GGeoFundamentals

Privacy Policy

Last updated: 21 May 2026

When we change data practices or features, update the date in lib/legal.ts.

1. Who we are and scope

GeoFundamentals ("we", "us", "our") operates https://geofundamentals.com and related tools and services for Generative Engine Optimisation (GEO).

We are the data controller for personal data collected through this website. This Privacy Policy applies to visitors, free-tool users, email subscribers, and paying customers.

For privacy questions or to exercise your rights, contact us at hello@geofundamentals.com.

2. Personal data we collect

We may collect the following categories of data depending on how you use the Service:

  • Identity & contact — email address, and name if you provide it when contacting us or creating an account.
  • Account & subscription — Stripe customer ID, subscription plan, status, billing period end, and (when you use account login) your Supabase user ID linked to your subscription.
  • Tool inputs — URLs, page content, brand names, keywords, images metadata, and other data you submit to free or paid tools so we can run analyses and generate outputs.
  • Lead & marketing — GEO scores, signal breakdowns, marketing opt-in preference, nurture stage, and source (e.g. geo-score-checker).
  • Usage & technical — IP address (for rate limiting and abuse prevention), browser type, pages visited, referrer, and approximate analytics via privacy-oriented analytics (see Cookies).
  • Communications — content of emails or enquiries you send us.
  • Payment — we do not store card numbers. Stripe processes payments as an independent controller/processor under Stripe's privacy policy.

3. Legal bases (UK GDPR)

We process personal data only where we have a lawful basis:

  • Contract — to provide tools and subscriptions you have signed up for, issue access after payment, and deliver transactional emails (e.g. score reports you request).
  • Legitimate interests — to secure and improve the Service, prevent abuse, analyse aggregate usage, and send service-related messages to existing customers (balanced against your rights).
  • Consent — for optional marketing emails and GEO tips. You may withdraw consent at any time via unsubscribe or by emailing us.
  • Legal obligation — where we must retain records (e.g. tax/accounting) or comply with law enforcement requests where required.

4. How we use your data

We use personal data to operate, deliver, and improve GeoFundamentals, including running tools, storing score intelligence, sending reports and (with consent) marketing emails, managing subscriptions, support, abuse prevention, and legal compliance.

We do not sell your personal data. We do not share it with third parties for their own marketing.

  • Running GEO Score Checker, Rewriter, Alt Text Optimiser, and other tools
  • Storing anonymous and identified score submissions for product intelligence (where configured)
  • Sending requested reports and, if you opt in, scheduled nurture emails via Resend
  • Managing subscriptions, restore-access flows, and Stripe Customer Portal
  • Responding to support and audit enquiries
  • Detecting fraud, abuse, and enforcing rate limits

5. Processors and international transfers

We use trusted sub-processors who may process data on our behalf. Key providers include:

  • Vercel — hosting and serverless functions (may process in the US; safeguards such as UK IDTA/SCCs where applicable)
  • Supabase — database, authentication, and storage (configure EU region where available)
  • Stripe — payments
  • Resend — email delivery
  • Anthropic — AI processing for rewriter, alt text, answer capsules, and related tools
  • OpenAI — AI processing where used (e.g. citation monitoring)
  • Perplexity — AI processing where used (e.g. citation monitoring)
  • Plausible Analytics (or equivalent privacy-oriented analytics) — aggregated site usage without advertising profiles

Where data is transferred outside the UK/EEA, we rely on appropriate safeguards (UK International Data Transfer Agreement, Standard Contractual Clauses, or adequacy decisions) as required by UK GDPR.

Content you submit to AI-powered tools may be transmitted to AI providers under their respective terms and privacy policies. Do not submit confidential, special-category, or third-party personal data unless you have a lawful basis and our tools are appropriate for that use.

6. Cookies and similar technologies

We use essential cookies for subscription session management (signed httpOnly cookie for paid access) and, when you log in, Supabase authentication session cookies.

We use analytics that aim to minimise personal tracking (e.g. Plausible). We do not use advertising or cross-site retargeting cookies.

You can block cookies in your browser; some features (paid tool access, login) may not work without essential cookies.

7. Retention

We retain data only as long as necessary:

  • Leads table — until you unsubscribe, request deletion, or we no longer need it for the purpose collected; marketing opt-out is honoured immediately for future emails.
  • Subscriptions — for the life of the subscription and a reasonable period after cancellation for billing disputes and legal compliance.
  • GEO submissions (anonymous/intelligence) — aggregated domain/score data may be retained for analytics; identifiable history will be tied to accounts when that feature launches.
  • Tool inputs — typically processed per request; not stored longer than needed unless you have an active account feature that saves history.
  • Payment records — up to 7 years for UK tax and accounting requirements.
  • Support emails — up to 2 years after the matter is closed.

8. Your rights

Under UK GDPR you may have the right to access, rectify, erase, restrict processing, data portability, object (including to direct marketing), and withdraw consent.

To exercise these rights, email hello@geofundamentals.com. We aim to respond within one month.

You may complain to the ICO (Information Commissioner's Office) at ico.org.uk. We encourage you to contact us first so we can resolve concerns.

9. Security

We use HTTPS, access controls on databases, signed session cookies, webhook signature verification (Stripe), rate limiting on sensitive APIs, and Row Level Security policies in Supabase where applicable.

No online service is completely secure; we cannot guarantee absolute security against all threats.

10. Children

The Service is not directed at children under 18. We do not knowingly collect children's personal data. Contact us if you believe we have done so and we will delete it.

11. Changes to this policy

We may update this policy when we add features (e.g. new tiers, monitoring, accounts), processors, or legal requirements.

Material changes will be reflected by updating the Last updated date at the top of this page and, where appropriate, notifying active subscribers by email.

Continued use after the effective date constitutes acceptance of the updated policy, except where the law requires explicit consent.