Privacy Policy
Last updated: May 14, 2026
This Privacy Policy explains how Aergos Inc. ("Aergos," "we," "our," "us") collects, uses, shares, and protects personal data when you interact with our website, platform, applications, and services (the "Service"). It applies to visitors, Account holders, and users of the Service. Capitalized terms not defined here have the meaning given in our Terms of Service.
If you do not agree with this Policy, please do not use the Service.
1. Who we are (Data Controller)
Aergos Inc., a Delaware corporation
2810 N Church St, PMB 572280
Wilmington, DE 19802-4447, USA
Privacy inquiries: [email protected]
For European Union / United Kingdom residents, this address is our Controller address. We do not currently have an appointed EU representative; if you are located in the EU or UK and have a concern, please contact [email protected] and we will respond within 30 days.
2. Personal data we collect
2.1 Data you provide directly
- Account information: email address, password (stored hashed, never plaintext), optional phone number (if you enable SMS verification), optional avatar image or color.
- Billing information: name, billing address, and payment method tokens (card numbers are processed and stored by our payment processor, not Aergos — we never see or store full card data).
- Communications: the content of support tickets, survey responses, feedback, and correspondence.
- Account configuration: the websites, clients, and preferences you configure in the Service.
2.2 Data we collect automatically
- Technical data: IP address, browser type and version, operating system, referring/exit pages, timestamps, and User-Agent string. This is logged on each request in server logs and retained for up to 90 days for security, abuse-prevention, and debugging purposes.
- Session data: authentication tokens (stored in browser storage) and, where applicable, error context captured by our monitoring tools.
- Analytics: aggregated usage data (pages visited, features used, clicks) captured via a tag-manager container, analytics tools, and (once deployed) advertising measurement pixels. See § 7 for cookies and trackers.
2.3 Data from Third-Party Services you connect
When you connect a third-party service to your Account (e.g., Google Search Console, Google Analytics 4, WordPress, SEMRush), we access and process data from that service only as necessary to provide the Service features you have requested. This may include:
- Google Search Console: search queries, clicks, impressions, positions for your properties.
- Google Analytics 4: aggregated traffic, source, and behavior metrics for your properties.
- WordPress: post content, media, categories, and publishing metadata for your site.
- SEMRush / DataForSEO: keyword, competitive, and SERP data for domains you track.
Tokens granting such access (OAuth access tokens, API keys, application passwords) are encrypted at rest using AES-256-GCM field-level encryption before storage.
2.4 AI inputs and outputs
When you use AI-powered features, the prompts and context we send to our AI Providers may include keywords, website content, and other inputs you supply or authorize. AI Providers process these inputs to generate AI Output. Aergos and the AI Providers do not use your inputs to train their public models except as expressly permitted by our contractual arrangements with them. A current list of AI Providers is maintained at https://www.aergos.ai/sub-processors.
When you use AI Visibility scanning features, the Service sends your brand name, tracked keywords, and location parameters to the AI Providers listed in § 8 (currently OpenAI, Anthropic, Google Gemini API, and Perplexity AI) and to DataForSEO, solely to query how your brand or domain is cited within those AI systems. This data consists of business identifiers, not personal data in the usual sense, unless the brand name happens to be an individual's name.
Data obtained from Google APIs (such as Google Search Console and Google Analytics 4 data) is subject to additional restrictions described in § 5.6 (Google API Services User Data — Limited Use), including a prohibition on using such data to train any AI or machine-learning model.
2.5 Data you do not need to give us
We do not intentionally collect "special categories" of personal data under the GDPR (such as health, biometric, religious, political, or sexual-orientation data). Do not submit such data to the Service. If you inadvertently do so, email [email protected] and we will remove it.
2.6 Data collected via the Aergos SDK on Customer websites
When an Aergos Customer installs our optional JavaScript SDK on its own website, the SDK transmits to Aergos a limited set of visitor-interaction data:
- Page interaction: URL, page title, canonical URL, document referrer.
- Session: a randomly-generated session identifier valid for the browsing session, and a Customer-account identifier (client_id).
- Device: device type (desktop / tablet / mobile) and browser language.
- AI-referral signals: URL parameters Aergos uses to attribute visits originating from AI assistants (prompt_hash, answer_id, link_id, ai_model).
- User actions: form submissions, newsletter signups, phone-number clicks, and email-address clicks on the Customer's site.
The SDK does not collect form-field values, free-text inputs, names, email addresses, or other directly-identifying data. Where the SDK identifies a visitor session, the identifier is a randomly-generated value that cannot be reverse-mapped to a real-world identity by Aergos in isolation.
Aergos processes SDK data on behalf of, and under the instructions of, the Customer who installed it. Aergos is a data processor with respect to this data; the Customer is the data controller. Visitors with questions about SDK data collection should contact the Customer who operates the website on which the SDK is installed. Customers are solely responsible for obtaining any required consents from their site visitors and for updating their own privacy notices to identify Aergos as a data processor. See also ToS § 8.4.
3. How we use personal data
- Providing the Service: authenticating your Account, delivering features, processing your transactions, and responding to support requests.
- Billing and collections: charging your payment method, sending invoices and receipts, dunning for failed payments, and reconciling taxes.
- Communications: sending transactional emails (Account confirmations, password resets, billing notices, security alerts), responding to inquiries, and, where you have consented, sending marketing updates (you may opt out at any time).
- Security and abuse prevention: detecting fraud, unauthorized access, Acceptable Use Policy violations, and integrity threats.
- Analytics and product improvement: understanding how users engage with the Service to improve features and fix bugs (in aggregate or de-identified form where practicable).
- Legal compliance: meeting tax, accounting, regulatory, and law-enforcement obligations.
- Enforcement: enforcing our Terms of Service and other agreements.
4. Legal bases for processing (GDPR / UK GDPR)
- Contract (Art. 6(1)(b)) — to create and service your Account and provide the features you request.
- Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, product improvement, and limited analytics. We balance our interests against your rights and provide opt-outs where appropriate.
- Legal obligation (Art. 6(1)(c)) — for tax, accounting, and regulatory compliance.
- Consent (Art. 6(1)(a)) — for non-essential cookies and marketing email, where required. You may withdraw consent at any time.
5. How we share personal data
5.1 Sub-processors
We share personal data with service providers ("sub-processors") that help us run the Service, under contracts requiring them to protect your data. Current sub-processors are listed in § 8.
5.2 Agency Customers and end-clients
If you are an end-client of an Agency Customer using Aergos, your data is processed on behalf of that Agency. Aergos is a sub-processor of the Agency. The Agency, not Aergos, is your primary contact for data-rights requests. The Agency is responsible for its own privacy notice and for lawful bases for sharing your data with Aergos. End-clients may also receive access to a read-only branded client portal presenting reporting data selected by the Agency; such access is governed by the Agency's agreement with its end-clients.
5.3 Legal and safety disclosures
We may disclose personal data when required by law, legal process, subpoena, or court order; to protect the rights, property, or safety of Aergos, our users, or others; to enforce our agreements; or in connection with a government investigation.
5.4 Business transfers
If Aergos is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred as part of that transaction, subject to continued protections at least as strong as this Policy.
5.5 With your consent or direction
We share personal data with other parties when you direct us to (e.g., by publishing AI Output to your connected WordPress site) or when you explicitly consent.
We do not sell personal data.
5.6 Google API Services User Data — Limited Use
When you connect your Google account to the Service (for example, to enable Google Search Console or Google Analytics 4 features), Aergos receives data from Google APIs. Aergos's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Google OAuth scopes we request, and how each is used. Aergos requests only the minimum scopes necessary to provide the features you have enabled:
- https://www.googleapis.com/auth/webmasters.readonly — read-only access to your Google Search Console properties. Used to import search-performance data (queries, clicks, impressions, positions, page-level metrics) into the Service so we can present SEO insights, audits, and reports for the site you authorize.
- https://www.googleapis.com/auth/analytics.readonly — read-only access to your Google Analytics 4 properties. Used to import traffic, source, and engagement metrics into the Service so we can present analytics dashboards and reports for the property you authorize.
- https://www.googleapis.com/auth/userinfo.email — read-only access to the email address of the Google account you are connecting. Used solely to label the connection in the Service so you and other administrators on your Account can identify which Google account each connection belongs to.
You can revoke Aergos's access at any time from your Google Account permissions page or by disconnecting the integration inside the Service.
