Privacy Policy

Effective date: 28 May 2026

This Privacy Policy explains how Tedy Development s.r.o. collects, uses, stores, shares, and protects personal data when you use AEOlift, including our website, dashboard, audits, reports, notifications, and related services collectively referred to as the “Service”.

The Service is operated by:

In this Privacy Policy, “Company”, “we”, “us”, or “our” means Tedy Development s.r.o.

By using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, you should not use the Service.

1. Scope of This Privacy Policy

This Privacy Policy applies to:

• Visitors of our website
• Users who create an account
• Customers who subscribe to the Service
• People who request an audit
• People who contact us by email, form, chat, or other communication channels
• Business contacts, leads, and prospective customers
• Users who receive reports, alerts, or notifications from the Service

This Privacy Policy does not apply to third-party websites, services, platforms, AI providers, search engines, payment processors, messaging platforms, or other external services that we do not control.

2. Controller and Processor Roles

For the purposes of the General Data Protection Regulation “GDPR”, Tedy Development s.r.o. may act as a data controller or data processor depending on the context.

We act as a data controller for personal data we process for our own purposes, including:

• Account management
• Billing
• Website analytics
• Security
• Support
• Marketing communications
• Legal compliance
• Business administration

We may act as a data processor when we process Customer Data on behalf of a customer to provide audits, reports, recommendations, alerts, and related Service functionality, to the extent such Customer Data contains personal data.

Where required, the parties may enter into a separate Data Processing Agreement.

3. Types of Data We Collect

We may collect the following categories of data.

3.1 Account Data

When you create an account or use the Service, we may collect:

• Name
• Email address
• Company name
• Job title or role
• Login credentials or authentication identifiers
• Account settings
• Subscription status
• Communication preferences

3.2 Customer Business Data

To provide AI visibility monitoring and recommendations, you may submit business-related information, including:

• Company or brand name
• Website URL
• Competitor names
• Competitor websites
• Product or service descriptions
• Keywords, topics, prompts, or search queries
• Target markets or regions
• Industry or category information
• Notes, settings, or preferences added by you
• Content or pages you want us to analyze

You are responsible for ensuring that you have the right to provide this information to the Service.

3.3 Usage Data

When you use the Service, we may automatically collect:

• IP address
• Browser type and version
• Device type
• Operating system
• Referring URLs
• Pages viewed
• Features used
• Time and date of access
• Session duration
• Clicks and interactions
• Dashboard usage
• Error logs
• Performance data
• Approximate location based on IP address

3.4 Billing and Payment Data

If you purchase a subscription, billing is handled by third-party payment processors.

We may receive and store limited billing information, such as:

• Billing name
• Billing email
• Billing address
• VAT or tax information
• Subscription plan
• Payment status
• Invoice history
• Last four digits of payment card, if provided by the payment processor
• Transaction identifiers

We do not store full credit card numbers or full payment card details on our own servers.

3.5 Communication Data

If you contact us, we may collect:

• Your name
• Email address
• Company name
• Message content
• Support requests
• Feedback
• Survey responses
• Call notes
• Chat messages
• Attachments you send to us

We may use this information to respond to you, provide support, improve the Service, and maintain records of our communications.

3.6 Notification Data

If you enable notifications, we may process information necessary to deliver them.

For email notifications, this may include:

• Email address
• Notification preferences
• Delivery status
• Message metadata

For Telegram notifications, this may include:

• Telegram chat ID
• Telegram username, if available
• Notification settings
• Delivery status
• Message metadata

Telegram is a third-party service. Your use of Telegram is subject to Telegram’s own terms and privacy policy.

3.7 Cookies and Similar Technologies

As of the effective date, the marketing website (aeolift.io) sets no cookies and uses no analytics tracking, and the dashboard (dashboard.aeolift.io) uses only essential browser local storage to keep you signed in. No consent banner is shown because no non-essential storage is in use.

