Privacy Policy

Last updated: April 1, 2026

1. Identification of the Data Controller

  • Relevante.IA SL
  • [Pending incorporation]
  • Barcelona, Spain
  • Email: contacto@relevanteia.com
  • Web: https://relevanteia.com
  • Pending designation. Until designated, communications may be sent to contacto@relevanteia.com.

2. Purpose and Scope

This Privacy Policy describes how Relevante.IA SL ("Relevante.IA", "we", or "the Platform") collects, uses, stores, and protects the personal data of users who access and use our AI Readiness and Search Relevance Optimization (SRO) platform, available at relevanteia.com, app.relevanteia.com and its subdomains, as well as through widgets embeddable on third-party websites (the "Free Audit Widget").

This policy applies to all users, both registered and unregistered (Free Audit Widget users), in any country from which they access the service.

Applicable regulatory framework:

  • General Data Protection Regulation (EU) 2016/679 (GDPR).
  • Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights (LOPDGDD) — Spain.
  • New Federal Act on Data Protection (nFADP / nDSG) — Switzerland, in force since September 1, 2023.
  • Loi Informatique et Libertés and CNIL regulations — France.
  • Bundesdatenschutzgesetz (BDSG) — Germany and Austria.

By registering or using any of our services, you accept the processing of your data under this policy and the regulations applicable in your jurisdiction.

3. Personal Data We Collect

3.1 Data provided directly by registered users

  • Registration data: name, email address, encrypted password, preferred language (Spanish/English/French/German).
  • Business data: trade name, website URL, industry/niche (one of 12 categories), geographic location.
  • Billing data: processed directly by Stripe, Inc. Relevante.IA does not store complete credit card data or banking information.
  • Communications: messages sent through contact or support forms.
  • Chat history with the integrated AI assistant: messages sent to the Platform's chatbot for queries about business analysis.
  • Integration credentials: WordPress application passwords and Google Search Console OAuth tokens, stored with AES-256-GCM encryption.

3.2 Data provided by unregistered users (Free Audit Widget)

  • Website URL to analyze.
  • IP address (for usage control: maximum 1 audit per IP per day).
  • Technical browser data (User-Agent, resolution).

Legal basis: express consent of the user when submitting the URL for analysis (art. 6.1.a GDPR).

3.3 Automatically collected data

  • Technical data: IP address, browser type, operating system, pages visited, date and time of access.
  • Usage data: interactions with the platform, modules used, frequency of use, configuration preferences.
  • Cookies and similar technologies: see our Cookie Policy.

3.4 Data obtained from external sources

To provide the SRO analysis service, we collect and process public information related to the user's business:

  • Public content from the user's website (up to 50 pages via automated scraping).
  • Public brand mentions on the internet and social networks.
  • Presence in public directories (including Google Business Profile).
  • Backlinks, public social profiles, and sameAs links.
  • Public Knowledge Graph data (Google Knowledge Graph, Wikidata).
  • Visibility results in AI engines (ChatGPT, Gemini, Perplexity).
  • Core Web Vitals metrics (via Google PageSpeed Insights API).
  • Google Search Console data (only if the user voluntarily connects their account via OAuth).
  • Bing Webmaster Tools data (only if the user connects their account via API key).
  • Shopify data (only if the user connects their store via OAuth, pending availability).

This information is obtained from publicly accessible sources (or with express user authorization in the case of Search Console) and is processed exclusively to provide the contracted service.

4. Purposes and Legal Basis for Processing

Purpose | Legal Basis (Art. 6 GDPR)
User registration and account management | Performance of a contract (art. 6.1.b)
Provision of SRO services (M1, M2, M3, Action Plan) | Performance of a contract (art. 6.1.b)
Website and digital presence analysis | Performance of a contract (art. 6.1.b)
Generation of reports, scores, and automated recommendations | Performance of a contract (art. 6.1.b)
Free audit via Widget (unregistered users) | Consent (art. 6.1.a)
WordPress integration (read/write pages) | Performance of a contract (art. 6.1.b)
Google Search Console / Bing Webmaster Tools integration | Consent (art. 6.1.a)
Payment processing and billing | Performance of a contract (art. 6.1.b) and legal obligation (art. 6.1.c)
Service notifications (SRO alerts, completed plan) | Performance of a contract (art. 6.1.b)
Commercial communications and newsletters | Express consent (art. 6.1.a)
Platform improvement and development | Legitimate interest (art. 6.1.f)
Fraud prevention and security | Legitimate interest (art. 6.1.f)
Compliance with legal and tax obligations | Legal obligation (art. 6.1.c)

5. Use of Artificial Intelligence and AI Providers

Our platform uses third-party AI services to perform analysis, generate content, evaluate visibility, and provide recommendations.

