Privacy Policy
AGENTLAYER LLC d/b/a GeoScored | Version 1.0 | Last Updated: March 3, 2026
1. Introduction
AGENTLAYER LLC d/b/a GeoScored ("GeoScored," "we," "us," "our") operates the GeoScored service at geoscored.ai. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use our service.
By using GeoScored, you consent to the practices described in this policy. Your use of the service is also governed by our Terms of Service, which is incorporated by reference.
2. Data Controller
The data controller for personal data processed in connection with GeoScored is:
AGENTLAYER LLC d/b/a GeoScored5450 Highway 153 Ste 126 PMB 1010
Hixson, TN 37343
United States
Email: [email protected]
GeoScored is operated from the United States.
3. Information We Collect
3a. Account Information (provided by you)
- Email address (required for AI Visibility Screening gate and account creation)
- Name (if provided via Google OAuth)
- Google account identifier (if using Google sign-in)
3b. Scan Data (provided by you)
- URLs submitted for scanning
- Brand names submitted for AI Brand Check
- Scan results, scores, grades, and recommendations (generated by our service)
3c. Technical Data (collected automatically)
- IP address (used for rate limiting and security)
- Browser type and version (from HTTP headers)
- Pages visited and actions taken (via cookie-free analytics that collects no personal data)
- Session data (authentication state, stored in server-side session via essential cookies only)
4. How We Use Your Information
The table below sets out our processing activities, the data used, the legal basis under GDPR Article 6, and the applicable retention period.
| Processing Activity | Data Used | Legal Basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Deliver scan results | URL, brand name, email | Contract performance (Art. 6(1)(b)) | Duration of account for claimed scans; unclaimed AI Visibility Screenings retained permanently as anonymous data (no PII) |
| AI Brand Check queries | Brand name | Contract performance (Art. 6(1)(b)) | Query results cached short-term; anonymized benchmark data retained permanently |
| Email verification | Email, IP address | Contract performance (Art. 6(1)(b)) | Verification code expires after a short period; verification event logged |
| Marketing emails | Email, consent record | Explicit consent (Art. 6(1)(a)) | Until consent withdrawal |
| Transactional emails (scan results) | Email, scan data | Contract performance (Art. 6(1)(b)) | Email delivery logs: limited retention period |
| Rate limiting | IP address, email hash | Legitimate interest (Art. 6(1)(f)) | Automatically expiring |
| Security and abuse prevention | IP address, request logs | Legitimate interest (Art. 6(1)(f)) | Limited retention period |
| Payment processing | Payment details (handled by Stripe) | Contract performance (Art. 6(1)(b)) | Per Stripe's retention policy; GeoScored stores no payment card data |
| Aggregated statistics | Anonymized grade, domain (AI Visibility Screenings only) | Legitimate interest (Art. 6(1)(f)) | Permanent (no PII) |
| Service improvement | Anonymized usage patterns | Legitimate interest (Art. 6(1)(f)) | Aggregated, no PII |
5. AI Provider Data Disclosure
As part of our GEO audit, we query AI search providers with the brand name you submit to assess your brand's visibility in AI-generated responses. We use commercial API tiers where your data is not used for model training. These providers may retain query data for short periods for abuse monitoring and service delivery.
The following subprocessors receive data in connection with GeoScored's service. Data processing is governed by each provider's standard terms of service and data processing terms:
| Provider | Purpose | Data Shared | Retention | Training on Data? |
|---|---|---|---|---|
| Perplexity | AI Brand Check (free + Full GEO Audits) | Brand name, URL context | Per provider's data retention policy | No (commercial API) |
| OpenAI | AI Brand Check (Full GEO Audits only) | Brand name, URL context | Per provider's data retention policy | No (commercial API) |
| Anthropic | AI Brand Check (Full GEO Audits only) | Brand name, URL context | Per provider's data retention policy | No (commercial API) |
| Google (Gemini) | AI Brand Check (Full GEO Audits only) | Brand name, URL context | Per provider's data retention policy | No (commercial API) |
| Stripe | Payment processing | Payment details, email | Per Stripe policy | No |
| Resend | Transactional email delivery (primary) | Email address, email content | Per provider's data retention policy | No |
| Postmark | Transactional email delivery (backup) | Email address, email content | Per provider's data retention policy | No |
| Hetzner | Server hosting (US data center) | All data in transit (encrypted via TLS) | Duration of service | No |
| Sentry | Error monitoring and crash reporting | Error stack traces, request metadata (no PII in payloads) | Per Sentry's data retention policy | No |
| Plausible Analytics | Website analytics (cookie-free) | Page views, referrer (no personal data, no cookies) | Per Plausible's data retention policy | No |
| Google (OAuth) | Authentication | Google account ID, email, name | Per Google policy | No |
6. AI Visibility Screening Data Handling
- AI Visibility Screening results are held in temporary storage (Redis, 30 minutes) before email verification. If you do not complete email verification within 30 minutes, the scan data is discarded.
