor under PCI-DSS-compliant conditions. AIVZ stores only a billing reference (the last four digits of the card and a tokenized identifier).
How: Through our payment subprocessor when you provide a payment method.
Category 5 — Communications data
What: Emails and chat messages you send to AIVZ support, feedback you submit through in-app forms, and (with your consent) screen recordings or session replays if you've opted in.
How: When you contact us or interact with optional feedback features.
How we use data, and the legal basis for using it.
This section describes the purposes for which AIVZ processes data and (for EU/UK customers under GDPR) the corresponding legal basis under Article 6.
| Purpose | Categories used | GDPR legal basis |
|---|---|---|
| Deliver the AIVZ service you've signed up for | 1, 2, 3 | Contract (Art. 6(1)(b)) |
| Bill you and process payments | 1, 4 | Contract (Art. 6(1)(b)) |
| Provide customer support | 1, 5 | Contract (Art. 6(1)(b)) |
| Improve AIVZ (analytics, error monitoring) | 3 | Legitimate interests (Art. 6(1)(f)) |
| Send product updates and marketing | 1, 5 | Consent for marketing; legitimate interests for transactional updates |
| Detect, prevent, and respond to fraud and security incidents | 1, 2, 3 | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations | All | Legal obligation (Art. 6(1)(c)) |
Legitimate-interests balancing test
For each "legitimate interests" purpose above, AIVZ has assessed: (a) what the legitimate interest is (operating and improving the service), (b) whether the processing is necessary to achieve it, and (c) whether customer rights and freedoms override that interest. Customers can object to legitimate-interests processing at any time — see Your rights.
Who we share data with.
AIVZ shares data with three categories of recipients: subprocessors, professional advisors, and (in narrow circumstances) governmental authorities.
Subprocessors
We use a small set of third-party services to deliver AIVZ. The current list, with what each subprocessor processes and where they're located, lives at /subprocessors. We update that list when it changes and we offer customers an email-notification subscription so you're informed of changes before they take effect.
We require all subprocessors to (a) process customer data only on AIVZ's documented instructions, (b) implement appropriate technical and organizational security measures, and (c) flow down equivalent commitments to any sub-subprocessors they engage.
Professional advisors
We share data with our legal counsel, accountants, auditors, and insurers as needed to operate the business. These advisors are subject to confidentiality obligations.
Governmental authorities
We may disclose data when required by law (e.g., subpoena, court order, regulatory inquiry). When we receive such a request and the law permits, we'll notify the affected customer so they can challenge the request before disclosure.
Business transactions
If AIVZ is involved in a merger, acquisition, financing, or asset sale, customer data may be transferred to the successor entity. We'll notify customers in advance so they can exercise applicable rights.
What we don't do
We don't sell customer data. We don't share customer data with advertisers, data brokers, or any party for purposes unrelated to delivering the AIVZ service. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under California law.
Where your data is stored and how we handle international transfers.
AIVZ's primary infrastructure is located in the United States. Some subprocessors may process data in other regions; the subprocessor list at /subprocessors lists each subprocessor's processing location.
For EU/UK customers
When personal data of EU or UK individuals is transferred outside the EEA/UK to a country without an adequacy decision, AIVZ relies on Standard Contractual Clauses (SCCs) as the transfer mechanism, supplemented where appropriate by additional safeguards (encryption in transit and at rest, access controls, audit logging). The current SCC version in use is the EU Commission's 2021 SCCs (and the UK ICO's IDTA / Addendum, where applicable).
Transfer impact assessments
For transfers from the EU/UK to the United States, AIVZ has assessed (per the Schrems II framework) the laws of the destination jurisdiction and the additional safeguards in place. The assessment is updated as relevant law develops, including the EU–US Data Privacy Framework where applicable.
How long we keep data.
| Data category | While account is active | After closure |
|---|---|---|
| Account and identity (Cat. 1) | For the life of the account | 90 days, then deleted |
| Site-scan data (Cat. 2) | Rolling 12-month window | Deleted on closure (or sooner on request) |
| Usage telemetry (Cat. 3) | Rolling 13-month window | 13 months for security/audit purposes |
| Billing (Cat. 4) | For the life of the account | 7 years for tax and audit compliance |
| Communications (Cat. 5) | For the life of the account | 24 months |
Customer-initiated deletion: Customers can request deletion of their account and all associated data at any time by emailing [email protected]. We process verified deletion requests within 30 days. Some data may be retained for the periods listed above for legitimate business or legal-compliance reasons; the email confirming completion of the deletion request will identify any data retained and the basis for retention.
How we secure data.