5.1 AI providers used

Provider | Purpose | Location | Safeguard
DeepSeek (深度求索) | Main SRO analysis engine: scoring, action generation, classification, content, recommendations | China (People's Republic) | SCCs + TIA
Anthropic (Claude) | Secondary/fallback SRO analysis engine. M3 context consolidation. | USA | SCCs (DPF)
OpenAI | Semantic embeddings for search (RAG). M3 visibility queries. | USA | SCCs (DPF)
Perplexity AI | Business context (M1), M3 visibility queries, external action validation | USA | SCCs
Google (Gemini API) | M3 visibility queries | USA/EU | SCCs (DPF)

SCCs = Standard Contractual Clauses approved by the European Commission. DPF = Participant in the EU-US Data Privacy Framework. TIA = Transfer Impact Assessment.

5.2 Special note on DeepSeek (transfer to China)

DeepSeek is headquartered in Hangzhou, China. The People's Republic of China does not have an adequacy decision from the European Commission. For this transfer, in addition to Standard Contractual Clauses, we have conducted a Transfer Impact Assessment (TIA) in accordance with EDPB (European Data Protection Board) recommendations, analyzing Chinese legislation on data access by public authorities and the complementary technical and organizational measures implemented.

Complementary technical measures:

  • Data sent to DeepSeek is limited to public content from the user's website and business name. No personal data from the end user (email, password, payment data) is sent.
  • Minimization: prompts are built with the minimum information necessary for analysis.
  • Generated results are stored exclusively on our European infrastructure (Supabase EU).
  • Users may request at any time that their analyses be processed exclusively with providers headquartered in the USA/EU (Anthropic/Claude) by writing to contacto@relevanteia.com.

5.3 General safeguards

  • Data sent to AI providers is limited to what is strictly necessary for the service (minimization principle).
  • All providers operate under GDPR-compliant data processing agreements (signed DPAs).
  • Your data is not used to train third-party AI models. All providers are configured with training opt-out where their terms allow.
  • Generated results are stored on our infrastructure under your control.
  • You may request detailed information about the DeepSeek TIA by writing to contacto@relevanteia.com.

6. Recipients and International Transfers

6.1 Complete list of recipients

Below is the list of all third parties that may access personal data or business data in the context of providing the service:

Recipient | Purpose | Location | Safeguard
Supabase Inc. | Database, authentication, file storage | EU/USA | SCCs (DPF)
Vercel Inc. | Frontend web application hosting | EU/USA | SCCs (DPF)
Railway Inc. | Backend and job queue hosting (Redis/BullMQ) | USA | SCCs
Stripe Inc. | Payment and subscription processing | USA | SCCs (DPF)
DeepSeek (深度求索) | Main AI engine for SRO analysis | China | SCCs + TIA
Anthropic PBC | Secondary AI engine (fallback) | USA | SCCs (DPF)
OpenAI Inc. | Semantic embeddings and M3 visibility measurement | USA | SCCs (DPF)
Perplexity AI Inc. | Business context and M3 visibility measurement | USA | SCCs
Google LLC | Gemini API, Knowledge Graph API, Places API, PageSpeed API, Search Console API, OAuth | USA/EU | SCCs (DPF)
Firecrawl | Web content extraction (scraping) | USA | SCCs
SerpAPI | Search results, mentions, and directory analysis | USA | SCCs
Resend | Transactional email delivery | USA | SCCs

6.2 International transfers

Most of our providers are located in the United States. For these transfers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and, when the provider participates in the EU-US Data Privacy Framework (DPF), on the Commission's adequacy decision of July 10, 2023.

For the transfer to China (DeepSeek), we apply SCCs together with a Transfer Impact Assessment (TIA) and complementary technical measures detailed in Section 5.2.

For users in Switzerland: transfers are carried out under the nFADP and the Standard Contractual Clauses recognized by the FDPIC (Federal Data Protection and Information Commissioner).

We do not sell, rent, or share your personal data with third parties for marketing purposes without your express consent.

7. Data Retention

Data category | Retention period
Account and profile data | While the account is active + 5 years after cancellation
SRO analysis data and reports (M1, M2, M3) | While the account is active + 1 year after cancellation
Scraped website content (scraped_content) | While the account is active. Deleted within a maximum of 30 days after cancellation.
Billing data | 6 years (legal tax obligation, art. 29 Spanish Commercial Code)
Access and security logs | 12 months
Support communications | 3 years from last interaction
Health snapshots (weekly monitoring) | While the account is active + 6 months after cancellation
Free audits (Widget) | 90 days from generation
Integration credentials (WordPress, GSC, Bing) | Deleted immediately upon integration disconnection
WordPress version history (wp_page_snapshots) | While WordPress integration is active + 30 days after disconnection

After the indicated periods, data will be deleted or irreversibly anonymized.

8. Data Subject Rights

Under GDPR (and nFADP for users in Switzerland), you may exercise the following rights:

Right | Description
Access (art. 15 GDPR) | Obtain confirmation of whether we process your data and access a copy of it
Rectification (art. 16 GDPR) | Correct inaccurate data or complete incomplete data
Erasure (art. 17 GDPR) | Request deletion of your data (right to be forgotten)
Restriction (art. 18 GDPR) | Request restriction of processing in certain cases
Portability (art. 20 GDPR) | Receive your data in a structured format (JSON) and transmit it to another controller
Objection (art. 21 GDPR) | Object to processing based on legitimate interest
Automated decisions (art. 22 GDPR) | Request human intervention in automated analyses
Withdraw consent | Withdraw consent at any time, without retroactive effect

8.1 How to exercise your rights

Send your request to contacto@relevanteia.com indicating: your full name, email address associated with the account, the right you wish to exercise, and a copy of an identification document (National ID/Passport or other official document). We will respond within a maximum period of 30 days (extendable to 60 days in complex cases, with prior notification).

