Privacy Policy

    Last updated: 12 April 2025 · Effective: 12 April 2025

    AIO Labs Limited ("AIO", "we", "us", "our") operates the website at aio.io and the AIO platform - an Artificial Intelligence Optimisation (AISO) SaaS application ("Platform"). This Privacy Policy explains how we collect, use, share, and protect personal information about you when you visit our website, use our Platform, or interact with us in any way.

    This policy applies to users worldwide, with specific provisions for residents of the United Kingdom and European Economic Area (UK/EEA) under UK GDPR / EU GDPR, and for residents of California and other US states under applicable state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the CPRA.

    By using our website or Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please stop using our services.

    1. Who We Are and How to Contact Us

    AIO Labs Limited is the data controller for personal data collected through our website and Platform.

    Registered address: AIO Labs Limited, 60 Tottenham Court Road, Office 1097, Fitzrovia, London, W1T 2EW, United Kingdom

    Privacy enquiries: [email protected]

    General contact: [email protected]

    For California residents: you may also submit privacy requests via email at the address above, and we will respond within 45 days as required by the CCPA.

    2. Information We Collect

    2.1 Information You Provide Directly

    • Account registration: your name, email address, and password (or magic-link credential). We use a secure authentication system and never store plaintext passwords.
    • Organisation profile: your company name, website URL, industry, and any business information you enter when setting up your AIO account.
    • Platform content: prompts, competitor names, keywords, and other business data you input into the Platform to generate AI visibility reports and recommendations.
    • Communications: emails, support tickets, or messages you send to us, including their content and metadata.
    • Free report requests: your name, email address, and website URL submitted through our free AI visibility report tool.
    • Team member invitations: email addresses of colleagues you invite to join your Organisation on the Platform.

    2.2 Information Collected Automatically

    • Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and time zone.
    • Usage data (website): pages visited, time spent on each page, referring URLs, links clicked, scroll depth, and navigation paths across our marketing website.
    • Usage data (dashboard): features accessed, prompts run, reports generated, reports downloaded, team actions, billing actions, and session duration within the authenticated Platform.
    • Authentication tokens: session tokens stored in your browser's localStorage to keep you logged in. These are cryptographically signed and expire automatically.
    • Log data: server-side logs recording API requests, timestamps, response codes, and error events for security monitoring and debugging purposes.

    2.3 Payment Information

    All payment processing is handled by Stripe, Inc., a PCI DSS-compliant payment processor. We do not store, transmit, or have access to your full card number, CVV, or bank account details. When you subscribe to a plan:

    • Stripe collects and processes your card or payment method details directly.
    • We receive a tokenised payment method reference, the last 4 digits of your card, card brand, and expiry date.
    • We store your Stripe customer ID, subscription ID, plan details, billing history, and invoice records.
    • We receive webhook events from Stripe (e.g. payment succeeded, subscription cancelled) to update your account status.

    Stripe's privacy policy is available at stripe.com/privacy.

    2.4 Cookies and Tracking Technologies

    We use the following types of cookies and similar technologies:

    • Strictly necessary cookies: session tokens and authentication state stored in localStorage. These are required for the Platform to function and cannot be disabled. They do not track you across other websites.
    • Preference cookies: storing your cookie consent choice (aio_cookie_consent) and UI preferences. These expire after 1 year.
    • Analytics cookies (with consent): Google Analytics 4 (_ga, _ga_*, _gid) to measure website traffic, page views, and user journeys. These are only set after you accept analytics cookies. GA4 data is anonymised, with IP anonymisation enabled. Data is retained for 26 months.
    • Stripe cookies: Stripe may set cookies during the checkout process for fraud prevention and payment security. These are governed by Stripe's cookie policy.

    You can manage your cookie preferences at any time via our cookie consent banner or our Cookie Policy page. Withdrawing analytics consent does not affect the lawfulness of prior processing.

    2.5 Information from Third Parties

    • AI engine data: when our Platform queries AI engines (ChatGPT, Claude, Gemini, Perplexity, Grok) to generate visibility reports, the responses - including citations, rankings, and summaries - are stored and associated with your account.
    • Public web data: our crawlers may index publicly available web pages associated with your domain to assess crawlability and structured data. We do not access password-protected content.

    3. How We Use Your Information

    • To create and authenticate your account and manage team members.
    • To deliver, maintain, and improve the AIO Platform and its features.
    • To generate AI visibility reports, prompt tracking data, competitor analyses, citation builds, and crawlability assessments for your organisation.
    • To process subscription payments, issue invoices, and manage billing events via Stripe.
    • To send transactional emails: magic-link logins, billing receipts, subscription confirmations, team invitations, and report notifications.
    • To send marketing emails and product updates where you have consented or where we have a legitimate interest (you can unsubscribe at any time).
    • To provide customer support and respond to your enquiries.
    • To monitor Platform security, detect fraud, and investigate misuse.
    • To analyse aggregate usage patterns and improve the Platform's performance and user experience.
    • To comply with legal obligations, enforce our Terms and Conditions, and resolve disputes.

    We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects without human review.

    4. Legal Basis for Processing (UK/EEA Users)

    For users in the UK or EEA, we rely on the following legal bases under UK GDPR / EU GDPR:

    • Contractual necessity (Art. 6(1)(b)): processing account data, organisation data, platform content, and payment records is necessary to perform our contract with you.
    • Legitimate interests (Art. 6(1)(f)): improving our Platform, preventing fraud and abuse, sending relevant marketing to existing customers, and maintaining security logs. We balance these interests against your rights and will not override your fundamental interests.
    • Consent (Art. 6(1)(a)): analytics cookies and optional marketing communications. You may withdraw consent at any time without affecting prior lawful processing.
    • Legal obligation (Art. 6(1)(c)): retaining financial records, responding to lawful government requests, and complying with applicable law.

    5. Your Rights

    5.1 UK/EEA Rights (UK GDPR / EU GDPR)

    • Right of access: request a copy of the personal data we hold about you.
    • Right to rectification: correct inaccurate or incomplete data.
    • Right to erasure: request deletion of your data, subject to our legal retention obligations.
    • Right to restrict processing: ask us to pause processing in certain circumstances.
    • Right to data portability: receive your data in a structured, machine-readable format (e.g. JSON or CSV).
    • Right to object: object to processing based on legitimate interests, including direct marketing (we will always honour marketing opt-outs).
    • Right to withdraw consent: at any time, where processing is consent-based.

    To exercise these rights, email [email protected]. We will respond within 30 days. You may also lodge a complaint with the Information Commissioner's Office (ICO) (UK) or your local supervisory authority (EEA).

    5.2 California Residents (CCPA / CPRA)

    If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:

    • Right to Know: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties we share it with.
    • Right to Delete: request deletion of personal information we have collected, subject to certain exceptions (e.g. completing a transaction, legal compliance).
    • Right to Correct: request correction of inaccurate personal information.
    • Right to Opt Out of Sale or Sharing: we do not sell personal information and do not share it for cross-context behavioural advertising. No opt-out is required, but you may contact us to confirm this.
    • Right to Limit Use of Sensitive Personal Information: we do not collect sensitive personal information as defined by the CPRA beyond what is necessary to provide the service.
    • Right to Non-Discrimination: we will not deny you services, charge different prices, or provide a lower quality of service because you exercised any of these rights.

    To exercise your California rights, email [email protected] with the subject line "California Privacy Request". We will verify your identity and respond within 45 days (extendable by a further 45 days with notice). You may designate an authorised agent to submit requests on your behalf.

    We do not knowingly collect personal information from California residents under 16 years of age. If we learn we have done so, we will delete it promptly.

    5.3 Other US State Rights

    Residents of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and opt out of certain processing. We honour these rights on request - email us at [email protected].

    6. How We Share Your Information

    We do not sell, rent, or trade your personal information. We share it only in the following circumstances:

    6.1 Service Providers (Processors)

    We share data with trusted third-party providers who process it on our behalf under written data processing agreements:

    • Stripe - payment processing and subscription management.
    • Supabase / PostgreSQL - database hosting and user authentication.
    • Google Analytics - website and app analytics (consent-only).
    • AI API providers (Anthropic, OpenAI, Google, Perplexity, xAI) - when our Platform queries these services to generate AI visibility data for your account. Queries contain your business domain and prompt text, not your personal contact details.
    • Email delivery provider - sending transactional and marketing emails on our behalf.
    • Cloud infrastructure - hosting, storage, and content delivery. Our primary infrastructure is located in the EU/UK.

    6.2 Legal and Safety Disclosures

    We may disclose personal information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law or respond to valid legal process (e.g. subpoenas, court orders); (b) protect the rights, property, or safety of AIO, our users, or the public; (c) detect and prevent fraud or security incidents.

    6.3 Business Transfers

    If AIO is acquired, merges with another company, or sells all or part of its assets, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

    7. International Data Transfers

    AIO operates globally. Your data may be transferred to, stored in, and processed in countries other than your country of residence, including the United Kingdom, the United States, and the European Union. These countries may have different data protection laws than your own.

    For transfers from the UK/EEA to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office or the European Commission, as applicable. For data transfers to the United States, our service providers are required to maintain appropriate safeguards under their respective data processing agreements.

    8. Data Retention

    • Account data: retained for the lifetime of your account and for 7 years after closure to comply with financial and legal obligations (e.g. VAT records, contract disputes).
    • Platform content (prompts, reports, AI data): retained for the lifetime of your account. You may delete individual items via the dashboard. All data is deleted within 90 days of account closure.
    • Payment records: billing history, invoices, and Stripe references are retained for 7 years for financial compliance.
    • Analytics data: Google Analytics data is retained for 26 months. Server logs are retained for 12 months.
    • Marketing suppression lists: if you opt out of marketing, we retain your email address on a suppression list indefinitely to honour the opt-out.
    • Free report submissions: retained for 24 months for follow-up purposes, unless you request deletion.

    9. Security

    We implement technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure, including:

    • All data in transit is encrypted via TLS 1.2 or higher (HTTPS).
    • Authentication tokens are cryptographically signed and time-limited.
    • Database access is restricted by role-based access controls with the principle of least privilege.
    • Payment data is handled exclusively by Stripe and is never transmitted through our servers in raw form.
    • We conduct regular security reviews and dependency auditing.
    • We employ server-side logging and alerting for anomalous access patterns.

    No method of electronic storage or transmission is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights, we will notify you without undue delay as required by applicable law (within 72 hours of us becoming aware, where required by UK/EU GDPR).

    10. Children's Privacy

    The AIO Platform is not directed at children under the age of 16 (or 13 in the United States). We do not knowingly collect personal information from children under these ages. If you believe we have inadvertently collected such information, please contact us at [email protected] and we will delete it promptly.

    11. Do Not Track

    Our website does not currently respond to browser "Do Not Track" signals, as there is no agreed industry standard for doing so. However, you may opt out of analytics cookies via our Cookie Policy settings, which achieves the same practical effect for our analytics tracking.

    12. Links to Third-Party Sites

    Our website and Platform may contain links to third-party websites (e.g. Stripe, AI engine providers, blog references). We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

    13. Changes to This Policy

    We may update this Privacy Policy at any time. We will notify you of material changes by email (to the address on your account) and by updating the "Last updated" date above. For significant changes, we will provide at least 14 days' notice before the change takes effect. We encourage you to review this page periodically.

    Continued use of our website or Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

    14. Contact and Complaints

    For any questions, concerns, or requests relating to this Privacy Policy or your personal data:

    UK/EEA users: if you are not satisfied with our response, you may lodge a complaint with the Information Commissioner's Office (ICO) or your local EU supervisory authority.

    California users: you may also contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.