How we use Google user data. Data obtained from Google APIs is used solely to provide and improve user-facing features of the Service for the Account that authorized the connection. Specifically:
- We do not use Google user data to develop, train, fine-tune, evaluate, or improve any generalized or non-personalized AI or machine-learning model, whether owned by Aergos or by any third party (including any AI Provider listed at https://www.aergos.ai/sub-processors).
- We do not sell or transfer Google user data, and we do not share Google user data with advertising networks, data brokers, or any third party for advertising, marketing, marketing-measurement, credit, lending, or interest-based-advertising purposes. This restriction applies to Google user data regardless of any general advertising or marketing-measurement activities described elsewhere in this Policy. Aergos does not engage in advertising or marketing to its customers using Google user data.
- We do not allow humans to read Google user data except (a) with your explicit consent, (b) where necessary for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.
- Google user data may be sent at runtime to the AI Providers listed at https://www.aergos.ai/sub-processors as context for an inference request, solely to generate the user-facing output you have requested. Aergos engages those AI Providers under contractual terms that prohibit them from retaining your inputs for model training. Google user data is not used to train any AI model, period.
- We transfer Google user data only to sub-processors strictly necessary to provide the Service (for example, our cloud hosting provider for storage and processing), and only under contracts requiring those sub-processors to provide protections at least as strong as those described in this Policy.
6. Data retention
| Data | Retention |
|---|---|
| Account profile | For the life of the Account, plus up to 30 days after deletion to complete purge. |
| Billing records and invoices | 7 years (U.S. federal and state tax retention requirements). |
| Transactional emails sent | 90 days, except where required longer for dispute defense. |
| Request logs (IP, User-Agent) | 90 days. |
| Error monitoring data | Per our error-monitoring provider's default retention (currently up to 30 days). |
| Analytics | Up to 14 months (in line with our analytics provider's standard retention). |
| Customer Content you delete | 30-day soft-delete grace period, then purged. |
| OAuth tokens | Until you disconnect the integration or delete your Account, then purged. |
| Passwords | Hashes only; deleted when Account is deleted. |
After the retention period, personal data is either deleted or anonymized. Backups containing personal data may persist for up to 90 days beyond the retention period in secure, read-only archives.
7. Cookies and similar technologies
- Strictly necessary (always on): authentication tokens (stored in browser storage, not HTTP cookies in most cases), load balancing, security.
- Analytics: a tag-manager container and analytics cookies (retention up to 14 months). Used to measure product usage in aggregate.
- Advertising (once enabled): advertising-measurement pixels and associated cookies (typical retention up to 90 days). Used to measure marketing-campaign effectiveness. Not currently deployed; we will update this Policy when deployment begins.
- Error monitoring: our error-monitoring provider may place a first-party cookie for session correlation during error reporting.
Specific vendors providing these technologies are listed at https://www.aergos.ai/sub-processors.
Your choices:
- The cookie consent banner we present to visitors in regions that require it (currently EU/UK).
- Your browser's privacy settings (e.g., block third-party cookies, Do Not Track).
- Industry opt-outs such as the Network Advertising Initiative and Digital Advertising Alliance.
We respect Global Privacy Control (GPC) signals as an opt-out of "sale" or "sharing" under CCPA/CPRA (see § 14).
8. Sub-processors (service providers)
| Sub-processor / Category | Purpose | Personal data received | Location |
|---|---|---|---|
| Payment processing | Billing and subscription management | Billing name, email, payment method token, transaction metadata | United States |
| Communications — transactional and (where opted in) marketing email and SMS | Email and SMS delivery | Email address, phone number, name, message content | United States and European Union |
| Analytics and tag management | Product usage analytics | Pseudonymous analytics identifiers, IP address (truncated where configured), event data | United States and global edge networks |
| OpenAI, L.L.C. | AI content generation; AI Visibility web-search query | Prompts, AI Visibility queries (brand + keyword + location) | United States |
| Anthropic, PBC | AI content generation; AI Visibility query | Prompts, AI Visibility queries | United States |
| Google LLC (Gemini API) | AI content generation; AI Visibility grounded-search query | Prompts, AI Visibility queries | United States |
| Perplexity AI, Inc. | AI Visibility citation discovery | AI Visibility queries (brand + keyword + location) | United States |
| DataForSEO LLC | SERP data, AI Overviews data, keyword data | Keywords, domains tracked | United States |
| Advertising measurement (once enabled) | Marketing campaign measurement | Pseudonymous browser identifiers, page events | United States |
A current and authoritative list of specific sub-processors is maintained at https://www.aergos.ai/sub-processors. We update that page as sub-processors change. Customers subject to a Data Processing Addendum receive advance notice of material sub-processor changes as required by their DPA.