8.2 Data protection authorities

If you believe that the processing of your data violates applicable regulations, you may file a complaint with:

  • Spain: Spanish Data Protection Agency (AEPD) — www.aepd.es
  • France: Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr
  • Germany: Federal Commissioner for Data Protection (BfDI) — www.bfdi.bund.de, or the corresponding Land authority
  • Austria: Datenschutzbehörde (DSB) — www.dsb.gv.at
  • Switzerland: Federal Data Protection and Information Commissioner (EDÖB/FDPIC) — www.edoeb.admin.ch

9. Automated Decisions and Profiling

Our platform generates analyses, scores, rankings, alerts, and recommendations in an automated manner through artificial intelligence. Specifically:

  • Combined SRO score (M1 × 0.4 + M2 × 0.6) that evaluates the semantic readiness of your website.
  • AI visibility rankings (percentage of appearance in ChatGPT, Gemini, Perplexity).
  • Automatic pattern detection (visibility drops, technical degradation, content aging, entity inconsistency) after accumulating 3 or more weekly snapshots.
  • Automated action plan with phase classification and impact estimation.
  • Automatic SRO validation of generated content.

Nature of decisions:

These scores and recommendations are advisory and intended solely to assist the user in improving their digital presence. They do not produce binding legal effects on the user. The final decision to implement any recommendation always rests with the user.

Right to human intervention:

Under Article 22 GDPR, you have the right to request human intervention in any automated analysis, express your point of view, and contest the result. To do so, contact contacto@relevanteia.com.

10. Security Measures

We implement the following technical and organizational measures to protect your data:

  • Encryption in transit (HTTPS/TLS) for all communications.
  • Password hashing using secure algorithms (bcrypt via Supabase Auth).
  • AES-256-GCM encryption for sensitive integration credentials (WordPress, Google Search Console, Bing).
  • JWT (JSON Web Token) authentication with verification on every request.
  • Role-based access control (user/administrator) with Row Level Security (RLS) in the database.
  • Rate limiting: 100 requests/minute per user; 1 free audit/IP/day.
  • HTTP security headers (Helmet): Content-Security-Policy, X-Frame-Options, etc.
  • CORS protection with whitelist of authorized origins.
  • Internal token for secure server-worker communication (x-internal-worker-token).
  • Error monitoring and logging.
  • Periodic database backups.
  • Restricted data access by authorized personnel (principle of least privilege).

11. Cookie Policy

For detailed information about the use of cookies and similar technologies, see our Cookie Policy at /legal/cookies. In summary, we use strictly necessary, functional, payment (Stripe), and analytics cookies (no Google Analytics or Facebook Pixel).

12. Minors

Our services are intended exclusively for companies and professionals over 18 years of age. We do not intentionally collect data from minors. If we detect that we have collected data from a minor, we will delete it immediately.

13. Jurisdiction-Specific Provisions

13.1 Switzerland

For users residing in Switzerland, data processing is also governed by the new Federal Act on Data Protection (nFADP/nDSG) in force since September 1, 2023. In case of conflict between GDPR and nFADP, the more protective provision applies. The controller will designate a representative in Switzerland pursuant to Article 14 nFADP when required.

13.2 France

For users residing in France, this policy is interpreted in accordance with Law No. 78-17 of January 6, 1978 on information technology, files, and freedoms, as amended. The CNIL is the competent authority for complaints. Contractual documents will be available in French in accordance with the Loi Toubon.

13.3 Germany and Austria

For users residing in Germany or Austria, this policy is interpreted in accordance with the BDSG (Bundesdatenschutzgesetz) supplementing the GDPR. The competent data protection authorities are the BfDI (federal level) or the corresponding Land authority in Germany, and the DSB (Datenschutzbehörde) in Austria. The Impressum under TMG/DDG is available at relevanteia.com/legal/impressum.

14. Modifications to this Policy

We reserve the right to update this Privacy Policy to reflect changes in our practices, in the providers used, or in applicable regulations. Substantial modifications will be notified at least 15 days in advance by email to the address associated with your account and via a prominent notice on the platform. Continued use of the service after modifications take effect implies acceptance.

15. Contact

For any inquiries related to this Privacy Policy or the processing of your personal data:

  • Email: contacto@relevanteia.com
  • Barcelona, Spain

This document has been drafted in accordance with the General Data Protection Regulation (EU) 2016/679, Organic Law 3/2018 (LOPDGDD), the Swiss new Federal Act on Data Protection (nFADP/nDSG), the French Loi Informatique et Libertés, and the German Bundesdatenschutzgesetz (BDSG).