    Privacy Policy

    Learn how FlipAEO collects, uses, and protects your personal data.

    Effective Date: January 20, 2026

    At FlipAEO, accessible from https://flipaeo.com, we are committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, how we process user data, and your rights under applicable privacy laws, including the General Data Protection Regulation (GDPR). By using our services, you agree to the practices described in this Privacy Policy.

    1. Information We Collect

    We collect and process the following types of personal data:

    1.1 Personal Information (Provided by You)

    • Email Address (for account creation and communication).
    • Brand Information (company name, website URL, brand voice preferences for content generation).
    • Competitor URLs (for competitive analysis and content strategy).
    • Payment Information (processed securely via third-party payment providers).

    1.2 Data Obtained via Third-Party Integrations

    • Google Search Console Data — When you connect your Google Search Console account, we access and store aggregated search performance metrics including search queries, page URLs, click counts, impression counts, average position, and click-through rates. This data is retrieved via the Google Search Console API and stored in our database to power the ROI Action Board analytics features.
    • Google OAuth Tokens — We securely store your OAuth 2.0 refresh token, encrypted at rest using AES-256-GCM authenticated encryption, to maintain authorized access to your Google Search Console data for automated background synchronization (see Section 6.3).

    1.3 Automatically Collected Data

    • Device Information (browser type, operating system, and device details).
    • IP Address & Location Data (to ensure service functionality and security).
    • Usage Data (features used, session duration, and interactions).
    • Cookies & Tracking Technologies (see Section 7).

    2. How We Use Your Information

    We process your data for the following purposes:

    • ✅ Content Generation: To analyze your brand, competitors, and create strategic content.
    • ✅ SEO Performance Analysis: To process your Google Search Console data and generate actionable insights including keyword cannibalization detection, content decay monitoring, CTR interventions, striking distance opportunities, emerging trend identification, and Answer Engine Optimization (AEO) alignment.
    • ✅ Automated Data Synchronization: To periodically refresh your search performance data via background processing to ensure your analytics dashboard reflects current performance metrics without requiring manual intervention.
    • ✅ Account Management: To enable login, profile settings, and service customization.
    • ✅ Payment Processing: To process subscription payments securely.
    • ✅ Customer Support: To address inquiries and technical issues.
    • ✅ Service Improvement: To improve our AI models and user experience.
    • ✅ Security & Fraud Prevention: To prevent misuse, unauthorized access, or data breaches.

    We do not sell or misuse your data.

    3. Data Storage & Retention

    • 📌 Account Data: Stored in Supabase until account deletion.
    • 📌 Brand Profiles: Retained to improve content consistency across articles.
    • 📌 Generated Articles: Retained for 30 days after creation for access and revisions.
    • 📌 Google Search Console Data: Cached in our database for up to 60 days of rolling historical data. This cache is automatically refreshed every 30 days via background synchronization. Upon account deletion or disconnection of your Google Search Console, all cached search data is permanently deleted.
    • 📌 OAuth Tokens: Your Google OAuth refresh tokens are encrypted at rest using AES-256-GCM authenticated encryption before being stored in our database. Plaintext tokens are never written to persistent storage. Tokens are immediately revoked and permanently deleted upon account deletion or when you disconnect the integration.
    • 📌 Payment Data: Not stored by us; processed by secure third-party payment providers.
    • 📌 Logs & Analytics: Retained for performance monitoring but anonymized after 30 days.

    If you request deletion of your account, we will permanently erase all stored personal data, including any cached Google Search Console data and associated OAuth tokens.

    4. Your Rights (GDPR & Global Compliance)

    If you are an EU/EEA resident, you have additional GDPR rights:

    • 🔹 Right to Access: Request a copy of your personal data.
    • 🔹 Right to Rectification: Correct inaccurate or incomplete data.
    • 🔹 Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data.
    • 🔹 Right to Restrict Processing: Limit how we use your data.
    • 🔹 Right to Data Portability: Request your data in a structured format.
    • 🔹 Right to Object: Stop processing for marketing purposes.
    • 🔹 Right to Withdraw Consent: If data processing is based on consent, you can withdraw it at any time.

    📩 To exercise your rights, contact us at: support@flipaeo.com. We will respond within 14 days as per GDPR guidelines.

    5. Data Sharing & Third-Party Services

    We do not sell your personal data. However, we may share data with:

    • AI Content Generation: AI providers for content creation and research.
    • Cloud Storage: Supabase for secure data storage.
    • Payment Processors: DodoPayments (for secure subscription processing).
    • CMS Platforms: WordPress, Webflow, Shopify (for content publishing, at your request).
    • Analytics & Performance Monitoring: To improve user experience.
    • Legal & Compliance Reasons: If required by law or court order.

    Each provider follows industry-standard security measures and GDPR compliance policies.

    6. Google Services Integration

    FlipAEO integrates with the following Google services to provide our core functionality:

    6.1 Google Authentication (OAuth 2.0)

    We use Google Sign-In to allow you to authenticate securely with your Google account. When you sign in with Google, we receive:

    • Your email address (for account creation and communication)
    • Your name (for personalization)
    • Your profile picture (optional, for display purposes)

    We do not receive or store your Google password. Google authentication is handled securely through Google's OAuth 2.0 protocol.

    6.2 Google Search Console Integration

    When you connect your Google Search Console account to FlipAEO, you explicitly grant us permission to access your search performance data through the Google Search Console API (SearchAnalytics endpoint). This integration is essential to power our ROI Action Board and requires the following OAuth scope: https://www.googleapis.com/auth/webmasters.readonly (read-only access).

