Privacy Policy

Last updated: January 2025

LLM Scout LTD ("LLM Scout," "we," "our," "us") respects your privacy. This Privacy Policy explains how we collect, use, protect, and share your information in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA).

1. Information We Collect

We collect information that you provide directly to us and information collected automatically when you use our services:

  • Account Data: name, email address, password (hashed and salted), company name (if provided), and account preferences.
  • Usage Data: pages visited, features used, search queries, API calls, timestamps, IP addresses (anonymized), browser type, device information, and session data.
  • Payment Data: processed securely by Stripe (PCI DSS Level 1 certified). We do not store credit card numbers, CVV codes, or full card details. We only store payment method identifiers and billing addresses.
  • Communication Data: support tickets, email correspondence, feedback, and survey responses.
  • Brand Data: brand names, domains, and monitoring preferences you configure.
  • Technical Data: log files, error reports, performance metrics, and system diagnostics.

2. How We Use Your Data

We use your information for the following purposes:

  • Service Delivery: To provide, maintain, and improve our AI tracking and monitoring services.
  • Account Management: To create and manage your account, authenticate users, process payments, and deliver purchased services.
  • Communication: To send service-related notifications, respond to support requests, send security alerts, and provide customer support.
  • Legal Compliance: To comply with legal obligations, enforce our terms, protect our rights, and respond to legal requests.
  • Analytics & Improvement: To analyze usage patterns, improve our services, develop new features, and conduct research (using aggregated, anonymized data).
  • Security: To detect, prevent, and address security threats, fraud, and unauthorized access.
  • Marketing: To send marketing communications (with your consent) about features, updates, and promotions. You can opt out at any time.

4. Sharing Data

We do not sell your personal data. We may share your information only in the following circumstances:

  • Service Providers: With trusted third-party service providers who perform services on our behalf under strict data processing agreements:
    • Stripe: Payment processing (PCI DSS Level 1 certified); see Stripe's Privacy Policy
    • Hosting Providers: Cloud infrastructure and data storage (with encryption and security measures)
    • Email Services: Transactional and marketing emails
    • Analytics Providers: Usage analytics (anonymized data where possible)
    • Support Tools: Customer support and ticketing systems
  • Legal Requirements: When required by law, court order, or government request, or to protect our rights and safety.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users).
  • With Your Consent: When you explicitly authorize us to share your information.

All third-party processors are contractually bound to handle your data in accordance with GDPR requirements and our privacy standards.

5. Data Security & Protection

We implement comprehensive technical and organizational measures to protect your data:

  • Encryption:
    • Data in transit: TLS 1.3 encryption for all web traffic and API communications
    • Data at rest: AES-256 encryption for sensitive data stored in databases
    • Password hashing: bcrypt with salt rounds for secure password storage
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for administrative accounts, least privilege principles, and regular access reviews.
  • Network Security: Firewalls, intrusion detection systems (IDS), DDoS protection, and regular security monitoring.
  • Infrastructure Security: Secure cloud hosting with SOC 2 Type II compliant providers, regular security audits, and vulnerability assessments.
  • Application Security: Secure coding practices, regular dependency updates, automated security scanning, and penetration testing.
  • Data Backup: Encrypted backups stored in geographically distributed locations with regular testing of restoration procedures.
  • Incident Response: Security incident response plan, 24/7 monitoring, and regular security training for staff.

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

  • Account Data: Retained while your account is active and for 7 years after account closure (for legal and tax compliance).
  • Usage Data: Retained for 2 years for analytics and service improvement purposes, then anonymized or deleted.
  • Payment Records: Retained for 7 years as required by financial regulations.
  • Communication Data: Retained for 3 years after the last interaction.
  • Marketing Data: Retained until you opt out or withdraw consent.

Upon expiration of the retention period, data is securely deleted or anonymized. You can request early deletion of your data (subject to legal requirements).

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) or the UK. We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers to non-EEA countries.
  • Adequacy Decisions: We rely on adequacy decisions where applicable (e.g., UK-US Data Bridge).
  • Binding Corporate Rules: Where available, we use binding corporate rules for international transfers.
  • Data Processing Agreements: All international processors are bound by GDPR-compliant data processing agreements.

By using our services, you consent to the transfer of your data to these locations in accordance with this policy.

8. Your Rights

Under GDPR, UK GDPR, and CCPA, you have the following rights:

  • Right of Access: Request a copy of your personal data and information about how it's processed.
  • Right to Rectification: Correct inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal obligations).
  • Right to Restrict Processing: Request limitation of how we process your data in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format and transfer it to another service.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Right to Non-Discrimination (CCPA): Exercise your privacy rights without discrimination.
  • Right to Opt-Out (CCPA): Opt out of the sale of personal information (we do not sell personal data).

To exercise these rights, contact us at privacy@llmscout.co. We will respond within 30 days (or as required by applicable law).

9. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (e.g., ICO in the UK) within 72 hours of becoming aware of the breach.
  • Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms.
  • Provide clear information about the nature of the breach, data affected, potential consequences, and measures taken to address it.
  • Provide guidance on steps users can take to protect themselves.

We maintain an incident response plan and conduct regular security assessments to minimize breach risks.

10. Compliance & Certifications

We are committed to compliance with data protection laws and industry standards:

  • GDPR Compliance: Fully compliant with EU General Data Protection Regulation (Regulation 2016/679).
  • UK GDPR Compliance: Compliant with UK GDPR and Data Protection Act 2018.
  • CCPA Compliance: Compliant with California Consumer Privacy Act requirements.
  • Data Processing Agreements: All third-party processors are bound by GDPR-compliant data processing agreements.
  • Security Standards: Our hosting infrastructure adheres to SOC 2 Type II standards.
  • Payment Security: Payment processing through Stripe (PCI DSS Level 1 certified).

For questions about our compliance posture, contact our Data Protection Officer at dpo@llmscout.co.

11. Cookies

We use cookies and similar technologies to enhance your experience. For detailed information about our cookie usage, including types, purposes, and how to manage them, please see our Cookie Policy.

12. Children's Privacy

Our services are not intended for individuals under 16 years of age (or 13 in the US). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@llmscout.co, and we will take steps to delete such information.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last updated" date.
  • Sending an email notification to registered users.
  • Displaying a prominent notice on our website.

Your continued use of our services after changes become effective constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or wish to exercise your privacy rights, please contact us:

LLM Scout LTD

56 Gloucester Road

London, SW7 4UB

United Kingdom

Email: privacy@llmscout.co (Privacy inquiries)

Email: dpo@llmscout.co (Data Protection Officer)

Email: support@llmscout.co (General support)

For UK GDPR complaints, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint