Privacy Policy
Last Updated: March 2, 2026
1. Introduction and Scope
This Privacy Policy describes how UnderAI PTE. LTD., a company incorporated in Singapore with its registered office at 7 Holland Village Way, One Holland Village, Singapore 275748 ("UnderAI", "we," "our," and/or "us") collects, uses, and discloses personal information from individuals ("you" or "your") who use our website (underai.com) and our Generative Engine Optimization (GEO) tracking and analytics platform (collectively, our "Services").
By using our Services, you signify that you have read, understood, and agree to our practices as described in this Policy and our Terms of Service.
2. Definitions
We adopt the terminology used by the GDPR:
- Data Subject: Any identified or identifiable natural person whose personal data is processed.
- Controller: UnderAI, which determines the purposes and means of processing for our registered users.
- Processing: Any operation performed on personal data, such as collection, storage, or analysis.
- Processor: Entities that process data on behalf of the controller (e.g., cloud providers).
3. Personal Information We Collect
3.1 Information You Provide Directly
- Account Registration: When registering or signing in using email OTP, we collect your email address and verification records needed to operate your account.
- Service & Brand Data: We collect brand names, keywords, competitive URLs, and search queries you input for analysis.
- Communications: Information provided via team@underai.com, including message contents and attachments.
3.2 Information Collected Automatically
- Log & Device Data: IP address, browser type/version, operating system, and time zone settings.
- Usage Information: Interactions with our dashboard and specific GEO reports generated.
- Cookies and tracking: The public marketing website currently does not intentionally set analytics, marketing, payment, or login session cookies. If we introduce optional cookies or similar technologies later, we will update this notice and request consent where required.
4. How We Use Your Information
- Service Provision: To operate our GEO platform. We perform rigorous data cleaning, desensitization, and algorithmic correction on raw data observed from AI environments.
- Product Improvement: To analyze usage trends and optimize our AI analysis algorithms.
- Communication: To send technical notices, updates, security alerts, and support messages.
- Legal & Compliance: To prevent fraud, enforce our Terms of Service, and comply with applicable laws.
Legal Bases for Processing (EEA/UK Users)
- Consent: For specific processing such as optional analytics, marketing cookies, or similar technologies if introduced in a later release.
- Contractual Necessity: To provide the GEO services you requested.
- Legal Obligation: For tax or financial reporting.
- Legitimate Interests: For platform security and business development.
5. Singapore PDPA Compliance
In Singapore, we collect, use and disclose personal data in accordance with the Personal Data Protection Act 2012 (PDPA), including based on deemed consent, contractual necessity, legitimate interests, or where required or authorized by law.
6. Google API Services User Data Policy Compliance
6.1 Limited Use Disclosure
UnderAI's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
- We only use Google data to provide or improve prominent user-facing features.
- We do not use Google data for advertising or sell it to third parties.
6.2 Data Retention
Google user data is retained only as long as necessary to provide services. You may request deletion at team@underai.com.
7. Third-Party Services and Data Sharing
7.1 Infrastructure & Hosting: Amazon Web Services (AWS)
- Location: US East (N. Virginia).
- Security: Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Compliance: Certified under the EU-US Data Privacy Framework.
7.2 AI Service Providers (OpenAI, Anthropic, Gemini)
- Data Protection: We do not transmit personal identifiers (names, emails) to these models.
- Opt-out: We have configured API integrations to opt out of data use for model training.
7.3 Payment Processing: Stripe, Inc.
- Compliance: Stripe is PCI DSS Level 1 certified. We do not store your full payment card details.
7.4 Legal Requirements
We may disclose personal information where required by law or subpoena to protect our rights, prevent wrongdoing, or ensure public safety.
8. Independence and Third-Party Disclaimer
UnderAI is an independent analytics platform. We are not affiliated with, endorsed by, or partnered with OpenAI, Google, Anthropic, or any other third-party LLM providers mentioned in our reports.
9. Your Data Protection Rights
9.1 GDPR Rights (EEA/UK)
- Access & Portability: Request copies of your data in a machine-readable format.
- Rectification: Request correction of inaccurate information.
- Erasure ("Right to be Forgotten"): Request deletion of your account and associated data.
- Withdraw Consent: You may withdraw consent at any time.
- Restriction: You may request restriction of processing under applicable law.
- Objection: You may object to processing based on legitimate interests.
- Complaint: You have the right to lodge a complaint with a supervisory authority in your habitual residence, workplace, or place of alleged infringement.
9.2 California Privacy Rights (CCPA) as amended by the California Privacy Rights Act (CPRA)
California residents have the right to know, access, correct, delete, and opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information (if applicable). Note: we do not sell data or share personal information as defined under California law.
10. Data Retention and Security
10.1 Data Retention
- Account Data: Retained while active; deleted within 30 days of closure request.
- GEO Analysis Data: Retained for 12 months for historical tracking.
- Payment Records: Retained for 7 years for tax purposes.
- Log Files: Retained for 90 days.
10.2 Data Security
We implement encryption (TLS 1.3/AES-256), access controls, regular security audits, and documented incident response procedures.
11. International Data Transfers
Our Services are hosted in the United States (AWS US-East). For EEA/UK users, we utilize Standard Contractual Clauses (SCCs) and conduct transfer impact assessments, together with supplementary technical and organizational safeguards, to ensure an adequate level of protection.
12. Children's Privacy
UnderAI does not knowingly collect information from anyone under the age of 18. If we learn we have collected such data, we will delete it immediately.
13. Cookies and Tracking Technologies
The public marketing website currently does not intentionally set analytics, marketing, payment, or login session cookies.
- No Google Analytics, advertising pixels, remarketing tags, payment cookies, or account login session cookies are active on the public marketing website today.
- Lead form submissions are sent only when you choose to submit the form.
- If we introduce optional analytics, marketing, payment, or similar technologies later, we will update this notice and request consent where required by applicable law before loading non-essential cookies.
14. Changes to This Privacy Policy
We may update this policy periodically. We will notify you by posting the new policy, updating the "Last Updated" date, or sending an email for material changes.
15. Contact Information
For privacy questions or requests to access, correct, delete, or exercise other data rights, contact:
UnderAI Legal & Privacy Team
Email: team@underai.com
Response Time: Within 48 hours
Address: 7 Holland Village Way, One Holland Village, Singapore 275748
16. Supervisory Authority
If you are in the EEA and believe we are violating GDPR, you have the right to lodge a complaint with your local supervisory authority. Where required under Article 27 of the GDPR, we may designate a representative in the European Economic Area or the United Kingdom.