If we later introduce cookies, local storage, pixels, or similar technologies for analytics, marketing, or product measurement, we may use them to:

• Keep you logged in
• Remember preferences
• Secure the Service
• Analyze website usage
• Improve performance
• Understand conversion and product usage
• Prevent abuse and fraud

Some cookies and storage mechanisms are necessary for the Service to function. Others, such as analytics or marketing cookies, will only be used where permitted by applicable law and, where required, after obtaining your consent.

You can control cookies and site storage through your browser settings. Blocking some categories may affect the functionality of the Service. This Privacy Policy will be updated and a consent mechanism introduced if and when we add non-essential tracking technologies.

4. How We Use Data

We use collected data for the following purposes:

• To provide, operate, and maintain the Service
• To create and manage user accounts
• To process subscriptions and payments
• To generate AI visibility audits
• To track brand and competitor visibility
• To produce reports, dashboards, alerts, and recommendations
• To personalize the Service
• To communicate with you
• To provide customer support
• To improve features, reliability, and user experience
• To monitor performance and fix errors
• To prevent fraud, abuse, misuse, and security incidents
• To comply with legal, tax, accounting, and regulatory obligations
• To enforce our Terms of Service
• To develop and test new features
• To analyze aggregated usage trends

We do not sell your personal data.

5. AI, Search, and Third-Party Data Processing

AEOlift may use third-party AI providers, search APIs, indexing services, data providers, hosting providers, analytics tools, and infrastructure services to deliver the Service.

Depending on the features used, Customer Business Data may be sent to third-party systems in order to:

• Run visibility checks
• Query AI systems
• Analyze search results
• Generate summaries or recommendations
• Compare brand and competitor mentions
• Retrieve publicly available information
• Process website or content analysis

This may include prompts, brand names, website URLs, competitor names, keywords, public page content, and related business information.

Where commercially available and appropriate, we prefer API providers and settings that limit the use of submitted Customer Data for training public foundation models. However, third-party providers process data according to their own terms, privacy policies, API policies, and retention rules.

You should not submit sensitive personal data, confidential personal data, health data, financial data, government identifiers, children’s data, passwords, secrets, API keys, or other highly sensitive information unless we have explicitly agreed in writing that such processing is supported.

6. Legal Bases for Processing Under GDPR

Where GDPR applies, we rely on the following legal bases.

6.1 Performance of a Contract

We process data when necessary to:

• Provide the Service
• Manage accounts
• Process subscriptions
• Generate reports
• Deliver alerts
• Provide customer support
• Maintain contractual records

6.2 Legitimate Interests

We may process data for legitimate business interests, including:

• Improving the Service
• Preventing fraud and abuse
• Securing the Service
• Understanding product usage
• Communicating with business customers
• Developing new features
• Maintaining business records
• Defending against legal claims

We only rely on legitimate interests where they are not overridden by your rights and freedoms.

6.3 Consent

We may rely on consent for certain activities, such as:

• Optional marketing emails
• Non-essential cookies
• Certain analytics or tracking technologies
• Public use of testimonials, logos, or case studies

You may withdraw consent at any time where consent is the legal basis.

6.4 Legal Obligation

We may process data when necessary to comply with legal, tax, accounting, regulatory, or law enforcement obligations.

7. Data Sharing

We may share data with the following categories of recipients.

7.1 Service Providers

We may share data with trusted service providers who help us operate the Service, such as:

• Hosting providers
• Database providers
• Cloud infrastructure providers
• Email delivery providers
• Payment processors
• Analytics providers
• Error monitoring providers
• Customer support tools
• AI API providers
• Search API providers
• Security tools
• Notification services

These providers are allowed to process data only as necessary to provide services to us and must protect the data according to applicable law and contractual obligations.

7.2 Payment Processors

Payments are processed by third-party payment processors, such as Stripe or another payment provider.

Your payment information is subject to the privacy policies and terms of those processors.

We receive limited billing and transaction metadata but do not store full card numbers.

7.3 AI and Search Providers

To provide visibility audits and recommendations, we may share relevant Customer Business Data with AI, search, and data providers.

These providers may process data according to their own terms, privacy policies, API policies, retention rules, and technical infrastructure.

7.4 Legal and Compliance Disclosures

We may disclose data if required to do so by law or if we believe in good faith that disclosure is necessary to:

• Comply with legal obligations
• Respond to lawful requests by public authorities
• Protect our rights, property, or safety
• Protect users or third parties
• Investigate fraud, abuse, or security incidents
• Enforce our Terms of Service
• Defend against legal claims

7.5 Business Transfers

If Tedy Development s.r.o. is involved in a merger, acquisition, financing, restructuring, sale of assets, bankruptcy, or similar business transaction, data may be transferred as part of that transaction.

We will take reasonable steps to ensure that the recipient handles the data consistently with this Privacy Policy.

8. Subprocessors and Infrastructure Providers

We may use third-party subprocessors and infrastructure providers to deliver the Service.

A current list of our main subprocessors is published at aeolift.io/subprocessors and is updated whenever the production stack changes. Customers may also request the current list by email at info@tedydev.com.

Provider categories include:

• Hosting and infrastructure
• Database hosting
• Authentication
• Email delivery
• Payment processing
• AI model APIs
• Search and citation APIs
• Analytics (when introduced)
• Error monitoring (when introduced)
• Messaging and notifications
• Security services

The exact provider list may change as the Service evolves; material changes are reflected on the subprocessor list page.

9. International Data Transfers

We are based in the Czech Republic, but our service providers may process data in other countries, including countries outside the European Economic Area “EEA”.

Where personal data is transferred outside the EEA, we take appropriate safeguards where required by law, such as:

• European Commission Standard Contractual Clauses
• Data Processing Agreements
• Adequacy decisions
• Other legally recognized transfer mechanisms

However, you acknowledge that third-party AI providers, cloud providers, search providers, and infrastructure services may operate globally.

10. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods may depend on:

• Account status
• Subscription status
• Legal obligations
• Tax and accounting requirements
• Security needs
• Dispute resolution
• Fraud prevention
• Backup and disaster recovery requirements

Typical retention examples:

• Account data: retained while your account is active and for a reasonable period after closure
• Billing records: retained as required by Czech tax and accounting law
• Support messages: retained as needed for customer service, business records, and dispute resolution
• Logs: retained for a limited period for security, debugging, and abuse prevention
• Backups: may persist for a limited time before deletion cycles complete
• Marketing contacts: retained until unsubscribe, deletion request, or inactivity-based cleanup

The exact retention period may vary depending on legal, technical, and operational requirements.

When data is no longer needed, we will delete, anonymize, or aggregate it where reasonably possible.

11. Data Security

We use reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.

These measures include:

• Role-based access controls and authentication via Supabase Auth (asymmetric JWT)
• Encryption in transit on all public endpoints (TLS / HTTPS) and on connections to our database and third-party APIs
• Strict Content Security Policy, HSTS, and frame-ancestors protections on both the marketing site and dashboard
• Server-side allowlists and Server-Side Request Forgery (SSRF) guards on outbound fetches against customer-supplied domains
• Application-level tenant isolation enforced at the API layer (per-row access checks; non-access returns 404, not 403, to avoid leaking record existence)
• Logging and monitoring with limited retention
• Encrypted backups
• Principle of least privilege for internal access
• Regular security updates and dependency maintenance

However, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

You are responsible for keeping your account credentials secure and for controlling access to your devices, email account, and authentication methods.

12. Personal Data Breaches

If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, in line with Article 33 GDPR.

Where the breach is likely to result in a high risk to your rights and freedoms, we will also inform affected users without undue delay, in line with Article 34 GDPR.

13. Your Rights Under GDPR

If GDPR applies to you, you may have the following rights:

• Right to access your personal data
• Right to correct inaccurate data
• Right to delete personal data
• Right to restrict processing
• Right to object to processing
• Right to data portability
• Right to withdraw consent
• Right to lodge a complaint with a supervisory authority

To exercise your rights, contact us at:

info@tedydev.com

We may need to verify your identity before responding to your request.

Some rights may be limited by legal obligations, contractual obligations, legitimate business interests, security requirements, or technical feasibility.

Supervisory authority

You also have the right to lodge a complaint with a data protection supervisory authority. As Tedy Development s.r.o. is established in the Czech Republic, our lead supervisory authority is:

If you live or work in another EEA country, you may also lodge a complaint with the supervisory authority in your member state of residence, place of work, or place of the alleged infringement.

14. Marketing Communications

We may send you service-related emails, such as:

• Account notifications
• Billing messages
• Security alerts
• Product updates
• Important changes to the Service
• Changes to legal documents

These are transactional or service-related communications and may not always be optional.

If you opt in or where legally permitted, we may also send marketing emails about product updates, offers, educational content, or related services.

You can unsubscribe from marketing emails using the unsubscribe link or by contacting us.

15. Analytics

As of the effective date, we do not use any third-party analytics tools on the marketing site or the dashboard. Basic server-side request logs are retained for limited periods solely for security, debugging, and abuse prevention.

If we later introduce analytics to understand how visitors and customers use the Service, the data collected may include:

• Page views
• Referrers
• Device and browser information
• Feature usage
• Approximate location
• Conversion events
• Session behavior

We would use this information to improve the website, product, onboarding, performance, and user experience. Any future analytics provider will be added to the subprocessor list, and where required by law we will ask for consent before using non-essential analytics cookies or similar technologies.

16. Children’s Privacy

The Service is not intended for children under 18.

We do not knowingly collect personal data from children.

If you believe that a child has provided us with personal data, contact us and we will take reasonable steps to delete such data.

17. Customer Responsibilities

You are responsible for ensuring that any data you submit to the Service is lawful and that you have all necessary rights, permissions, and legal bases to provide it to us.

You agree not to submit:

• Sensitive personal data
• Special category data
• Health data
• Financial account data
• Government identification numbers
• Children’s data
• Passwords or secret credentials
• API keys
• Confidential third-party personal data
• Data you are not authorized to process

unless we have explicitly agreed in writing that such processing is allowed.

18. Publicly Available Information

The Service may collect, analyze, or reference publicly available information from websites, search results, AI-generated answers, public pages, or other online sources.

Publicly available information may still contain personal data. Where we process such data, we do so only as necessary for the Service and in accordance with applicable law.

We are not responsible for the accuracy, legality, or availability of information published by third parties.

19. Automated Processing

The Service may use automated systems to:

• Analyze brand visibility
• Compare competitors
• Generate scores
• Produce recommendations
• Detect changes
• Trigger alerts
• Summarize search or AI-generated responses

These automated outputs are informational only and should be reviewed by a human before being used for business, legal, financial, or strategic decisions.

The Service does not make legally binding decisions about individuals.

20. Data Processing Agreement

If you use the Service in a way that requires a Data Processing Agreement under GDPR or other applicable data protection laws, please contact us at:

info@tedydev.com

Where legally required and commercially appropriate, we may provide or enter into a Data Processing Agreement.

21. Do Not Track

Some browsers offer “Do Not Track” signals.

Because there is no consistent industry standard for responding to such signals, our website may not respond to “Do Not Track” browser settings.

You can control cookies and tracking technologies through browser settings and, where available, our cookie consent tools.

22. Links to Third-Party Websites

The Service may contain links to third-party websites, services, or platforms.

We are not responsible for the privacy practices, content, security, or policies of third-party websites.

You should review the privacy policies of any third-party services you use.

23. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes, we may notify you by:

• Posting the updated Privacy Policy on our website
• Sending an email
• Displaying a notice in the Service
• Using another reasonable notification method

The updated Privacy Policy will be effective from the date stated at the top of the document.

Your continued use of the Service after the effective date means you accept the updated Privacy Policy.

24. Contact Us

If you have questions, requests, or concerns about this Privacy Policy or our data processing practices, contact us at: