Privacy Policy
Last updated: 13 May 2026
aimentionsyou is an audit service that measures how often ChatGPT, Claude, Perplexity, and Gemini cite your brand. This page describes what we store when you order an audit, what we don't, and how to delete it.
1. The short version
- We run the audit ourselves on our own infrastructure. We never touch your site, your accounts, or your devices.
- To deliver the report we store the minimum needed: your email (from Stripe), the brand details you submit at checkout, and the resulting report files.
- We do not sell, share, or use your data for anything other than running the service.
- Identifying data is deleted 90 days after delivery. You can request immediate deletion at any time.
2. Data we store when you order
When you purchase an audit or add-on we store the following in our database (Supabase, EU/Frankfurt):
- email — provided to Stripe at checkout, passed to us for report delivery
- brand_name, brand_domain, brand_category, business_description — what you submit in the order form so we know what to audit
- competitor_names — optional, only if you choose to provide them
- stripe_session_id — issued by Stripe to link the order to the payment
- result_json, result_pdf_url, result_html_url — the audit output we generate and host so you can download it
- created_at, completed_at — timestamps for delivery tracking and tax records
We do not collect IP addresses, cookies, browser fingerprints, or telemetry beyond what Stripe and Vercel collect for fraud and security purposes (see § 3).
2a. Legal bases for processing
- Art. 6(1)(b) GDPR (performance of a contract) — for processing your order data and delivering the audit.
- Art. 6(1)(c) GDPR (legal obligation) — for retaining invoice records pursuant to § 147 AO and § 257 HGB (German tax and commercial law).
- Art. 6(1)(f) GDPR (legitimate interest) — for short-term server logs to defend against abuse and ensure IT security.
- Art. 49(1)(a) GDPR — where you have expressly consented to a transfer of personal data to third countries.
3. Subprocessors
We use the following services to run the product. Each has its own privacy policy and data-protection terms:
- Stripe (USA / Ireland) — payment processing. We never see your card details.
- Supabase (EU, Frankfurt) — database for audit records and hosted report files.
- Vercel (USA) — hosts this landing page and the serverless functions that handle checkout and fulfillment.
- Resend (USA) — sends the transactional email containing your audit report.
All four subprocessors offer standard contractual clauses (SCCs) for EU/EEA personal-data transfers where applicable. If we add a new subprocessor we will update this section and email active retainer customers in advance.
4. Cookies & tracking
We do not set tracking cookies and do not use third-party analytics on this site. The only client-side storage we use is localStorage to remember your language preference (DE/EN) so you are not redirected on every visit. That preference never leaves your device.
5. How the audit is performed
We run the audit ourselves using Playwright against our own authenticated accounts on ChatGPT, Claude, Perplexity, and Gemini. We never log into your accounts and we never access your website. The prompts we send are generic buyer-intent questions for your category — they do not contain personally identifying information about you. The raw model responses are processed into the report and then deleted within 90 days; only the final report files and aggregate metrics are retained beyond that.
6. Your rights (GDPR)
If you are in the EU, EEA, or UK, you have the right to:
- Access the personal data we hold about you (Art. 15 GDPR)
- Correct anything inaccurate (Art. 16 GDPR)
- Delete your order and the associated personal data (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Export your data in a portable format (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR — see separate notice below)
- Withdraw a previously granted consent with effect for the future (Art. 7(3) GDPR)
- Lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise any of these rights, email hello@marcomori.net. We respond within 30 days. Invoice records that we are legally required to retain (see § 7) are kept for the statutory period regardless.
6a. Right to object (Art. 21 GDPR)
If we process your personal data on the basis of Art. 6(1)(e) or (f) GDPR, you have the right at any time, on grounds relating to your particular situation, to object to the processing of your personal data; this also applies to profiling based on these provisions. The legal basis on which a processing operation is based can be found in this privacy policy. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims (objection under Art. 21(1) GDPR). Where your personal data are processed for direct marketing purposes, you have the right to object at any time to such processing; following the objection your data will no longer be used for such purposes (Art. 21(2) GDPR).
6b. Supervisory authority
In the event of breaches of the GDPR you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. The supervisory authority competent for the controller (whose seat is in Lindau / Bavaria) is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Web: www.lda.bayern.de
6c. Data protection officer
We are not required under Art. 37 GDPR or § 38 BDSG to appoint a data protection officer. For any data-protection question, please contact us directly at hello@marcomori.net.
7. Data retention
Identifying audit data (brand details, competitor names, raw model responses) is retained for 90 days after the report is delivered, then deleted or anonymised. We keep aggregated, non-identifying metrics for our own self-audit transparency page indefinitely. Invoice records (email, billing dates, amounts) are retained for 10 years to comply with German tax law (§ 147 AO). Stripe, Vercel, Supabase, and Resend keep their own logs per their own policies (typically 12–24 months for fraud and security purposes).
8. International transfers
Primary audit data is stored in the EU (Supabase Frankfurt). Stripe, Vercel, and Resend may process limited personal data (email, payment metadata, transactional content) in the United States. For such transfers we rely on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR and, where the respective US provider is certified, on the EU-U.S. Data Privacy Framework adequacy decision pursuant to Art. 45 GDPR.
Notice on third-country transfers: Please note that the United States and other third countries do not provide a level of data protection comparable to that of the EU. US providers may be obliged to disclose personal data to security authorities without you being able to take effective legal action against this. We therefore cannot rule out that US authorities (e.g. intelligence services) process, evaluate, and permanently store your data located on US servers for surveillance purposes. We have no influence on these processing activities.
9. Children
aimentionsyou is a B2B service not directed at anyone under 16. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.
10. Changes
If we change this policy we update the date at the top. Material changes are emailed to active retainer customers 30 days before they take effect.
11. Contact
Questions? hello@marcomori.net. For postal address and legal operator, see the imprint.