    6.2.1 Data We Access

    Through the Google Search Console API, we retrieve the following aggregated, non-personally-identifiable search metrics for your verified web properties:

    • Search Queries — The keywords users searched for that triggered your pages.
    • Page URLs — The specific pages on your site that appeared in search results.
    • Clicks — The number of times users clicked through to your site.
    • Impressions — The number of times your pages appeared in search results.
    • Average Position — Your average ranking position for each query.
    • Click-Through Rate (CTR) — The ratio of clicks to impressions.

    We do not access personal data about your website visitors, crawl errors, security issues, sitemaps, or any data outside the SearchAnalytics scope.

    6.2.2 How We Store This Data

    Your search performance data is cached in our secure Supabase database (encrypted at rest and in transit). We store up to 60 days of rolling historical search data per connected property. This cached data is used exclusively to compute the SEO insights displayed on your ROI Action Board, including keyword cannibalization detection, content decay monitoring, CTR interventions, striking distance analysis, emerging trend identification, and Answer Engine Optimization (AEO) alignment.

    6.2.3 Automated Background Synchronization

    To ensure your analytics remain current without requiring manual action, FlipAEO employs an automated background synchronization process. This process runs on a 30-day cycle and operates as follows:

    • Every 30 days, our system automatically uses your stored OAuth refresh token to obtain a temporary access token from Google.
    • Using this temporary token, we fetch the latest 60 days of search performance data from the Google Search Console API.
    • The fetched data is upserted (inserted or updated) into your cached dataset, and the synchronization timestamp is recorded.
    • The temporary access token is discarded immediately after use and is never stored.

    This process is fully automated and does not require your intervention. You may disconnect your Google Search Console at any time from your account settings, which will immediately halt all background synchronization and delete your cached search data.

    6.2.4 Token Security & Encryption

    All Google OAuth tokens (both access tokens and refresh tokens) are encrypted at rest using AES-256-GCM (Galois/Counter Mode) authenticated encryption before being written to our database. This is the same encryption standard recommended by NIST (National Institute of Standards and Technology) and used by financial institutions worldwide. Key highlights of our token security architecture:

    • 256-bit Encryption Keys: Tokens are encrypted with a cryptographically random 256-bit key that is stored separately from the database, never in source code.
    • Unique Initialization Vectors: Each encryption operation generates a cryptographically random 128-bit IV, ensuring that even identical tokens produce completely different ciphertexts.
    • Authenticated Encryption: GCM mode includes a 128-bit authentication tag that detects any unauthorized tampering with the encrypted data.
    • Zero Plaintext Storage: Plaintext tokens are never persisted to disk or database. They exist in memory only for the duration of an API request.
    • Ephemeral Access Tokens: Access tokens generated from the refresh token are valid for approximately 1 hour and are discarded from memory after each synchronization cycle — they are never stored in the database.

    We never use your tokens to access any other Google services, modify your Search Console settings, or perform any write operations on your Google account.

    6.3 Google API Services User Data Policy Compliance

    FlipAEO's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

    • We limit our use of Google user data to providing and improving the features described in this Privacy Policy.
    • We do not transfer Google user data to third parties except as necessary to provide our service, comply with applicable laws, or as part of a merger or acquisition with adequate data protection commitments.
    • We do not use Google user data for serving advertisements.
    • We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes or to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymized.

    7. Data Security Measures

    FlipAEO implements industry-leading security measures that align with OWASP, SOC 2, and GDPR Article 32 requirements for the protection of personal data:

    • 🔒 Encryption in Transit: All data transmitted between your browser and our servers is protected using TLS 1.2+ encryption.
    • 🔒 Encryption at Rest: Sensitive credentials (including OAuth tokens) are encrypted at rest using AES-256-GCM authenticated encryption with unique per-record initialization vectors, the same standard used by banks and government agencies.
    • 🔒 Key Management: Encryption keys are stored in environment-level secrets, isolated from the application database, and are never committed to source code repositories.
    • 🔒 Access Control: Database access follows the principle of least privilege. Row Level Security (RLS) policies ensure users can only access their own data.
    • 🔒 Tamper Detection: GCM authentication tags provide cryptographic proof that stored data has not been altered or corrupted.
    • 🔒 Regular Security Audits: We perform routine security reviews to prevent unauthorized data access and to identify potential vulnerabilities.

    However, no system is 100% secure, and we encourage users to take necessary precautions.

    8. Cookies & Tracking Technologies

    We use cookies and similar tracking technologies to improve your experience on FlipAEO.

    8.1 What Cookies Do We Use?

    • 🔐 Authentication Cookies: Used by Supabase to keep you logged in after signing in via email or Google login.
    • 🍪 Necessary Cookies: Required for basic website functionality and security.
    • 📊 Analytics Cookies: Help us analyze site usage and improve performance.

    8.2 Managing Cookies

    You can control or disable cookies through your browser settings. However, disabling authentication cookies may log you out or limit certain features. For any questions regarding our use of cookies, contact us at support@flipaeo.com.

    9. Children's Privacy

    We do not knowingly collect or process data from users under 18 years old. If we discover such data, we will delete it immediately.

    10. International Data Transfers

    Since we operate globally, your data may be transferred to servers outside your country (including the US & EU). We ensure these transfers comply with GDPR, SCCs (Standard Contractual Clauses), and other international laws for secure handling.

    11. Changes to This Privacy Policy

    We may update this Privacy Policy to reflect legal, technical, or business changes. Any updates will be posted here with an effective date. Continued use of FlipAEO signifies your acceptance of the changes.

    12. Contact Information

    For any questions or privacy-related concerns, contact us:
    📧 Email: support@flipaeo.com
    🌍 Website: https://flipaeo.com

    © 2026 FlipAEO. All rights reserved.