Privacy Policy

1. Data Controller & Contact

The data controller responsible for your personal data is:

If you have any questions about how we handle your data, please contact us at the email address above.

2. What This Policy Covers

This Privacy Policy explains how OBIT collects, uses, stores, and protects your personal data when you:

• Visit our website
• Create an account and sign in
• Use our AI search visibility tracking product
• Make a payment or manage your subscription
• Receive communications from us

OBIT is an AI search visibility tracking platform that helps brands monitor how they appear in AI-generated search results.

3. Information We Collect When You Visit Our Website

When you visit our website, we may collect the following data:

• Google Analytics: Anonymised usage data including pages visited, session duration, referring source, and general geographic location. This data is processed by Google LLC.
• Cookies: We use cookies to remember your preferences (such as cookie consent and theme settings). See Section 12 for details on our cookie usage.
• Hosting: Our website is hosted on infrastructure that may log IP addresses and basic request data for security and performance purposes.

4. Information We Collect When You Create an Account

When you sign up for OBIT, we collect:

• Authentication data: Your email address and, if you sign in via a social provider (e.g. Google), the profile information shared by that provider. This is processed through Clerk, our authentication provider.
• Account data: Your user profile, subscription status, and account preferences, stored in our database hosted on Convex.

5. Information We Collect When You Use Our Product

When you use OBIT to track your AI search visibility, we collect and store:

• Brand names and keywords you configure for tracking
• AI search prompts used for visibility monitoring
• Visibility results, citation data, and competitor analysis outputs
• Dashboard preferences and configuration settings

This data is stored in our Convex database and is associated with your account.

6. Information We Collect When You Make a Payment

Payments are processed by Stripe. We do not store your full credit card number or bank details on our servers. Stripe is PCI DSS compliant and handles all payment card data directly. We receive and store:

• Stripe customer and subscription identifiers
• Payment status and billing history
• The last four digits of your card (for display purposes)

7. Communications

We may send you:

• Transactional emails: Account verification, password resets, payment receipts, and subscription updates. These are necessary for delivering our service.
• Product communications: Service announcements, feature updates, and important changes to our platform.

8. Lawful Basis for Processing

Under Article 6 of the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following lawful bases:

• Performance of a contract (Art. 6(1)(b)): Processing necessary to provide our service to you, including account creation, subscription management, and AI visibility tracking.
• Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including service improvement, security, fraud prevention, and analytics, where these interests are not overridden by your rights and freedoms.
• Consent (Art. 6(1)(a)): Where we rely on your consent, such as for analytics cookies and any future marketing communications. You may withdraw your consent at any time.
• Legal obligation (Art. 6(1)(c)): Where we are required by law to process your data, for example for tax and accounting purposes.

9. International Data Transfers

Some of our third-party service providers are based in the United States. When your personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place as required by UK GDPR, including:

• UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to EU Standard Contractual Clauses
• Adequacy decisions by the UK Secretary of State where applicable

Our key US-based processors include:

• Clerk — Authentication and user management
• Convex — Database and backend infrastructure
• Stripe — Payment processing
• Google LLC — Analytics (Google Analytics)

10. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our services. Specifically:

• Account data: Retained while your account is active. Deleted within 30 days of account termination upon request.
• Visibility data: AI tracking results and analytics are retained while your account is active.
• Payment records: Retained for up to 7 years as required by tax and accounting regulations.
• Analytics data: Google Analytics data is retained in accordance with Google's data retention policies.

11. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data in certain circumstances.
• Right to restriction: Request that we limit how we use your data.
• Right to data portability: Receive your data in a structured, commonly used format.
• Right to object: Object to processing based on legitimate interests or for direct marketing.
• Rights related to automated decision-making: We do not carry out solely automated decision-making that produces legal effects concerning you.

To exercise any of these rights, please contact us at team@obitinsights.com. We will respond within one month, as required by law.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

12. Cookies

We use a small number of cookies on our website:

• Essential cookies: Cookie consent preference and theme setting. These are necessary for the website to function and do not require consent.
• Analytics cookies: Google Analytics cookies that help us understand how visitors use our site. These are only set with your consent.
• Authentication cookies: Set by Clerk to maintain your signed-in session. These are necessary for the service to function when you have an account.

You can manage your cookie preferences at any time using the cookie consent banner that appears when you first visit our site, or by adjusting your browser settings.

13. Children's Data

OBIT is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you via email or through a notice on our website.

15. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us: