Introduction
Onsomble Limited ("Onsomble," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Agent Engine Optimisation (AEO) platform (the "Service"). The Service analyses how AI assistants such as ChatGPT, Claude, Gemini, and Perplexity represent businesses, measures visibility benchmarks, and provides recommendations to improve AI discoverability.
Onsomble Limited is a company registered in New Zealand (Company Number: 9423254, NZBN: 94-29053611901). For full company details, see our Imprint page. By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
Information We Collect
Account Information
When you create an account, we collect:
- Email address (required)
- Full name (optional)
- Profile picture or avatar (optional)
- Account preferences and settings
AEO Scan Inputs
When you use the Service to run AEO scans, you provide information that we send to third-party AI services on your behalf:
- Business name and website URL
- Competitor business names and URLs
- Industry or category context
- Custom queries or prompts related to your business
Information Collected Indirectly
We also collect information from sources other than you directly. Where practicable, we take reasonable steps to ensure you are aware of this collection:
- AI model responses: When we run AEO scans, third-party AI services return responses that may contain information about your business and the competitor businesses you have specified. These responses are generated by the AI service, not verified by Onsomble, and may include references to third-party businesses or individuals.
- IP-based location data: We derive your approximate geographic location (country, region, city, and time zone) from your IP address using a self-hosted geolocation service. This information is used to ensure scan queries are regionally relevant to your business. Location data is refreshed periodically and stored in your account profile.
- Analytics data: We collect behavioural and usage data through analytics services, including page views, feature usage, and device information.
Usage Data
We automatically collect information about how you use the Service:
- AEO scan history and results
- Activity logs (actions taken within the platform)
- Credit consumption and transaction history
- Feature usage patterns
Technical Data
We collect technical information including:
- IP address
- Browser type and version
- Device information and operating system
- Time zone
- Error logs and diagnostic information
How We Use Your Information
We use the information we collect for the following purposes, each connected to a specific function of the Service:
AEO Scanning and Analysis
- Submit queries to third-party AI services using the business names, URLs, and competitor information you provide
- Collect and analyse AI service responses to measure citation frequency, share of voice, sentiment, and accuracy
- Benchmark your business visibility against specified competitors
- Generate recommendations to improve your AI discoverability
- Track scan results over time to measure changes in visibility
Account Management
- Create and manage your account
- Process credit transactions and billing
- Send service-related notifications
- Provide customer support
Service Improvement
- Analyse aggregated, de-identified usage patterns to improve the Service
- Use your approximate location to ensure scan queries are regionally relevant
- Monitor service performance and diagnose technical issues
Security and Compliance
- Detect and prevent fraud or abuse
- Enforce our Terms of Service
- Comply with applicable laws and regulations
- Protect the rights and safety of our users
AEO Scanning and AI Processing
The core of our Service involves querying third-party AI services and analysing their responses. Understanding how your data flows through these systems is important.
How AEO Scanning Works
When you run an AEO scan, the Service submits queries to publicly accessible third-party AI services (such as ChatGPT, Claude, Gemini, Perplexity, and others) and captures the responses returned. During a scan, we send:
- Your business name and website URL
- Competitor business names and URLs you have specified
- Industry-relevant queries designed to measure visibility
The responses returned by these AI services are then analysed to produce your scan results, including citation frequency, share of voice, sentiment, and accuracy metrics.
Scan Results and Accuracy
Scan results reflect what third-party AI services say about a business at a specific point in time. They are not verified facts. AI-generated responses may be incomplete, inaccurate, or change between scans. Onsomble does not warrant that scan results will meet your expectations or that AI service responses are correct. You should not treat scan results as definitive business intelligence.
Competitor and Third-Party Business Data
When you specify competitors for benchmarking, AI service responses may contain information about those businesses. This information is generated by the AI service, not sourced or verified by Onsomble. We store these responses as part of your scan results to enable competitive benchmarking and historical trend tracking.
AI Model Training
We do not use your data to train AI models. Your scan inputs and results are processed solely to deliver the Service to you. Data sent to third-party AI services during scans is subject to each provider's own data usage policies. We use API access with each provider, which typically excludes the use of queries and responses for model training. See the Third-Party Service Providers section for details on each provider.
Additional AI Processing
- Embeddings: Content may be converted into mathematical representations (embeddings) to enable semantic analysis and retrieval within the Service.
- Semantic reranking: Search results and scan data may be reranked using AI services to improve relevance.
- Web enrichment: Publicly available web content related to your business may be collected to enrich scan context.
Third-Party Service Providers
We do not sell your personal information. We share information with third-party service providers only to the extent necessary to deliver the Service. These providers process data on our behalf under data processing agreements.
AEO Scanning Services
The following AI services are queried during AEO scans. We send business names, URLs, competitor names, and industry queries to these providers and receive AI-generated responses:
- OpenAI (ChatGPT): AI visibility scanning
- Anthropic (Claude): AI visibility scanning
- Google (Gemini): AI visibility scanning
- Perplexity: AI visibility scanning
- OpenRouter: AI model routing and inference
- Browserbase: Browser automation for visibility scans
- Tavily: Web search for scan enrichment
AI Processing Services
- Cohere: Semantic reranking of scan results
- Spider: Web content collection for scan enrichment
- Langfuse: AI pipeline observability and tracing
Platform Infrastructure
- Supabase: Authentication, database hosting, and file storage
- Vercel: Frontend application hosting
- Railway: Backend application hosting
- Cloudflare: Content delivery, DNS, and security
- Resend: Transactional email delivery
Analytics and Monitoring
- PostHog: Product analytics and feature flags
- Google Analytics: Website usage analytics
- Sentry: Error tracking and monitoring
Business Operations
- Linear: User feedback and issue tracking
Each provider is contractually obligated to protect your data and may only use it to provide services to us. Using services hosted by these providers may involve the transfer of data to countries outside your country of residence — see Cross-Border Data Transfers below.
Legal Requirements
We may disclose your information if required by law, such as:
- In response to valid legal process (subpoenas, court orders)
- To comply with applicable laws and regulations
- To protect our rights, property, or safety
- To protect the rights, property, or safety of our users or the public
Business Transfers
If Onsomble is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.
Data Storage and Security
Where We Store Your Data
Your account data and scan results are stored on servers hosted by Supabase in the AWS ap-southeast-2 region (Sydney, Australia). This infrastructure is shared with other Supabase customers but your data is logically isolated through row-level security policies.
Security Measures
We implement appropriate technical and organisational measures including:
- Encryption of data in transit (TLS 1.2+)
- Encryption of data at rest (AES-256)
- Row-level security ensuring each account can only access its own data
- Authentication via secure, industry-standard protocols
- Regular security assessments
- Activity logging and monitoring
While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
Your Rights and Choices
You have the following rights regarding your personal information, regardless of where you are located:
Access and Portability
You may request a copy of the personal information we hold about you, including your account data, scan history, and usage records. We will respond to verified requests within 20 working days (or sooner where required by the laws of your jurisdiction).
Correction
You may request that we correct any inaccurate or incomplete personal information we hold about you.
Deletion
You may request deletion of your account and associated personal data. When you delete your account, we will delete or anonymise your personal information within 30 days, except where we are required to retain it by law. Please note that AEO scan results are retained as part of the Service's aggregated analytical data and are not deleted upon account closure. Scan results may contain AI-generated responses about your business and competitors that were produced by third-party AI services during the normal operation of the Service.
Objection and Restriction
You may object to or request restriction of our processing of your personal information in certain circumstances, including where we process your information for direct marketing or where you believe the processing is unnecessary.
Withdraw Consent
Where we rely on your consent to process personal information, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. You will not receive a different level of service or pricing for making a privacy request.
Automated Decision-Making
The Service uses automated processing to analyse AI service responses and generate visibility scores, sentiment ratings, and recommendations. These outputs are informational tools to assist your decision-making — they do not make decisions about you or your eligibility for any service. If you have questions about how automated analysis produces a particular result, contact us at [email protected].
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected]. We may need to verify your identity before processing your request.
Complaints
If you are not satisfied with our response to a privacy request, you have the right to lodge a complaint with the relevant privacy regulator in your jurisdiction. For users in New Zealand, this is the Office of the Privacy Commissioner. For users in Australia, this is the Office of the Australian Information Commissioner.
Data Retention
We retain your information for as long as your account is active or as needed to provide the Service:
- Account data: Retained until you delete your account
- AEO scan results: Retained for the duration of your account to enable historical trend tracking and competitive benchmarking. Aggregated, de-identified scan data may be retained after account deletion.
- Usage and activity logs: Retained for up to 2 years for analytics and troubleshooting
- AI pipeline traces: Retained for up to 90 days for service monitoring and debugging
- Analytics data: Retained in accordance with each analytics provider's retention policies
- Location data: Refreshed every 7 days while your account is active, deleted upon account deletion
- Billing records: Retained as required by applicable law (typically 7 years for financial records)
When you delete your account, we will delete or anonymise your personal information within 30 days, except where we are required to retain it by law or as described above for aggregated scan data. Data that has been sent to third-party services (such as analytics or error tracking providers) may persist in those systems in accordance with their own retention policies.
Data Breach Notification
In the event of a data breach that is likely to cause serious harm to affected individuals, we will notify the relevant privacy regulator and affected individuals as soon as practicable.
What Constitutes Serious Harm
We assess whether a breach is likely to cause serious harm by considering factors including: the sensitivity of the information involved (such as financial data, identity documents, or health information), whether the information is protected by security measures such as encryption, the nature of the harm that could result (including financial loss, identity theft, reputational damage, or physical harm), who has obtained or could obtain the information, and whether the information could be used for fraudulent or harmful purposes.
Our Notification Process
Where a notifiable breach occurs, we will:
- Notify the relevant privacy regulator as soon as practicable (within 72 hours of becoming aware of the breach where feasible)
- Notify affected individuals directly, including a description of the breach, the type of information involved, and steps they can take to protect themselves
- Take reasonable steps to contain the breach and mitigate any resulting harm
If you believe your information has been compromised, contact us immediately at [email protected].
Children's Privacy
The Service is designed for business professionals and is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will take steps to delete that information.
Cross-Border Data Transfers
Onsomble is based in New Zealand. Your data is primarily stored in Australia (AWS ap-southeast-2, Sydney). In the course of delivering the Service, your information may also be transferred to and processed in the following countries:
- United States: OpenAI, Anthropic, Perplexity, Browserbase, Tavily, Vercel, Railway, Resend, PostHog, Sentry, Linear, Cohere, Cloudflare
- United States and other regions: Google (Gemini, Google Analytics), Spider
Where your personal information is transferred outside your country of residence, we take reasonable steps to ensure the receiving organisation is subject to comparable privacy protections or appropriate safeguards, including contractual data processing agreements with our service providers.
By using our Service, you acknowledge and consent to the transfer of your information to countries that may have different data protection laws than your country of residence. If you do not consent to these transfers, you should not use the Service.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last updated" date
- Sending an email notification for material changes (if you have an account)
We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
Contact Us
If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise your data subject rights, please contact us:
- Privacy enquiries: [email protected]
- Business: Onsomble Limited, New Zealand
- Company details: Imprint