Privacy Policy
Last Updated: January 20, 2026
TL;DR
- We crawl your website when you submit it for audit
- We send your business info to AI models (GPT, Claude, Gemini, Perplexity) via OpenRouter
- We hash your IP to enforce free trial limits
- We store audit results until you delete them or cancel your subscription
- We don't train AI models with your data - we query what they already know
- You can delete your data anytime from your dashboard
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Password (hashed and encrypted)
- Business name (optional)
- Payment information (processed by Stripe, not stored by us)
1.2 Website Data You Submit
When you submit a website for audit, we:
- Crawl the submitted website URL
- Extract business information (name, location, services, contact info)
- Analyze page structure, content, and metadata
- Store this extracted information as part of your audit results
1.3 AI Model Queries
We send queries about your business to AI models via OpenRouter:
- Models queried: OpenAI ChatGPT, Anthropic Claude, Google Gemini, Perplexity
- Data sent: Your business name, location, service descriptions, and related context
- Purpose: To discover what these AI models already know about your business
- Important: We query what AI models know - we don't train them with your data
- Responses: AI model responses are stored as your audit results
1.4 Usage Data
- IP address (hashed for free trial enforcement)
- Browser type and version
- Pages visited and features used
- Audit requests and results
- Timestamps of activity
2. How We Use Your Information
2.1 Service Delivery
- Perform AI Engine Optimization audits on your website
- Generate personalized action plans and recommendations
- Track your AEO progress over time
- Send audit completion notifications
2.2 Free Trial Enforcement
- We hash IP addresses to enforce the one-free-audit-per-visitor limit
- Hashed IPs cannot be reverse-engineered to identify you
- We do not store raw IP addresses
2.3 Billing and Account Management
- Process subscription payments via Stripe
- Send billing receipts and subscription updates
- Manage account settings and preferences
2.4 Service Improvement
- Analyze aggregate usage patterns (not individual behavior)
- Improve audit accuracy and recommendations
- Develop new AEO features
3. Third-Party Services
We use the following third-party services to operate Xomer:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| OpenRouter | AI model access | Business info, queries | OpenRouter Privacy |
| Supabase | Database and auth | Account and audit data | Supabase Privacy |
| Cloudflare | Hosting and security | Website traffic data | Cloudflare Privacy |
| Stripe | Payment processing | Payment information | Stripe Privacy |
4. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion | Service access |
| Audit results | Until manual deletion or account cancellation | Progress tracking |
| Free audit IP hashes | 90 days | Trial enforcement |
| Usage logs | 30 days | Service improvement |
| Billing records | 7 years | Legal requirement |
5. Your Rights
5.1 Access and Control
- View your data: Access all stored audit results from your dashboard
- Delete audits: Remove individual audit results anytime
- Export data: Download your audit results in JSON format
- Delete account: Permanently delete your account and all associated data
5.2 Communication Preferences
- Unsubscribe from marketing emails anytime
- Control audit completion notifications in settings
- We'll still send critical service emails (billing, security)
6. Data Security
- All data transmitted via HTTPS encryption
- Passwords hashed with industry-standard algorithms
- Database access restricted to essential services
- Regular security audits and updates
- IP addresses hashed with a one-way function
7. California Privacy Rights (CCPA)
California residents have additional rights:
- Right to know: Request what personal information we collect
- Right to delete: Request deletion of your personal information
- Right to opt-out: Opt out of data sales (we don't sell data)
- Non-discrimination: We won't discriminate against you for exercising your rights
8. Children's Privacy
Xomer is not intended for users under 18 years old. We do not knowingly collect information from children. If you believe we've inadvertently collected information from a child, contact us immediately.
9. Changes to This Policy
We may update this Privacy Policy periodically. We'll notify you of significant changes via:
- Email to your registered address
- Prominent notice on our website
- Updated "Last Updated" date at the top of this page
10. Contact Us
For privacy questions or to exercise your rights:
- Email: privacy@xomer.com
- Support: support@xomer.com