Privacy Policy

1. Definitions and Scope

"Personal Data" means any information relating to an identified or identifiable individual, such as a name, email address, IP address, or account credentials. In certain jurisdictions, this may also be referred to as "Personal Information."

This Policy applies when Topify acts as a data controller — that is, when we determine the purposes and means of processing your Personal Data. This includes when you visit our Site, register for an account, use the Services as an individual or in-house user, and when you communicate with us.

This Policy does not apply when we process Personal Data strictly on behalf of enterprise or business customers acting as data controllers. In those relationships, Topify acts as a data processor, and processing is governed by the applicable Data Processing Agreement ("DPA") between Topify and the relevant customer.

2. Controller and Contact

The data controller for Personal Data processed under this Policy is:

We are committed to responding to all privacy-related inquiries promptly and no later than within thirty (30) days.

3. Categories of Personal Data We Collect

3.1 Personal Data You Provide Directly

Account and Contact Information. When you register for or use the Services, we collect information such as your name, email address, company name, job title, and account credentials.

Brand and Project Inputs. To deliver the Service, we collect the brand URLs, brand names, competitor lists, prompts, and other inputs that you provide when setting up and managing projects within the platform.

Communications and Feedback. If you contact our support team, respond to surveys, or otherwise communicate with us, we collect the content of those communications and any other information you choose to provide.

Payment Information. When you subscribe to a paid plan, our payment processor Stripe collects and processes your payment details directly. We do not store your full payment card details. We may receive limited information from Stripe, such as the last four digits of your card, card type, and billing address, for invoicing and support purposes.

3.2 Personal Data Collected Automatically

When you visit our Site or use the Services, we automatically collect:

• Device and Technical Information: IP address, browser type and version, operating system, device identifiers, and device type.
• Usage Information: Pages and features viewed, actions taken within the platform, session duration, click patterns, and dates and times of access.
• Log Data: Server logs that may include your IP address, browser information, referring URLs, and error data.
• Location Information: We infer your approximate geographic location from your IP address.

3.3 Personal Data from Third Parties

If you choose to register or log in using a third-party account (such as Google), we receive certain profile data from that provider, such as your name, email address, and profile picture, as permitted by your privacy settings with that provider. We may also receive information from payment verification and data enrichment providers.

4. Purposes of Processing and Legal Bases

We process your Personal Data for the following purposes:

• Providing the Services — Processing inputs to generate GEO analytics, visibility/sentiment/position metrics, source analysis, and related outputs. Legal basis: contract performance.
• Account Management — Creating and managing your account, authenticating your identity, managing team members, and processing your subscription. Legal basis: contract performance.
• Billing and Payments — Processing subscription fees, generating invoices, and maintaining transaction records. Legal basis: contract performance; legal obligation.
• Communications and Support — Responding to inquiries, sending service notifications, and providing technical assistance. Legal basis: contract performance; legitimate interests.
• Marketing Communications — Sending newsletters, product updates, and promotional communications. Legal basis: consent (you may withdraw at any time).
• Product Analytics and Improvement — Analyzing how users interact with the Services to diagnose issues and develop new capabilities. Legal basis: legitimate interests; consent for non-essential tracking technologies.
• Security and Fraud Prevention — Detecting, preventing, and addressing fraudulent activity and unauthorized access. Legal basis: legitimate interests.
• AI Model Research and Development — Improving Topify's proprietary GEO algorithms using aggregated, de-identified usage patterns. We do not use your brand-specific Customer Data to train our models without your separate consent. Legal basis: legitimate interests; consent where required.
• Legal and Compliance — Complying with applicable laws, court orders, and governmental requests. Legal basis: legal obligation; legitimate interests.

5. Cookies and Tracking Technologies

5.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for core functionality such as authentication and session management. These cannot be disabled.
• Analytics and Performance Cookies: Help us understand how users interact with the Site and Services. We use tools such as Google Analytics and PostHog for this purpose.
• Functional Cookies: Remember your preferences (e.g., language, time zone) to provide a personalized experience.
• Targeting and Marketing Cookies: Used to deliver relevant marketing content on and off the Site. These are only placed with your consent.

5.2 Managing Your Cookie Preferences

Where required by law, we will ask for your consent before placing non-essential cookies. You can manage your preferences through:

• The cookie consent banner displayed on your first visit to the Site
• Your browser settings, which allow you to block or delete cookies
• The Google Analytics opt-out browser add-on
• Universal opt-out signals such as Global Privacy Control (GPC)

6. How We Share Personal Data

We do not sell your Personal Data to third parties. We may share your Personal Data with:

• 6.1 Service Providers and Processors. Trusted third-party vendors providing cloud infrastructure, payment processing, analytics, customer support, email delivery, and security. All service providers are contractually required to process Personal Data only as directed by us.
• 6.2 Business Transfers. If Topify is involved in a merger, acquisition, or sale of assets, your Personal Data may be transferred as part of that transaction. We will notify you of any such change.
• 6.3 Legal Disclosures. We may disclose your Personal Data if required by law, a court order, or a governmental request, or to protect the rights, property, or safety of Topify, our users, or the public.
• 6.4 With Your Consent. We may share your Personal Data with third parties when you have given us your express consent to do so.

7. International Data Transfers

Topify is headquartered in the United States and may store and process your Personal Data in the United States and other countries where our service providers operate. When we transfer Personal Data outside the EEA, UK, or Switzerland, we rely on appropriate legal safeguards, which may include Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement, or equivalent mechanisms. You may request a copy of the relevant transfer mechanism documentation by contacting us at support@topify.ai.

8. Data Retention

We retain Personal Data for as long as necessary to fulfill the purposes described in this Policy. Specific retention periods:

• Account Data: Retained for the duration of your active account and up to 30 days thereafter.
• Customer Data (Inputs, Projects, Outputs): Retained for the duration of your subscription, plus 30 days post-termination to allow data export.
• Billing and Transaction Records: Retained for a minimum of 7 years as required by applicable tax regulations.
• Support Communications: Retained for the duration of our relationship plus up to 2 years.
• Usage and Analytics Data: Retained in aggregated or de-identified form for up to 24 months.
• Cookies: Session cookies expire when you close your browser; persistent cookies are retained for up to 13 months.

9. Your Rights and Choices

9.1 Rights Available to All Users

• Right to Access: Request a copy of the Personal Data we hold about you.
• Right to Correction: Request that we correct inaccurate or incomplete Personal Data.
• Right to Deletion: Request that we delete your Personal Data.
• Right to Data Portability: Request a copy of your Personal Data in a machine-readable format.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw at any time.
• Right to Opt Out of Marketing: Unsubscribe from marketing emails via the unsubscribe link or by contacting us.

9.2 Additional Rights for EEA, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you also have the right to restriction of processing, the right to object to processing based on legitimate interests, and the right to lodge a complaint with your local data protection supervisory authority.

9.3 Additional Rights for California Residents (CCPA/CPRA)

California residents have the right to know, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information. We do not sell your Personal Data. We will not discriminate against you for exercising any of your CCPA/CPRA rights.

9.4 How to Exercise Your Rights

Contact us at support@topify.ai. We may ask you to verify your identity before fulfilling your request. We will respond within thirty (30) days.

10. Data Security

We implement commercially reasonable technical and organizational security measures to protect your Personal Data, including encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256), role-based access controls with multi-factor authentication, and regular security reviews. No method of electronic transmission or storage is 100% secure. If you become aware of any unauthorized access to your account, please notify us immediately at support@topify.ai.

11. Third-Party Links and Services

The Services or Site may contain links to third-party websites or services that are not owned or operated by Topify. This Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through the Services.

12. Children's Privacy

The Services are not intended for individuals under the age of 18. We do not knowingly collect Personal Data from anyone under 18. If we become aware that we have inadvertently collected Personal Data from a child under 18, we will promptly delete that information. Please contact us at support@topify.ai if you believe we may have collected such data.

13. Automated Decision-Making

Topify uses automated processing to generate GEO analytics metrics (Visibility, Sentiment, Position, CVR, AI Volume, and Source analysis). These metrics are provided to assist your business decision-making and do not constitute automated decisions that produce legal or similarly significant effects on you. We do not engage in automated profiling of individuals for purposes other than providing and improving the Services.

14. AI Processing and Third-Party AI Platforms

The Services involve querying third-party AI platforms (such as ChatGPT, Gemini, and Perplexity) with prompts to collect AI-generated responses for analysis. We send prompts designed to be general industry or market queries — we do not intentionally include your Personal Data in prompts sent to third-party AI platforms. Third-party AI platforms process data in accordance with their own privacy policies, and we are not responsible for their data practices.

We do not use your Customer Data to train third-party AI models or to train our own AI models without your separate consent.

15. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Site at least thirty (30) days before the changes take effect. Non-material changes may take effect immediately upon posting. Your continued use of the Services after notice of any changes constitutes your acceptance of the revised Policy.

16. Contact and Supervisory Authorities

If you have questions, concerns, or requests regarding this Policy or our processing of your Personal Data, please contact us:

If you are located in the European Economic Area, the United Kingdom, or Switzerland and believe we have not addressed your concern adequately, you have the right to lodge a complaint with the relevant supervisory authority in your country of residence.