Privacy Policy

Account details: your email address, optional name, and authentication credentials so you can access the product securely.

Website data: the domain you add, discovered URLs from your sitemap or import, GEO scan results (heading structure, schema, content quality scores), tracked prompts, competitor domains, and the citation history we generate by testing those prompts against AI engines.

AI engine response excerpts: when we test your tracked prompts, we store an excerpt (up to ~3,000 characters) of the AI engine's text response so we can detect brand mentions and benchmark against competitors. These excerpts are content generated by the AI engines, not content from your site.

Optional connected services: if you connect Google Analytics 4 (GA4) or Google Search Console (GSC), we store the OAuth refresh token (encrypted at rest) plus the property or site details you select. We use these only to fetch the metrics needed for the overlay or search-visibility views, and you can disconnect them at any time from Site Settings.

Integration data: if you create API tokens, we store only a one-way hash of the token plus a short visible prefix, never the full token in plaintext after creation. If you configure Slack or outgoing webhooks, we store the destination URL and any signing secret needed to deliver those events.

Operational telemetry: we keep limited request logs and error traces to operate the service reliably. These do not include the contents of your scans or citation results.

We use your data to verify domain ownership, run GEO scans on pages you own, run citation tests against AI engines using the prompts you've configured, generate reports and exec summaries, send transactional emails, and improve reliability and support.

We do not sell your customer data, and we do not use your scan or citation history to train any models.

AI engine providers (citation tracking): Anthropic (Claude), OpenAI (ChatGPT), Google (Gemini), and Perplexity. Each tracked prompt is sent to the provider you have configured; the provider's terms of service apply to that round-trip. We do not send the provider any of your account or website-discovery data — only the prompt text and the parameters needed to run a web-grounded query.

Google Analytics 4 (GA4) and Google Search Console (GSC) — only if you opt in by connecting them. We use Google's official OAuth flow and do not see your Google credentials.

PayPal — for paid subscriptions. We store the subscription identifier returned by PayPal so we can manage your plan; we never see or store your payment instrument.

Resend — for transactional emails (password reset, scheduled report delivery, alert notifications). The recipient address and the email payload pass through Resend per their terms.

Slack — only if you configure a Slack incoming webhook for workspace alerts or test messages.

Your outbound webhook receiver — only if you configure one. In that case, Sikwati sends the event payloads you asked to receive (`webhook.test`, `alerts.created`, `sov.updated`, `scan.completed`) to the URL you provided, optionally signed with your secret.

Sentry — when enabled by the operator of your deployment, used for error tracking. Configured to scrub user-identifying fields from captured events.

The hosting provider running the deployment you connect to. The operator of your deployment can name them on request.

We retain account and scan data while your account is active so your history and reports remain available. Citation results and GEO scan history accumulate over time — that's the value of using a tracker rather than a one-off prompt.

If you delete a website from your account, we delete its discovered pages, scan results, citation queries, citation results, competitor configurations, and share links. Aggregate alert and audit logs may persist briefly for operational integrity.

If you delete your account, we delete the associated websites and their data, subject to standard backup retention windows and any legal obligations. Backups roll off within 30 days.

Passwords are stored as bcrypt hashes, never plaintext. Sessions are HTTP-only cookies with the standard NextAuth protections.

Access is scoped per user: every database query that touches your data is filtered by your user ID or your workspace membership. There is no admin override path that bypasses this scoping in normal operation.

Sensitive tokens are protected before they hit the database. GA4 and GSC OAuth refresh tokens plus share-link access tokens are encrypted at rest. API tokens are stored as one-way SHA-256 hashes, and share-link lookup also uses a SHA-256 hash so the plaintext token is not present in any index.

Outbound fetches during scans go through an SSRF guard that resolves hostnames first and rejects private and link-local IP ranges, with the resolved IP pinned for the actual fetch to prevent DNS rebinding.

If you have a security question or want to disclose a vulnerability, contact the support channel for your deployment.

You can edit or remove tracked prompts, competitors, and websites from inside the app at any time, which removes the associated history.

You can disconnect GA4 or GSC from Site Settings, which removes the stored OAuth credentials for those integrations.

You can revoke API tokens, Slack webhooks, and outgoing webhooks from Settings or Workspace Integrations at any time.

You can revoke any share link you've generated, which immediately makes the report URL inaccessible to anyone holding it.

You can request account deletion through the support channel for your deployment.