Privacy Policy
Last updated: 2026-06-04. This statement describes which personal data GEO.GG (“we”) processes when you use our website and our SEO audit service, the purpose, and the legal basis. The EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) apply.
1. Controller
conflict.industries digital GmbH
Neukrapohl 5
41236 Moenchengladbach
Germany
E-mail: contact@geo.gg
For privacy questions, please use the same address. We are not required to appoint a Data Protection Officer under § 38 BDSG.
2. Processing activities at a glance
| Purpose | Data | Legal basis | Retention |
|---|---|---|---|
| Website operation (log files) | IP, timestamp, user agent, requested URL | Art. 6(1)(f) GDPR (legitimate interest: security, debugging) | up to 4 months (internal rotation usually earlier) |
| Error logging (caught server errors) | HTTP method, path, submitted form/request parameters and error text (each truncated; no IP address) | Art. 6(1)(f) GDPR (legitimate interest: stability and debugging) | 30 days, then automatic deletion |
| Magic-link login | e-mail, IP, timestamp, login token | Art. 6(1)(b) GDPR (contract performance) | 15 min token, 12 months login history |
| Free audit | submitted URL, form fields, IP, audit result | Art. 6(1)(b) GDPR (pre-contractual/service); Art. 6(1)(a) GDPR for China-provider opt-in | 7 days, then automatic deletion |
| Paid audit | name, e-mail, billing address, submitted URL, form fields, audit result, PayPal transaction ID | Art. 6(1)(b) GDPR (contract); Art. 6(1)(c) GDPR (invoice retention) | Audit content 12 months (customer-deletable); invoices 10 years (German tax law) |
| LLM call log (internal) | contents of LLM calls, tokens, cost | Art. 6(1)(f) GDPR (quality assurance, cost control) | 12 months |
| Anonymous reach measurement (self-hosted PostHog instance) | path, referrer, UTM parameters — no IP retention, no geo-IP resolution, no user identification | Art. 6(1)(f) GDPR (legitimate interest: aggregated traffic statistics) | per default retention of our self-hosted PostHog instance |
| E-mail capture on free audit (lead capture) | e-mail address, verification status, optional marketing-consent flag, site reference, timestamps | Art. 6(1)(b) GDPR (sending the requested confirmation e-mail as part of the service); Art. 6(1)(a) GDPR (marketing consent, if granted) | unverified: max. 30 days; verified without marketing consent: until objection; with marketing consent: until withdrawal |
3. Processors and recipients
We use external providers as processors (Art. 28 GDPR) or independent controllers to deliver our service. We have signed Data Processing Addenda (DPAs) with all recipients in the EU/EEA or where required.
3.1 Recipients within the EU
| Recipient | Location | Purpose | Data category |
|---|---|---|---|
| Mistral AI | France | LLM calls for audit analysis | audit input (URL, brand, market text) |
| T-Systems / Deutsche Telekom (LLM Hub) | Germany | optional: LLM calls via T-Cloud | audit input |
| TurboSMTP S.R.L. | Catania, Italy | SMTP smarthost for outbound transactional mail (verification mails, magic-link login, invoices, withdrawal confirmations) | recipient e-mail address, mail body incl. magic-link tokens, invoice PDF attachment, withdrawal confirmation as applicable |
Note on mail delivery: we operate our own mail server (MTA) that hands outbound messages over a TLS-secured SMTP smarthost relay to TurboSMTP S.R.L. TurboSMTP is established in Catania, Italy (EU); no third-country transfer takes place at the provider level. Recipient mail servers outside the EU may be involved during delivery for purely address-driven reasons — that is an inherent property of the e-mail protocol and outside our control.
3.2 Recipients in the USA (third country)
Transfers to the USA rely either on the EU-US Data Privacy Framework (DPF) under Art. 45 GDPR or on Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR with a supplementary Data Processing Addendum (DPA). We verify the DPF status of each recipient quarterly against the official list at dataprivacyframework.gov/list. Last verified: 2026-06-04.
| Recipient | Purpose | Data category | Safeguard |
|---|---|---|---|
| Anthropic, PBC | LLM calls (Claude) | audit input | SCC + DPA (not DPF-certified) |
| OpenAI, L.L.C. | LLM calls (GPT) | audit input | SCC + DPA (US parent not DPF-certified; EEA contracting entity is OpenAI Ireland Ltd.) |
| Google LLC | LLM calls (Gemini) | audit input | DPF (active) + SCC as backup + Google Cloud DPA |
| Groq, Inc. | LLM calls (fast inference) | audit input | SCC + DPA (not DPF-certified) |
| Perplexity AI | LLM calls (sonar) | brand name + public search terms only | SCC; see note below |
| Serper | SERP data from Google for brand research | brand name + public search terms only | SCC; see note below |
| PayPal (Europe) S.à r.l. | payment processing | name, address, e-mail, payment data | EU establishment (Luxembourg); Merchant DPA |
Note on Perplexity and Serper: we send these providers only publicly available information (the brand name of the website being audited, generic search and competitor terms). No personal data of our users is transmitted. The transfer relies on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR; a Data Processing Addendum is not strictly required because the recipient does not act as a processor of your personal data.
3.3 Recipients in China (third country without adequacy decision) — only with explicit consent
When you tick the opt-in checkbox in the audit form, your brand name and audit request are additionally sent to the following providers in the People’s Republic of China. No GDPR adequacy decision exists for China. The transfer takes place exclusively on the basis of your explicit consent under Art. 49(1)(a) GDPR and is voluntary — the audit also works without it.
| Recipient | Purpose | Data category | Safeguard / Risk |
|---|---|---|---|
| DeepSeek | LLM calls for surface coverage | brand name, short audit prompt | SCC + DPA; no adequacy decision, elevated risk (Chinese state authority access powers) |
| MiniMax | LLM calls for surface coverage | brand name, short audit prompt | SCC + DPA; no adequacy decision, elevated risk (Chinese state authority access powers) |
3.4 Self-hosted infrastructure
The following components run on our own infrastructure in Germany; no transfer to third parties takes place:
- web frontend, database, master daemon
- Crawl4AI (web crawler) — fetching the URL you provide is done by our own crawler
- SearxNG (search meta-engine) — brand name and public search terms only; no personal data to third parties
- Zitadel (authentication)
3.5 E-mail capture on free audit (lead capture, double opt-in)
When you submit your e-mail address as part of the free audit flow, we store it together with a verification token, the site reference, the time of the request, and — if you actively tick the separate marketing checkbox — a marketing-consent flag. We then send you a confirmation e-mail with a single-use link to verify your address (double opt-in).
Legal basis: sending the confirmation e-mail and the related processing of your address relies on Art. 6(1)(b) GDPR, because dispatching the confirmation is an integral part of the service you requested. To the extent you also consented to the use of your address for product information, that processing is based on your consent under Art. 6(1)(a) GDPR. Marketing consent is voluntary and independent of receiving the confirmation e-mail — without it you only receive the confirmation message.
Retention: unverified addresses are deleted automatically after no more than 30 days. Verified addresses without marketing consent are stored until you object. Verified addresses with marketing consent are stored until you withdraw your consent; after withdrawal the address is moved to a suppression list to prevent future unwanted contact.
Recipients: the data is not passed on to third parties. Confirmation e-mails and any later product-information e-mails are delivered exclusively via our own mail server with an SMTP smarthost relay to TurboSMTP S.R.L. (Catania, Italy) acting as a processor under Art. 28 GDPR — see Section 3.1.
Withdrawal: you may withdraw your marketing consent at any time with effect for the future — either via the unsubscribe link in any marketing e-mail or informally by e-mail to contact@geo.gg.
3.6 Internal incident notifications (Telegram)
To resolve operational incidents promptly, on a failed audit run or a caught server error we send an internal notification to a private, non-public chat of our operations team via the Telegram bot interface. This notification contains internal reference codes only, with no personal data (e.g. a random transaction code, an error-record reference, the affected processing step). No error texts, no paths, no form inputs and no other personal data are transmitted — the actual diagnostic data stays in our database. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the stability and security of the service).
4. Retention details
- Quick Free audits: automatic, complete deletion after 7 days. We do not retain quick-free audit results for marketing or training purposes.
- Error logs (caught server errors): 30 days, then automatic, complete deletion. Without IP address, with truncated parameters and error texts.
- Paid audits: 12 months default. You can delete your account yourself at any time via Delete account in your account area; your personal data is then anonymised (invoice master data is retained as required by statutory retention obligations, see below).
- Invoices: 10 years retention obligation under German tax/commercial law. Even on account deletion, invoice master data is anonymised and retained.
- Log files (web server, application): up to 4 months, usually earlier — internal rotation every 3 months wipes all log data.
- LLM calls (internal): 12 months for quality and cost control.
- Magic-link tokens: 15 minutes validity, then invalidated.
- E-mail lead capture (free audit): unverified addresses max. 30 days; verified addresses without marketing consent until objection; with marketing consent until withdrawal, after which the address is added to a suppression list.
5. No automated decision-making
We do not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you. The scores and reports our audit produces relate to websites and brands — not to individual persons.
6. Cookies and tracking
We use neither third-party advertising cookies nor analytics cookies. Technically necessary cookies are set for session management only (technically required, no consent needed under § 25(2) TDDDG).
Anonymous reach measurement: We operate self-hosted, anonymous reach measurement using PostHog on our own infrastructure. No personal data is collected:
- your IP address is not stored (the $ip field is discarded before persisting);
- no user identification — even logged-in users are never mapped to their account ID;
- no cookies and no localStorage entry in your browser — § 25 TTDSG/TDDDG therefore does not apply and no consent is required;
- no client-side JavaScript SDK; capture happens server-side on our own infrastructure.
We capture only the requested path, the referrer, and any UTM parameters.
No geo-IP resolution takes place ($geoip_disable is set), so no country is determined. Bots are filtered out by user agent. The sole purpose is aggregated statistical analysis of website traffic — no linkage to purchases, conversions or account activity.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in aggregated traffic statistics).
7. Your rights
- Access to data stored about you (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR), subject to legal retention obligations
- Restriction of processing (Art. 18 GDPR)
- Data portability in a structured, common format (Art. 20 GDPR)
- Objection to processing on the basis of legitimate interests (Art. 21 GDPR)
- Withdrawal of given consent with effect for the future (Art. 7(3) GDPR)
Please address requests to contact@geo.gg. We respond within the statutory one-month period (Art. 12(3) GDPR).
8. Right to complain
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Postfach 20 04 44, 40102 Düsseldorf, Germany
Kavalleriestraße 2-4, 40213 Düsseldorf
Phone: +49 211 38424-0
E-mail: poststelle@ldi.nrw.de
Web: www.ldi.nrw.de
If you are located in a different German federal state or outside Germany, you may also contact the data protection authority there.
9. Changes to this privacy policy
We update this policy when processing activities or legal requirements change. The current version is available on this page; the date at the top reflects the last update.