Privacy policy
Last updated 13 May 2026 · GDPR + nFADP compliant
1. Introduction
AuthorityOn AI (“we”, “our”, “us”) operates the website authorityon.ai and the AuthorityOn AI software platform (the “Service”). This privacy policy explains what data we collect, how we use and store it, the lawful basis on which we process it, and the rights you have over it.
We comply with the EU General Data Protection Regulation (GDPR) and the revised Swiss Federal Act on Data Protection (nFADP, in force since 1 September 2023). Where the two regimes differ, we apply whichever is stricter.
By using the Service, you accept this policy. If you do not accept it, please do not use the Service.
2. Data we collect
We collect only the data we need to deliver the Service and communicate with you.
2.1 Account data
- Identity: name, email address, organisation, role (when provided at sign-up)
- Authentication: hashed password, session tokens
- Billing: invoice address, VAT number (Stripe handles payment data; we never see the card number)
2.2 Service data
- Brands, products, leaders, competitors and other entities you configure
- Custom prompts you submit and the verbatim model responses we received
- Scores, dashboards, recommendations and stories derived from your entity set
- Usage logs: which pages you visited, which features you used
2.3 Technical data
- IP address (truncated to /24 for analytics purposes)
- Browser type, operating system, device class
- Referrer URL, UTM parameters
3. How we collect it
- Directly from you when you sign up, fill in a form, or configure the Service
- Automatically as you use the Service (usage logs, technical data)
- From third-party LLM providers (the verbatim responses they give us when we query them on your behalf)
- From integrations you authorise (Slack, your CRM, etc.)
4. How we use it
We process data for the following lawful purposes:
- Contractual necessity, to operate the Service: run scans, generate reports, send alerts, bill you.
- Legitimate interest, to improve the Service (debugging, performance, methodology refinement) using anonymised, aggregated usage data.
- Consent, for marketing emails about new features, product updates, or the rare research request. You can unsubscribe at any time.
- Legal obligation, to meet tax, accounting and regulatory requirements in Switzerland and the EU.
We do not sell your data. We do not share it with advertisers.
5. Where we store it
Data is encrypted at rest and in transit. Our primary infrastructure sits in the EU (Vercel + Supabase). Enterprise customers can elect Swiss data residency under a Data Processing Addendum.
Retention: account data is kept for the life of your subscription plus 12 months for accounting purposes. Service data (scan results, recommendations) is kept for the life of your subscription. On cancellation, you can export everything as JSON or CSV from your account; we delete it 30 days after the export window closes.
6. Sub-processors
We use a small number of vendors to deliver the Service. All have signed Data Processing Agreements with us.
- Vercel, hosting (EU region). DPA signed; SCCs in place.
- Supabase, database (EU region). DPA signed.
- Stripe, payments. PCI-DSS Level 1; we never see your card number.
- Resend, transactional email. DPA signed.
- LLM providers: OpenAI, Anthropic, Google, Mistral, xAI, Perplexity. We send only your configured prompts; we never share account-identifying information with them.
- Flagged for legal review: add any analytics or chat vendors once enabled.
7. Your rights
Under GDPR (Articles 15-22) and nFADP (Articles 25-32), you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase data we no longer have a lawful basis to keep (“right to be forgotten”)
- Restrict processing in defined circumstances
- Object to processing based on legitimate interest or for direct marketing
- Portability: receive your data in a structured, commonly used, machine-readable format (we deliver JSON and CSV)
- Withdraw consent at any time, where consent is the lawful basis we relied on
To exercise any of these rights, email dpo@authorityon.ai. We will respond within one month and free of charge in nearly all cases (Articles 12-15 GDPR; equivalent under nFADP).
8. Cookies
We use cookies sparingly and never without consent for anything beyond strict functional necessity. Choose your preferences via the banner that appears on your first visit; you can change them later from the footer link.
8.1 Functional (strictly necessary, no consent needed)
- next-auth.session-token, keeps you signed in
- aoa-cookies, records your cookie preference
- active_brand, remembers which brand you last viewed
8.2 Analytics (only if you accept)
- First-party analytics for aggregate page-view counts. No cross-site tracking, no profiling, no advertising IDs.
You can clear or block cookies at any time through your browser settings. Blocking the session cookie will sign you out.
9. Security
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Authentication uses bcrypt-hashed passwords with a work factor of at least 16; sessions are signed and httpOnly. We log all administrative access.
Breach notification: in the event of a data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, per Articles 33-34 GDPR.
10. Children
The Service is not intended for users under 16. We do not knowingly collect data from minors. If you believe a child has provided us data, please email dpo@authorityon.ai.
11. External links
Pages linked from authorityon.ai (methodology references, external sources cited in reports) are governed by the privacy policies of those sites, not this one.
12. Changes to this policy
We will post material changes to this page and email account-holders 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
13. Contact
Data Protection Officer: dpo@authorityon.ai
General privacy inquiries: privacy@authorityon.ai
Postal: AuthorityOn AI, by The Content Engine, Geneva, Switzerland
14. Supervisory authority
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the relevant supervisory authority:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch
- EU: the data protection authority of your member state. A directory is at edpb.europa.eu.
AuthorityOn AI · Privacy policy v1 · 13 May 2026