In addition to the above, we engage infrastructure providers (cloud hosting, crawler infrastructure, application monitoring) to run our own Service code. These providers process personal data on our behalf under written data-protection terms but are not independent recipients of your personal data. The specific infrastructure providers we use are listed in our Data Processing Addendum; email [email protected] to request a copy.
9. International data transfers
Aergos is headquartered in the United States and hosts the primary Service infrastructure in U.S. regions. If you are located outside the United States, your personal data will be transferred to, and processed in, the United States and other countries where our sub-processors operate.
For transfers from the EEA, United Kingdom, or Switzerland to countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, as supplemented by the UK International Data Transfer Addendum where applicable; and
- Supplementary measures such as field-level encryption of sensitive credentials and access controls.
A Transfer Impact Assessment is available to enterprise customers on request at [email protected].
10. Security
- Encryption in transit for all connections to the Service (TLS 1.2+).
- Encryption at rest for database storage, using our cloud hosting provider's default database encryption.
- Field-level encryption (AES-256-GCM) for OAuth tokens and Third-Party Service credentials.
- Password hashing using bcrypt with industry-standard cost parameters.
- Role-based access control (RBAC) limiting internal access on a need-to-know basis.
- Secure secret management using our cloud provider's managed secret-storage service.
- Continuous error monitoring and security logging.
No system is perfectly secure. If you believe your Account is compromised, contact [email protected] immediately.
11. Your rights
- Access — know what personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure / deletion — request deletion of your personal data, subject to legal retention obligations.
- Portability — receive a machine-readable copy of data you provided.
- Objection / restriction — object to or restrict certain processing (e.g., direct marketing).
- Withdraw consent — where processing is based on consent.
- Non-discrimination — we will not deny or degrade the Service for exercising your rights.
How to exercise your rights: email [email protected] from the Account email of the request. We will respond within 30 days (or within the period required by applicable law). Residents of the EU/UK may also lodge a complaint with their local supervisory authority.
12. Marketing communications
We send transactional emails necessary to operate the Service (these are not opt-out). For marketing emails (product updates, promotional content), we obtain opt-in consent where required by law and provide an unsubscribe link in every such email. You can also email [email protected] to opt out.
13. Data Processing Addendum (Agency Customers)
If you are an Agency or Agency Pro Customer processing personal data of your end-clients or their site visitors through Aergos, a Data Processing Addendum (DPA) is available on request at [email protected]. The DPA governs Aergos's role as a sub-processor, incorporates the EU SCCs, and specifies roles, responsibilities, and breach-notification timelines.
14. California, Colorado, and other U.S. state privacy rights
If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or other U.S. states with comprehensive consumer-privacy laws, you have rights specific to your state, generally including the right to know, delete, correct, and limit the use of your personal data, and to opt out of "sale" or "sharing" for targeted advertising.
We do not sell personal data as "sale" is commonly defined. Once advertising pixels are deployed for marketing, that activity may constitute "sharing" for targeted advertising under CCPA/CPRA; at that point we will provide a conspicuous "Do Not Sell or Share My Personal Information" link. We currently honor Global Privacy Control (GPC) signals as an opt-out.
To exercise your state privacy rights, email [email protected]. We will respond within the time period required by applicable law (typically 45 days for CCPA).
Notice at collection (California residents). We collect the categories of personal data described in § 2 for the purposes described in § 3. We do not knowingly collect personal data of Californians under age 16.
15. Children
The Service is not directed to children under 18. We do not knowingly collect personal data from children under 18. If you believe a child under 18 has provided personal data to us, contact [email protected] and we will delete it.
16. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify Account holders by email to the Account email on file and post a notice on our website at least 30 days before the changes take effect. The "Last Updated" date above reflects the current version. Prior versions are available on request at [email protected].
17. Contact
Privacy inquiries, rights requests, and complaints:
Aergos Inc.
Attn: Privacy
2810 N Church St, PMB 572280
Wilmington, DE 19802-4447, USA
Email: [email protected]
End of Privacy Policy v1.3.1