Privacy Policy

1. Introduction

Vizoryo Ltd. is committed to protecting the privacy of individuals whose personal data we process. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our platform and services.

Vizoryo acts as a data controller under the EU General Data Protection Regulation (GDPR) for personal data collected through the Service.

This Policy applies to website visitors, registered users, business representatives who manage business profiles, and individuals whose data appears in publicly available business information we aggregate. In this Policy, "business profile" means the structured business listing we maintain (presented in the product interface as an "AI Identity"), whether claimed by a representative or auto-discovered from public sources.

2. Data We Collect

Data You Provide Directly

Account Data

Email address, name, password (hashed) for account creation and authentication.

Payment Data

Billing address, payment method (processed by Paddle) for subscriptions.

Profile Edits

Business name, services, contact information, hours for profile management.

Communications

Support requests, feedback, and correspondence.

AI Assistant Chat

Messages you exchange with our on-site AI assistant are stored so we can review conversation quality, understand common questions, and improve the Service. Please avoid sharing sensitive personal information in chat.

Data Collected Automatically

Usage Data

Pages viewed, features used, audit history for service improvement.

Device Data

Browser type, operating system, device identifiers for security and compatibility.

Log Data

IP address, access timestamps, referral URLs for security and fraud prevention.

Cookies

Session cookies and analytics cookies for functionality and analytics.

Data from Public Sources

Vizoryo collects publicly available business information from geographic datasets, business directories, review platforms, social media, and business websites. This data is collected under the legitimate interest basis (GDPR Art. 6(1)(f)).

3. Legal Basis for Processing

We process personal data based on the following legal grounds: performance of contract (account and subscription services), legitimate interest (business profiles, scoring, analytics, security), consent (marketing emails, analytics cookies), and legal obligations (compliance requirements).

For processing based on legitimate interest (GDPR Art. 6(1)(f)), Vizoryo has conducted a balancing assessment: (a) Purpose: enabling AI systems to accurately discover and represent businesses is a lawful and beneficial purpose; (b) Necessity: indexing publicly available business data is necessary to operate the Service — no less intrusive alternative achieves the same result; (c) Impact: the data processed is limited to business-related information already made public by the business itself, minimizing impact on individual privacy; (d) Reasonable expectations: businesses publishing information on public websites, directories, and social media should reasonably expect that information to be indexed by data services. This assessment is documented and available to supervisory authorities upon request.

4. How We Use Personal Data

5. Data Sharing

Vizoryo does not sell personal data. We share data only with:

Supabase (database hosting and authentication).

Paddle (payment processing).

Resend Inc. (email delivery).

Google LLC (AI services via Gemini API — anonymized inputs, website URLs and on-page content only).

DataForSEO (business contact discovery — business name, domain, category).

Sentry (error monitoring — may include truncated request context; no deliberate PII is logged).

Vercel Inc. (frontend hosting and edge functions — processes web request data including IP addresses for routing).

Render (backend hosting — processes server-side request data).

PostHog Inc. — product analytics (user_id, tier, autocaptured events). Data is processed on PostHog's US instance at us.i.posthog.com; transfers of EU/UK personal data are covered by EU Standard Contractual Clauses.

Google LLC (Analytics 4) — page views and events. Only loaded after you grant analytics consent.

Google LLC (Fonts) — font CDN; Google logs your IP address when serving font files.

OpenAI, L.L.C. — AI Mentions monitoring (business name, category, location).

Anthropic, PBC — AI Mentions monitoring (business name, category, location).

Instantly.ai (Bizon Apps Pte. Ltd.) — outbound email delivery for claim invitations (recipient email address, business name). Recipients can unsubscribe via the one-click List-Unsubscribe header included in every message.

Outscraper (Outscraper LLC) — business contact discovery (business name, domain).

HYP (Hyp / קבוצת היפ) — For customers who pay in Israeli Shekel, payment is processed by HYP, an Israeli payment provider acting as a data holder (מחזיק) on our behalf. We share with HYP the billing and payment details needed to charge your card, manage your recurring subscription, and issue a tax invoice (חשבונית מס). You have the right to access the personal data we hold about you and to request its correction, in accordance with the Protection of Privacy Law, 5741-1981 (including Amendment 13). To exercise these rights, contact privacy@vizoryo.com.

Each processor listed above is bound by data-processing terms — either a wet-ink-signed Data Processing Agreement or the processor's vendor-standard DPA in force via service activation. The executed status of each is shown on our Sub-Processors page. Where processors are based outside the EU/EEA, transfers are covered by the EU-US Data Privacy Framework, Standard Contractual Clauses, or Israel's adequacy decision.

For the complete list of sub-processors including DPA status and data categories, see our

Sub-Processors page

Published business profiles in the Index are accessible to the public, including AI systems and search engines. Published profiles do not include user account data.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

Right to Access — request a copy of your personal data.

Right to Rectification — request correction of inaccurate data.

Right to Erasure — request deletion of your data.

Right to Portability — receive your data in a portable format.

Right to Restriction — request limitation of processing.

Right to Object — object to processing based on legitimate interest.

Right to Withdraw Consent — withdraw consent for marketing communications at any time.

Right to Lodge a Complaint — if you believe your personal data has been processed unlawfully, you have the right to lodge a complaint with a data protection supervisory authority. For EU/EEA residents, contact your local supervisory authority (list available at edpb.europa.eu). For Israeli residents, contact the Privacy Protection Authority (PPA) at the Israeli Ministry of Justice.

