Security and data handling.

What Noetio collects, where it lives, who processes it, and how long we keep it. Written to be checked, not to reassure.

EUdata residency for application data
0customer records needed to run an audit
7subprocessors, all listed below
≤30dGDPR requests honored, usually much faster

What we collect

Audits and free scans run against public information: your website, and what public AI engines say about your brand. We do not need access to your systems, analytics, or customer data to run an audit.

If you buy an audit or book a call, we store your contact details (name, email, company, domain) and the audit artifacts we produce for you. The free visibility scan stores the domain you entered and the scan result so we can serve it back to you.

Where data lives

Application data is stored in an EU-hosted Postgres database. The website is served via a global CDN; audit deliverables are prepared and stored on EU-located infrastructure and shared with you directly.

Subprocessors

Running an AI-visibility audit means querying AI engines. Prompts contain buyer-style questions and your brand or domain name, never your customer data. This table is updated whenever the list changes.

ProviderPurposeWhat it sees
OpenAIEngine queries (ChatGPT)Buyer-style prompts + your brand/domain name
GoogleEngine queries (Gemini)Buyer-style prompts + your brand/domain name
PerplexityEngine queriesBuyer-style prompts + your brand/domain name
VercelWebsite hosting & analyticsStandard web logs, no account data
SupabaseDatabase (EU region)Contact details, audit artifacts, scan results
StripePaymentsBilling details you enter at checkout
Cal.comCall schedulingName, email, chosen slot

Retention

Scan results are cached for 7 days, then eligible for deletion. Audit artifacts are kept while you are a client and for 12 months after delivery, so day-30 and later re-runs can be compared against the original, then deleted on request or on schedule.

Engine responses used in public research (like the leaderboard) are kept as anonymized aggregates.

Your rights (GDPR)

You can request access to, correction of, or deletion of your personal data at any time. Requests are honored within the statutory 30 days, usually much faster. To exercise any of these rights, use the contact route on the privacy page or raise it on any call with us.

What this page is not

We do not currently hold formal certifications such as SOC 2 or ISO 27001 and do not claim them. This page describes our actual practices; when a certification is completed, it will be linked here with the audit report, not a badge.

Last reviewed: July 2026. See also the privacy policy and data handling in the docs.