Privacy Policy

How GEOrge handles your data.

Effective 30 April 2026

Sections 1. What we collect 2. Why we collect it 3. Third parties 4. Cookies & sessions 5. Retention 6. Your rights 7. International transfers 8. Security 9. Children 10. Changes 11. Contact

1. What we collect

Account information

When you sign up, we collect your name, email address, organization name, destination type and country, and a hashed password. Stripe also collects billing details for paid subscriptions; we receive only the metadata needed to fulfill your subscription (subscription ID, plan, status, and the last four digits of the card).

Configuration data

What you configure inside the product: prompts you add, competitor and partner names and keywords, target markets, alert recipients, and sector settings.

Measurement data

We send your prompts to large language model providers (see "Third parties" below) and store the responses, parsed metrics (mention rate, sentiment, citations, etc.), and our derived scores. This data is keyed to your organization and only visible to your authorized users.

Usage and telemetry

We log access events (sign-ins, IP address, user agent) for security and abuse detection, and we record pipeline-level metrics (LLM API call counts, error rates, costs) for service operation.

2. Why we collect it

Provide the service: running GEO measurement, computing your GVI, sending alerts and digests, displaying dashboards.
Billing: processing subscriptions through Stripe.
Security: detecting abuse, account takeover, and rate-limit violations.
Improvement: aggregated, anonymized telemetry helps us prioritize what to build.
Compliance: meeting tax, accounting, and legal obligations.

3. Third parties

We share data with the following processors strictly to operate the service:

Stripe — payment processing. Receives billing details directly; we don't store full card numbers. stripe.com/privacy
Supabase — Postgres database hosting (Canada region). Stores your account and measurement data. supabase.com/privacy
Render — application hosting and cron jobs. render.com/privacy
OpenAI — ChatGPT API. We send your prompts; OpenAI's API data-usage policy states they don't train on API inputs.
Anthropic — Claude API. Same usage model. anthropic.com/legal/privacy
Google — Gemini API and Google Maps (for the co-mention map). policies.google.com/privacy
Perplexity — Sonar API. perplexity.ai/hub/legal/privacy-policy
Resend — transactional email (signup verification, alerts, digests). resend.com/legal/privacy-policy

We do not sell your data. We do not use your data to train AI models, and we configure third-party LLM providers with API endpoints that exclude training where they offer the option.

4. Cookies and sessions

GEOrge uses a single first-party browser-storage entry (dmo_session_token) to keep you signed in. We do not use third-party tracking cookies, advertising pixels, or analytics tags on the dashboard. The public marketing pages (/, /pricing, /help) currently use no analytics either.

5. Data retention

We keep your account and configuration data for the life of your subscription. Measurement data is retained per the data-retention limit of your tier (30 days on Spark, 90 days on Essential, 365 days on Professional, 730 days on Premium). On account termination we retain everything for up to 90 days to allow for export or reactivation, then delete it. Aggregated, anonymized statistics may be retained indefinitely.

6. Your rights

Depending on your jurisdiction (GDPR, PIPEDA, CCPA, etc.), you may have the right to:

Access the personal data we hold about you
Correct inaccuracies
Request deletion ("right to be forgotten")
Export your data in a machine-readable format
Object to or restrict certain processing
Withdraw consent (where processing is based on consent)

To exercise any of these rights, email s@hawes.ai. We respond within 30 days.

7. International data transfers

GEOrge's primary infrastructure is hosted in Canada (Supabase ca-central-1). Some third-party processors (OpenAI, Anthropic, Stripe, Render) operate primarily in the United States. By using the service, you consent to your data being transferred to and processed in those jurisdictions. We rely on the standard contractual clauses, processor-specific safeguards, and adequacy frameworks where applicable.

8. Security

Passwords are hashed with bcrypt-equivalent strength. All connections use TLS. The database enforces row-level security so cross-tenant data access requires an explicit super-admin context. We log security-relevant events and review them regularly. No system is perfectly secure, but we treat this as a serious responsibility — please report any concerns to s@hawes.ai.

9. Children

GEOrge is a B2B tool for destination marketing organizations and is not directed at children under 16. We don't knowingly collect data from children. If you believe a child has submitted data, contact us and we'll delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced via email or an in-product notice at least 14 days before they take effect.

11. Contact

Privacy questions or rights requests: s@hawes.ai. Subject line "GEOrge Privacy" gets fastest routing.