GDPR — Data Processing Information

Last updated: May 4, 2026

1. Data Controller

The data controller is GeoLoop Sp. z o.o., based in Warsaw, Poland. Contact: [email protected]

2. Legal Basis for Processing

We process your personal data based on the following legal grounds under the GDPR:

  • Article 6(1)(a) — Your consent (e.g., for analytics cookies, marketing communications)
  • Article 6(1)(b) — Performance of a contract (providing GeoLoop services, managing your account and subscription)
  • Article 6(1)(c) — Legal obligation (tax records, accounting documentation)
  • Article 6(1)(f) — Legitimate interest (service improvement, security, fraud prevention)

3. Categories of Personal Data

  • Identity data: first name, last name, profile picture (from Google OAuth)
  • Contact data: email address
  • Account data: user preferences, language settings
  • Service data: brand URLs, audit results, JSON-LD configurations, brand facts
  • Billing data: company name, tax ID (NIP/VAT), billing address, payment history (managed by Stripe)
  • Technical data: IP address, browser type, device information, access logs

4. Data Processors and Recipients

Your data may be shared with the following categories of recipients:

  • Hosting and infrastructure: Railway (application hosting), PostgreSQL (database), Redis (cache)
  • AI service providers: OpenRouter (AI model aggregator), which routes to OpenAI, Anthropic, Google — used for GEO audit analysis
  • Payment processing: Stripe Inc. — payment processing and subscription management
  • Email services: Resend — transactional email delivery
  • CDN and edge: Cloudflare — JSON-LD injection workers, DDoS protection

5. International Data Transfers

Some of our data processors are based outside the European Economic Area (EEA), particularly in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or by the processor's participation in the EU-U.S. Data Privacy Framework. We ensure that all international transfers provide adequate safeguards as required by the GDPR.

6. Data Retention Periods

  • Account data: until account deletion + 30 days for backup purge
  • Audit results: 3 years from last audit execution
  • Billing and invoice data: 5 years (Polish tax law requirement)
  • Technical logs: 90 days
  • Analytics data: 26 months

7. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data
  • Right to restriction (Art. 18) — limit processing in certain circumstances
  • Right to data portability (Art. 20) — receive your data in a machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — at any time, without affecting prior lawful processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Automated Decision-Making

GeoLoop uses AI models to generate GEO audit scores and recommendations. These scores are informational and do not constitute automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR. All audit results can be reviewed and contested by the user.

9. Supervisory Authority

You have the right to lodge a complaint with the supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland. Website: uodo.gov.pl

10. Contact

For any questions regarding data protection, contact our Data Protection Officer at [email protected]
