Privacy Policy
This policy explains what personal data GetAiVIS collects about you, how we use it, who we share it with, and the rights you have over it. It is written to comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the UK GDPR, the EU GDPR, and the California Consumer Privacy Act (CCPA).
1. Who we are
GetAiVIS ("GetAiVIS", "we", "us", "our") operates the AI visibility intelligence platform at getaivis.ai. We are the data controller for personal data collected through the service.
Legal entity: 161820 Online Seller (sole establishment), trading as GetAiVIS
Owner: Robert Anthony Jones
Jurisdiction of operation: United Arab Emirates
Trade licence: 1618543 (E-Trader Commercial Licence, Dubai Department of Economy and Tourism)
Registered address: Palm Jumeirah, Dubai, United Arab Emirates
Privacy contact: hello@getaivis.ai
2. Data we collect
Account data
- Email address (required to register)
- Password (stored as a one-way bcrypt hash — we cannot read your password)
- Plan, billing status, and account creation timestamp
Business profile data (you provide)
- Business name, website URL, industry, description, geography
- Key competitor names you enter during onboarding
- Optional notes, custom queries, and pillar priorities
Scan data (generated by the service)
- Queries generated for your business by our AI query generator
- Raw responses returned by third-party AI engines for your queries
- Narrative classifications, authority scores, descriptor drift snapshots, source citations, and other derived metrics
Payment data
- Subscription tier, Stripe customer ID, invoice history
- We do not store card numbers, CVV, or bank details — all payment data is held by Stripe
Technical & usage data
- IP address, browser user-agent, device type, referring URL
- Pages visited, scan events, feature usage
- Server logs (retained up to 30 days, then rotated)
3. Our legal basis for processing (UK/EU GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Operating your account and running scans you request | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance + legal obligation |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Product analytics (via cookie consent) | Consent (Art. 6(1)(a)) |
| Marketing emails (opt-in only) | Consent |
| Tax and accounting record-keeping | Legal obligation (Art. 6(1)(c)) |
| Responding to legal requests | Legal obligation |
4. How we use your data
- To provide, operate, and improve the AiVIS service
- To generate AI visibility reports, scan history, and trend tracking on your behalf
- To send transactional emails (scan results, billing notices, security alerts)
- To investigate and prevent fraud, abuse, and violations of our terms
- To improve scan accuracy and query generation quality using aggregated and anonymised data only
- To comply with legal, tax, and regulatory obligations
We do not sell your personal data. We do not use your business data to train AI models. Your scan inputs and outputs are not shared with any third party except the subprocessors listed below, and only to the extent required to deliver the service.
5. Sharing & subprocessors
We share the minimum data necessary with the third-party services listed below. A full, up-to-date list is maintained at /subprocessors.html.
| Subprocessor | Purpose | Data shared | Location |
|---|---|---|---|
| Anthropic (Claude) | Query generation, narrative analysis, commentary | Business description, industry, query text | US |
| Perplexity AI | Web-grounded scan engine + business research | Business name, query text | US |
| OpenAI (ChatGPT) | Scan engine (Pro/Agency) | Query text only | US |
| Google (Gemini) | Scan engine (Pro/Agency) | Query text only | US / global |
| xAI (Grok) | Scan engine (Pro/Agency) | Query text only | US |
| DeepSeek | Scan engine (Pro/Agency) | Query text only | Singapore / HK |
| Stripe | Payment processing | Name, email, billing address, card tokens | Ireland / US |
| Railway | Cloud hosting, PostgreSQL database | All data at rest | US (GCP regions) |
| Resend | Transactional email delivery | Email address, message content | US |
| Google Analytics 4 | Website analytics (consent-gated) | Pseudonymised usage events, anonymised IP | US / EU |
| HubSpot | CRM & marketing (consent-gated) | Email, marketing interactions | US / EU |
We require each subprocessor to provide appropriate contractual and technical safeguards, including signed Data Processing Agreements and (where applicable) Standard Contractual Clauses.
6. International data transfers
Several of our subprocessors are located outside the United Kingdom and European Economic Area, primarily in the United States. Where this is the case, we rely on one or more of the following lawful transfer mechanisms:
- UK International Data Transfer Agreement (IDTA) for transfers from the UK
- EU Standard Contractual Clauses (SCCs) for transfers from the EEA
- EU-US Data Privacy Framework where the recipient is certified
- Adequacy decisions where applicable
Copies of these safeguards are available by request to hello@getaivis.ai.
7. Data retention
| Category | Retention |
|---|---|
| Account data | Lifetime of account + 30 days after deletion |
| Scan data | Lifetime of account (to support history and trend features); deleted on account closure |
| Billing records | 5 years after final transaction (UAE VAT / Federal Tax Authority requirement) |
| Server logs | 30 days rolling |
| Marketing email subscriptions | Until you unsubscribe |
| Security incident logs | Up to 2 years |
You may request deletion of your account and all associated personal data at any time by emailing hello@getaivis.ai. We will comply within 30 days.
8. Security
We take technical and organisational measures proportionate to the risk, including:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for database and backups (managed by Railway / underlying cloud)
- One-way bcrypt hashing of passwords — we cannot read your password
- Role-based access controls and principle of least privilege for engineering staff
- Session cookies marked Secure, HttpOnly, and SameSite=Lax
- Automated dependency vulnerability scanning
- Incident response and access review procedures
9. Cookies & tracking
Strictly necessary (always on)
- Session cookie — keeps you logged in. No personal data stored in the cookie itself.
Analytics & marketing (consent-gated)
These are loaded only after you click "Accept all" on our consent banner. Google Consent Mode v2 is used to enforce the default-denied state.
- Google Analytics 4 — aggregated usage analytics with IP anonymisation
- HubSpot — marketing attribution and CRM
You can change your choice at any time.
10. Your rights
Under the UAE PDPL, UK GDPR, and EU GDPR you have the following rights. We will respond to verified requests within 30 days free of charge.
- Right of access — obtain a copy of the personal data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your data
- Right to restrict processing — limit how we use your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interest or for direct marketing
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
- Right not to be subject to automated decision-making — including profiling with legal effects
- Right to lodge a complaint with a supervisory authority — UAE Data Office (uaedataoffice.gov.ae), UK ICO (ico.org.uk), or your local EU data protection authority
California residents additionally have the rights to know, delete, correct, and opt out of sale/sharing under the CCPA. GetAiVIS does not sell personal information as defined by the CCPA.
To exercise any of these rights, email hello@getaivis.ai from the address associated with your account.
11. Children
GetAiVIS is a B2B SaaS product and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a minor, contact hello@getaivis.ai and we will delete it.
12. Breach notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by Article 33 of the UK/EU GDPR. Where the breach is likely to result in high risk to you, we will also notify you directly without undue delay.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified to registered users by email at least 14 days before taking effect. The "Effective" date at the top of this page always reflects the current version. Historical versions are available on request.
14. Contact
Questions, requests, or complaints about this policy or our handling of your data:
Email: hello@getaivis.ai
Post: GetAiVIS (c/o Robert Jones) — Privacy, Palm Jumeirah, Dubai, United Arab Emirates
If you are not satisfied with our response you have the right to lodge a complaint with your local data protection authority. In the UK this is the Information Commissioner's Office.