The detailed description of AIVZ's security architecture, encryption practices, access controls, audit logging, incident response, and certification posture lives at /security. The short version:
- Encryption in transit: TLS 1.2+ for all customer-facing endpoints.
- Encryption at rest: Industry-standard AES-256 for primary data stores.
- Access controls: Least-privilege internal access, MFA required for AIVZ personnel, audit logging on data-access events.
- Incident response: Documented incident-response plan; we'll notify affected customers without undue delay (and within 72 hours, where GDPR Article 33 applies) once a confirmed breach affecting their data is identified.
Your rights over your data.
Depending on where you live, you have one or more of the following rights. To exercise any right, email [email protected] with your name, the email associated with your AIVZ account, and the right you'd like to exercise. We'll verify your identity and respond within the regulatory timeframe.
| Right | Available to | What it means |
|---|---|---|
| Access | Everyone | Get a copy of the data AIVZ holds about you |
| Rectification | Everyone | Correct inaccurate data |
| Erasure | EU/UK; California (with exceptions) | Request deletion of your data |
| Restrict processing | EU/UK | Pause processing while a dispute is resolved |
| Data portability | EU/UK; California | Receive your data in a machine-readable format |
| Object | EU/UK | Object to processing based on legitimate interests or for direct marketing |
| Withdraw consent | Where processing is based on consent | Withdraw at any time without affecting prior processing |
| No automated decisions | EU/UK | Not be subject to decisions based solely on automated processing producing legal effects |
| Opt out of sale or share | California | N/A in practice — AIVZ doesn't sell or share for that purpose |
| Non-discrimination | California | AIVZ won't discriminate against you for exercising your rights |
| Appeal | Several US states | Appeal a denied request |
If we deny your request: We'll explain why, and (where applicable) explain your right to appeal or to lodge a complaint with a supervisory authority.
EU/UK supervisory authority complaints: If you're in the EU/UK and you believe AIVZ has violated your data-protection rights, you have the right to lodge a complaint with your national supervisory authority.
Cookies and similar technologies.
AIVZ uses cookies and similar technologies (local storage, session tokens) on the AIVZ application and on aivz.app. Categories of cookies used:
- Strictly necessary: Authentication, session management, security. These cannot be disabled.
- Functional: Remember your preferences (e.g., dark/light mode, language).
- Analytics: First-party analytics on usage patterns. Disabled in jurisdictions requiring opt-in until consent is provided.
- Marketing: Disabled until consent is provided, where applicable.
A consent banner appears the first time you visit aivz.app from a jurisdiction where consent is required; your choices are stored and respected. You can change your choices at any time via the cookie-preferences link in the footer.
Children's privacy.
AIVZ is a B2B service intended for use by individuals 18 years of age or older. We do not knowingly collect personal information from children under 13 (under COPPA in the United States) or under 16 (under GDPR Article 8 in many EU member states). If we learn we've collected personal information from a child under those ages, we'll delete it.
If you believe a child has provided AIVZ with personal information, please contact [email protected].
Changes to this privacy policy.
We update this policy when our practices change, when we add or remove subprocessors or features, or when applicable law changes. When we make material changes, we'll:
- Update the Effective date at the top.
- Notify account holders by email.
- Display a notification in the AIVZ application for 30 days after the change takes effect.
- Maintain a public changelog of material changes.
For non-material changes (e.g., correcting typos, clarifying existing language without changing substance), we update the Last reviewed date at the top without separate notice.
How to reach us about privacy.
For privacy questions, data-rights requests, complaints, or any other privacy matter:
- Email: [email protected]
- DPO (if appointed): contact via the privacy email
- EU/UK Article 27 representative (if applicable): contact via the privacy email
We acknowledge privacy emails within 2 business days and substantively respond within the timeframe required by applicable law.
Additional information for specific jurisdictions.
California residents (CCPA / CPRA)
Includes notice at collection, categories of personal information sold or shared (none, in AIVZ's case), retention by category (cross-references the retention schedule above), explicit "Do Not Sell or Share" link, and contact for the California-specific privacy rights described above.
EEA / UK residents (GDPR / UK GDPR)
References the legal-basis section, the international-transfers section, and the data-subject-rights section. Identifies the EU/UK Article 27 representative if applicable.
Brazil residents (LGPD)
References LGPD-specific data subject rights and the AIVZ DPO/representative for Brazilian customers, if applicable.
Other jurisdictions
As additional jurisdictions adopt comprehensive privacy laws, AIVZ updates this policy and provides jurisdiction-specific notices as required.
Questions?
Email [email protected] for privacy matters or [email protected] for legal questions. For security inquiries, see the security overview.