Automated Decision-Making — our AI Visibility Score and business classifications involve automated processing of publicly available business data. These automated outputs are informational only and do not produce legal or similarly significant effects on individuals. You have the right to request human review of any automated assessment, contest the result, and express your point of view by contacting privacy@vizoryo.com.

To exercise your rights, contact privacy@vizoryo.com. We will respond within 30 days.

7. International Data Transfers

Vizoryo is based in Israel, which has received an EU adequacy decision (Commission Decision 2011/61/EU), permitting data transfers from the EU/EEA without additional safeguards. Vizoryo regularly monitors the adequacy status and, if the decision is rescinded or revised, will promptly implement Standard Contractual Clauses (SCCs) or other EU-recognized transfer mechanisms to ensure continued lawful data transfers.

For transfers to other countries, we rely on the EU-US Data Privacy Framework, Standard Contractual Clauses, or other recognized transfer mechanisms.

8. Data Retention

Account data — duration of account + 3 years.

Payment records — 7 years (tax/legal requirements).

Audit results — 2 years from audit date.

Business profile data — until removal requested or business ceases to exist.

Usage logs — 12 months.

9. Data Security

We implement appropriate technical and organizational measures including encryption in transit (TLS 1.2+) and at rest, access controls, regular security assessments, and incident response procedures.

While we strive to protect personal data, no method of transmission over the internet is completely secure. We cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Vizoryo will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay, providing details of the breach, its likely consequences, and the measures taken to address it.

Vizoryo maintains a documented Incident Response Plan defining escalation procedures, notification timelines, and remediation workflows for personal data breaches. This plan is reviewed annually and is available to supervisory authorities upon request.

Embed Widget IP Logging: When a Vizoryo embed widget is loaded on a partner site, we log a one-way salted hash of the visitor's IP address (not the raw IP) together with the referring domain. This is used for abuse prevention and aggregated impression counts. Hashed IPs are deleted after 90 days.

10. Children's Privacy

The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. If discovered, we will delete such data promptly.

If you believe a minor has provided personal data to Vizoryo, contact privacy@vizoryo.com and we will delete the data within 7 days.

11. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated via email. The "Last Updated" date will be revised accordingly.

12. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Your rights include:

Right to Know — request details about the personal information we collect, use, and disclose about you.

Right to Delete — request deletion of personal information we have collected from you.

Right to Opt-Out of Sale/Sharing — We do not sell personal information. We share limited identifiers (cookie IDs, user agent, IP-address-derived region) with Google Analytics and PostHog for first-party analytics purposes only, contingent on your consent. Under California law this disclosure operates as your notice; you may opt out at any time by rejecting analytics cookies or by sending a Global Privacy Control signal, which we honor automatically.

Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.

To exercise your rights, contact privacy@vizoryo.com. We will verify your identity and respond within 45 days.

13. AI Data Processing

Vizoryo uses third-party AI services to process business website data. When you run an audit, the following data may be sent to AI providers for processing:

For more details about how AI is used in our Service, see our AI Disclaimer page.

14. Information for Data Subjects — Indirect Collection (GDPR Art. 14)

Vizoryo collects business information from publicly available sources including business directories, review platforms, social media, and business websites. If your personal data (such as your name as a business owner or your contact details published on a business website) appears in a profile created from these sources, this section explains your rights.

Data sources include: publicly accessible business websites, geographic datasets (Google Maps, government registries), business directories, social media business pages, and structured data (Schema.org) published by the business.

Vizoryo provides individual notice to identifiable data subjects where feasible, including through claim invitation emails sent to business contact addresses found during data collection. Where providing individual notice would involve disproportionate effort due to the large-scale nature of public data aggregation and the absence of direct contact information, this privacy policy serves as the required transparency notice under GDPR Art. 14(5)(b). Data subjects may exercise their rights at any time regardless of how they were notified.

You have the right to: access your data (Art. 15), request rectification (Art. 16), request erasure (Art. 17), restrict processing (Art. 18), object to processing (Art. 21), and receive your data in a portable format (Art. 20). To exercise any of these rights, contact privacy@vizoryo.com or use our removal request form at vizoryo.com/removal-request.

The legal basis for processing publicly available business data is legitimate interest (Art. 6(1)(f)). Our legitimate interest assessment is detailed in Section 3 of this policy.

Auto-discovered business profiles are initially created in draft status and are not publicly visible. Businesses have the opportunity to claim, edit, or request removal of their profile before it appears in the public index.

Sole Proprietors: Where a business profile relates to a sole proprietor or other natural person doing business under their own name, we treat that profile as personal data. Such individuals receive the full GDPR Article 15–21 rights against the profile itself, including the right to immediate erasure on request, regardless of the legitimate-interest basis we rely on for corporate business data.

15. Data Protection Contact

Vizoryo has assessed that the appointment of a Data Protection Officer (DPO) is not currently required under GDPR Article 37, as our core activities do not consist of large-scale systematic monitoring of individuals or processing of special categories of data. This assessment is formally documented, reviewed semi-annually, and available to supervisory authorities upon request.

For all data protection inquiries, including requests to exercise your rights, complaints, or questions about this policy, contact our Privacy Lead at privacy@vizoryo.com. Supervisory authorities may contact us at the same address.

If you are located in the EU/EEA and wish to contact a supervisory authority directly, a list of EU Data Protection Authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en.

Vizoryo monitors its database obligations under the Israeli Protection of Privacy Law and will register with the Privacy Protection Authority's Database Registrar as required by applicable thresholds.