- After email verification, scan data is persisted to the database and associated with your account.
- Unclaimed AI Visibility Screenings (no email verification) are retained as anonymous analytical data. All user identifiers (email, IP address, session data) are discarded. Only the scanned URL and scan results are kept for benchmarking and service improvement.
- AI Visibility Screening domain and grade may appear in anonymized, aggregated public statistics (see Terms of Service, Section 8).
- Full (paid) scan results are private and never included in public aggregations.
7. Cookies and Tracking
GeoScored uses only strictly necessary cookies:
- Essential session cookie (
geo_session): Authentication state. Required for service delivery. Expires on browser close or after inactivity. - Essential security cookie (
csrf_token): Cross-site request forgery protection. Required for form submission security.
We use no tracking cookies, no advertising cookies, and no third-party cookies.
Website analytics are provided by a cookie-free, privacy-focused service that collects no personal data and requires no consent banner.
No cookie consent banner is required because all cookies are strictly necessary (ePrivacy Directive Article 5(3) exemption for cookies essential to service delivery).
8. Data Sharing and Disclosure
We do not sell your personal data. We share data only as follows:
- Service providers (subprocessors): Listed in Section 5, for service delivery purposes only.
- Legal requirements: If required by law, court order, or government request.
- Business transfers: In connection with a merger, acquisition, or sale of assets (with notice to affected users).
- Aggregated data: Anonymized, aggregated statistics contain no PII and may be shared publicly.
9. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account data | Until account deletion | Anonymized within 30 days of request |
| Paid scan results | Duration of account | Deleted with account |
| AI Visibility Screening results (claimed) | Duration of account | Deleted with account |
| AI Visibility Screening results (unclaimed) | Permanent (anonymous, no PII) | User identifiers discarded; URL and results retained for analytics |
| AI Brand Check cache | Short-term | Automatic expiry |
| Anonymized benchmark data | Permanent | Not deletable (no PII) |
| Consent records | Permanent (append-only audit trail) | Not deletable (legal requirement) |
| Server logs | Limited retention period | Automatic rotation |
| Rate limit counters | Automatically expiring | Automatic expiry |
10. Your Rights
All users
- Access: Request a copy of your personal data by emailing [email protected].
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and associated data.
- Export: Download your scan history.
EU/EEA/UK users (GDPR/UK GDPR)
- Right to erasure (Article 17): Request deletion; we comply within 30 days.
- Right to data portability (Article 20): Data export satisfies this right.
- Right to restrict processing (Article 18).
- Right to object to processing based on legitimate interest (Article 21).
- Right to withdraw consent for marketing emails at any time via the unsubscribe link in every email.
- Right to lodge a complaint with your local supervisory authority.
Note: Consent records are retained as an append-only legal audit trail even after account deletion, per GDPR Article 7(1) requirement to demonstrate consent was obtained.
California users (CCPA)
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. California residents may exercise their rights under the CCPA by contacting [email protected].
11. Data Security
- All data is encrypted in transit (TLS/HTTPS).
- Session data is stored server-side, not in client cookies.
- Payment data is handled entirely by Stripe (PCI DSS Level 1 certified); GeoScored never sees or stores payment card numbers.
- Access controls: API key authentication for API access, session authentication for web access.
- Regular security monitoring and server log review.
12. International Data Transfers
GeoScored operates from servers in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.
For EU/EEA users: transfers to our subprocessors are governed by the data transfer mechanisms included in each provider's standard terms, which may include Standard Contractual Clauses (SCCs) and participation in the EU-US Data Privacy Framework.
13. Children's Privacy
GeoScored is not directed at children under 13 (or 16 in the EU/EEA). We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will delete it promptly. Contact [email protected] if you believe a child has submitted data to our service.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email to registered users. The "Last Updated" date at the top of this page will be revised to reflect any changes. Continued use of GeoScored after changes are posted constitutes acceptance of the updated policy.
15. Contact and Data Controller
For privacy-related requests, questions, or to exercise your rights, contact the data controller:
AGENTLAYER LLC d/b/a GeoScored5450 Highway 153 Ste 126 PMB 1010
Hixson, TN 37343
United States
Email: [email protected]
For GDPR inquiries, contact the Data Controller at the address above. We aim to respond to all privacy requests within 30 days.