Privacy Policy
Effective Date: March 10, 2026
1. Introduction
Welcome to GrepIQ ("we," "us," or "our"). GrepIQ is an AI visibility platform that helps local businesses understand and improve how they appear in AI search engines such as ChatGPT, Google Gemini, and Perplexity.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding that data. It applies globally and is designed to comply with the EU General Data Protection Regulation (GDPR), the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL), UAE data protection principles, and international best practices.
By using GrepIQ, you agree to the practices described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Full name
- Phone number and/or WhatsApp number (optional)
- Role or job title (optional)
2.2 Business Data
We fetch publicly available business information from the Google Places API, including:
- Business name, address, and geographic coordinates
- Google rating and review count
- Photos, opening hours, and service attributes (dine-in, takeout, delivery)
- Business category and type
- Website URL and phone number
2.3 AI Search Results
To assess your AI visibility, we send queries about your business to AI search engines (ChatGPT, Google Gemini, and Perplexity) and store the responses. These queries include your business name, category, and location.
2.4 QR Code and Feedback Data
- QR code scan counts and timestamps
- Staff names associated with QR codes
- Private customer feedback: ratings (1–3 scale), optional messages, and optional contact information submitted via review forms
2.5 Menu and Service Data
If you use our menu or service listing features, we store item names, descriptions, prices, and categories that you enter. We may also generate AI-enriched descriptions using Google Gemini to optimize your listings for AI search engines.
2.6 Usage Data
We collect basic usage data including page visits, feature usage patterns, and interaction timestamps to improve our services.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the GrepIQ platform
- Calculate your AI Visibility Score and generate competitive analyses
- Test how AI search engines perceive and recommend your business
- Generate AI-optimized business profiles and menu descriptions
- Send transactional emails (account verification, password resets, weekly briefings)
- Monitor and prevent abuse, fraud, and security threats
- Aggregate anonymized data to improve our scoring algorithms
4. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data on the following legal bases:
- Contractual necessity: Processing required to provide our services to you (account management, AI visibility scoring, competitor analysis).
- Consent: Where you have given explicit consent, such as opting into marketing communications or enabling AI-enriched content generation.
- Legitimate interest: Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, and conducting aggregate analytics, provided these interests do not override your rights.
5. Third-Party Services and Data Sharing
We do not sell your personal data. We share data only with the following third-party service providers, solely to operate our platform:
- Supabase — Authentication and database hosting
- Google Places API — Fetching publicly available business data
- OpenAI API — AI search testing (ChatGPT queries)
- Google Gemini API — AI search testing, search term generation, content enrichment, and weekly briefings
- Perplexity API — AI search testing
- Vercel — Application hosting and deployment
- Upstash Redis — Rate limiting
- Resend — Transactional email delivery
Each provider processes data in accordance with its own privacy policies and our data processing agreements. We may also disclose data if required by law, court order, or governmental authority.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States and the European Union. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent protections required by applicable local laws.
7. Data Retention and Deletion
We retain your personal data for as long as your account is active or as needed to provide our services. Historical audit data (AI Visibility Scores, competitor snapshots) is retained to show trends over time.
When you request account deletion, we process the request within 30 days. Upon deletion, we remove your account data, business data, and associated records from our systems. Some anonymized, aggregated data may be retained for analytical purposes.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Under the GDPR (EU/EEA)
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to restrict processing — request limited processing under certain conditions
- Right to withdraw consent — withdraw consent at any time where processing is based on consent
Under the KSA Personal Data Protection Law (PDPL)
- Right to be informed about data collection and its purpose
- Right to access and obtain a copy of your personal data
- Right to request correction or destruction of your data
Under UAE Data Protection Principles
- Right to access your personal data
- Right to correction of inaccurate data
- Right to request deletion of your data
To exercise any of these rights, please contact us at privacy@grepiq.com. We will respond to your request within 30 days.
9. Cookies and Tracking
GrepIQ uses essential cookies required for authentication and session management. We do not use third-party advertising trackers or analytics cookies. Our authentication provider (Supabase) sets secure, HTTP-only cookies to maintain your login session.
10. Children's Privacy
GrepIQ is designed for business professionals and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will notify you via email or through an in-app notification. The "Effective Date" at the top of this page indicates when the policy was last revised.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@grepiq.com