
Privacy Policy

Last updated: March 23, 2026

1. Introduction

Brightwill ("we," "us," or "our") operates the website located at brightwill.ai and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you access or use the Service. By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

We collect the following categories of information:

2.1 Information You Provide

  • Account information: your name, email address, and profile picture when you register using email/password or Google OAuth sign-in.
  • Business information: business name, category, location, product or service description, target audience, and website URL that you submit for AI visibility analysis.
  • Payment information: billing details processed securely by Stripe, Inc. We do not store, access, or retain your credit card number, CVV, or full card details on our servers.
  • Communications: any information you provide when contacting our support team at [email protected], including the content of your messages.
  • Waitlist and signup data: your name, email, business name, and website URL submitted through signup or waitlist forms.

2.2 Information Collected Automatically

  • Device and browser data: IP address, browser type and version, operating system, device type, and screen resolution.
  • Usage data: pages visited, features used, analysis reports viewed, timestamps, referring URLs, and click patterns.
  • Geolocation data: approximate location derived from your IP address, used to pre-fill location fields and for rate limiting.
  • Cookies and session data: authentication session cookies managed by Supabase Auth, stored as HTTP-only secure cookies. We do not use third-party advertising or tracking cookies.

2.3 Information from Third Parties

  • Google OAuth: when you sign in with Google, we receive your name, email address, and profile picture from Google. We do not access your Google contacts, Gmail, Google Drive, Calendar, or any other Google services.
  • Stripe: we receive transaction confirmation data (payment status, amount, timestamp) but not your full payment card details.

3. How We Use Your Information

We use the information we collect for the following purposes:
  • Service delivery: to perform AI visibility analyses by querying third-party AI engines (ChatGPT, Claude, Gemini) with your business name and publicly available business information, and to generate reports based on the responses.
  • Account management: to create and maintain your account, link analysis reports to your profile, and enable you to access your dashboard and report history.
  • Payment processing: to process one-time audit payments and recurring subscription charges through Stripe, and to verify payment status before delivering paid features.
  • Transactional communications: to send you report delivery notifications, payment confirmations, subscription updates, and other service-related emails via Resend.
  • Service improvement: to monitor system health, identify and fix bugs, analyze aggregate usage patterns, and improve the accuracy and relevance of our analysis methodology.
  • Security and fraud prevention: to enforce rate limits (5 free audits per IP per hour), detect abuse, prevent unauthorized access, and protect the integrity of the Service.
  • Subscription services: for GEO Managed subscribers, to generate and deploy optimization assets (schema markup, llms.txt files, FAQ content, meta tag recommendations) to your website via our script tag system, and to perform monthly re-audits.
  • Legal compliance: to comply with applicable laws, regulations, legal processes, or governmental requests.

4. Information Shared with AI Engines

When you run an analysis, we send queries containing your business name, category, location, and publicly available information to third-party AI engines (OpenAI ChatGPT, Anthropic Claude, Google Gemini). These queries simulate how a potential customer might ask about your business. We do not send your email address, payment information, account credentials, or any private data to these AI engines. The AI engines process these queries according to their own privacy policies and terms of service.

5. Third-Party Service Providers

We use the following third-party services to operate the Service. Each provider processes data according to its own privacy policy:
  • Supabase (supabase.com): user authentication, database hosting, and session management.
  • Stripe (stripe.com): payment processing for one-time audits and recurring subscriptions. Stripe is PCI-DSS Level 1 certified.
  • OpenAI (openai.com): ChatGPT AI engine used for business visibility analysis and structured data extraction.
  • Anthropic (anthropic.com): Claude AI engine used for business visibility analysis.
  • Google AI (ai.google.dev): Gemini AI engine used for business visibility analysis.
  • Resend (resend.com): transactional email delivery for reports, payment confirmations, and service notifications.
  • Alibaba Cloud: server infrastructure and hosting.
  • GitHub: source code hosting and CI/CD deployment.
We do not sell, rent, or trade your personal information to any third party for advertising or marketing purposes.

6. Data Sharing and Disclosure

We may share your information only in the following circumstances:
  • With your consent: when you explicitly authorize us to share information, such as generating a public shareable report link.
  • Service providers: with the third-party providers listed in Section 5, solely to the extent necessary to operate the Service.
  • Legal requirements: if required by law, regulation, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
  • Aggregate data: we may share anonymized, aggregated data that cannot reasonably be used to identify you (e.g., industry-level visibility trends) for research or marketing purposes.

7. Data Retention

  • Free analysis reports: retained for 24 hours from creation, after which they expire and are no longer accessible.
  • Paid analysis reports: retained indefinitely so you can access them at any time through your account or via the shareable report link.
  • Account data: retained for as long as your account is active. Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., payment records for tax compliance).
  • Subscription data: retained for the duration of your subscription and for 90 days after cancellation for dispute resolution and record-keeping.
  • Server logs: automatically purged after 90 days.
You may request deletion of your account and associated data at any time by contacting us at [email protected].

8. Data Security

We implement industry-standard technical and organizational measures to protect your personal information, including:
  • All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
  • Sensitive credentials (such as SMTP passwords for our outreach system) are encrypted at rest using AES-256-GCM encryption.
  • Authentication is managed through Supabase Auth with secure HTTP-only session cookies, which cannot be read by client-side scripts and so protect session tokens from cross-site scripting attacks.
  • Payment processing is handled entirely by Stripe, which is PCI-DSS Level 1 certified. We never store or process card details on our infrastructure.
  • Our servers are hosted on Alibaba Cloud VPC with restricted network access and automated deployment via GitHub Actions CI/CD.
  • Administrative access to the platform is protected by separate cookie-based authentication with session expiry.
While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

9. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:
  • Right of access: request a copy of the personal data we hold about you.
  • Right of correction: request correction of inaccurate or incomplete personal data.
  • Right of deletion: request deletion of your personal data, subject to legal retention requirements.
  • Right to data portability: request your data in a structured, machine-readable format.
  • Right to withdraw consent: withdraw your consent to data processing at any time, where processing is based on consent.
  • Right to object: object to processing of your personal data for certain purposes.
  • Right to unsubscribe: opt out of marketing or promotional emails at any time by clicking the unsubscribe link included in every email, or by contacting us directly.
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to these countries. We take steps to ensure that your data receives adequate protection in accordance with this Privacy Policy.

11. California Privacy Rights (CCPA)

If you are a California resident, you have the right to: (a) request disclosure of the categories and specific pieces of personal information we have collected about you; (b) request deletion of your personal information; (c) opt out of the sale of your personal information. We do not sell personal information. To exercise your CCPA rights, contact us at [email protected].

12. European Data Protection (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases: (a) your consent; (b) performance of a contract (providing the Service); (c) our legitimate business interests (improving the Service, fraud prevention); (d) compliance with legal obligations. You have the right to lodge a complaint with your local data protection authority.

13. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

14. Do Not Track Signals

Our Service does not currently respond to "Do Not Track" (DNT) browser signals. We do not use third-party advertising trackers. Our use of cookies is limited to authentication session management.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Privacy Policy on this page and update the "Last updated" date at the top. If we make material changes, we will notify you by email (if you have an account) or by placing a prominent notice on the Service. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Brightwill
Email: [email protected]
Website: brightwill.ai