ninelab — Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

When you register for an account, subscribe to a plan, or contact us, we may collect:

Name and email address
Company name and job title
Billing and payment information (processed by our payment provider; we do not store card numbers)
Communications you send to us, including support requests and feedback

1.2 Information We Collect Automatically

When you use the Services, we automatically collect:

Log data: IP address, browser type, pages visited, time and date of access, referring URLs
Device information: operating system, device type, screen resolution
Usage data: features used, queries submitted, API call volumes, error logs
Cookies and similar technologies (see Section 7)

1.3 Data You Connect to the Services

When you connect third-party platforms (Google Search Console, Google Ads, Microsoft Advertising, Meta Ads), we access and process data from those accounts as authorized by you, including:

Website performance data: keyword rankings, crawl data, traffic metrics
Advertising campaign data: bids, budgets, impressions, conversions
Search query data used for keyword clustering and bid optimization

We access only the data necessary to provide the Services and only with your explicit authorization through the applicable OAuth or API connection.

1.4 AI Platform Probe Data

The GEO Tool sends automated queries to AI platforms (ChatGPT, Perplexity, Google AI, Gemini, Claude) on your behalf. We collect and store the AI-generated responses to those queries for the purpose of tracking brand citations. These responses may incidentally contain publicly available information about third parties.

2. How We Use Your Information

We use the information we collect to:

Create and manage your account
Provide, maintain, and improve the Services
Process payments and send billing-related communications
Send transactional emails (account activity, alerts, audit results)
Train and improve our machine learning models (using aggregated, anonymized data — never individual user data without consent)
Detect fraud, abuse, and security incidents
Comply with legal obligations
Respond to support requests and communicate with you about your account
Send product updates, marketing communications, and promotional offers (you may opt out at any time)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

Contract performance: to provide the Services you have subscribed to
Legitimate interests: to improve our Services, ensure security, and prevent fraud
Consent: for marketing communications and optional analytics (you may withdraw consent at any time)
Legal obligation: to comply with applicable laws and regulations

We do not sell your personal information. We may share your information with:

4.1 Service Providers

We engage trusted third-party vendors to support our operations, including:

Cloud infrastructure providers (e.g., AWS) — for hosting and data storage
Payment processors (e.g., Stripe) — for billing
Email service providers — for transactional and marketing emails
Analytics providers — for product usage analytics (with data minimization applied)

These providers are contractually obligated to use your data only for the purposes we specify and to implement appropriate security measures.

4.2 Business Transfers

If ninelab is involved in a merger, acquisition, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice in the Services before your data becomes subject to a different privacy policy.

4.3 Legal Requirements

We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of ninelab, our users, or the public.

4.4 Aggregated and Anonymized Data

We may share aggregated, anonymized data (from which individual identities cannot be reasonably determined) for research, benchmarking, or product improvement purposes.

5. Data Retention

We retain your personal information for as long as your account is active or as necessary to provide the Services. Specifically:

Account data: retained for the duration of your account plus 30 days after deletion
Billing records: retained for 7 years to comply with financial regulations
Usage logs and API call data: retained for 12 months, then aggregated or deleted
AI probe response data (GEO Tool): retained for 24 months from collection
Marketing communications preferences: retained until you opt out or request deletion

You may request deletion of your personal data at any time (see Section 8 — Your Rights).

6. Data Security

We implement industry-standard technical and organizational measures to protect your personal information, including:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Access controls: role-based access; employees access only what is necessary for their role
API key authentication with HMAC-SHA256 signing for webhook endpoints
Regular security audits and penetration testing
SOC 2 Type II certification (in progress)

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your rights and freedoms, we will notify you and applicable authorities as required by law.

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

Strictly necessary cookies: Required for the Services to function (session management, authentication). Cannot be disabled.
Analytics cookies: Help us understand how users interact with the Services (e.g., which features are used most). We use anonymized data only.
Preference cookies: Remember your settings such as language and display preferences.
Marketing cookies: Used only with your consent to deliver relevant promotional content.

7.2 Your Cookie Choices

You can manage cookie preferences through our Cookie Consent banner when you first visit the platform, or through your browser settings. Note that disabling strictly necessary cookies will affect your ability to use the Services.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate or incomplete data
Deletion: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
Portability: Request your data in a structured, machine-readable format
Objection: Object to processing based on legitimate interests or for direct marketing
Restriction: Request that we restrict processing of your data in certain circumstances
Withdrawal of consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, email us at hello@ninelab.io. We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

If you are in the EEA or UK and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

9. International Data Transfers

ninelab is operated from [Your Country]. If you are accessing the Services from outside [Your Country], your information may be transferred to and processed in countries with different data protection laws. Where we transfer personal data from the EEA or UK to third countries, we use appropriate safeguards including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions, where applicable
Binding Corporate Rules, where applicable

10. Children's Privacy

The Services are not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at hello@ninelab.io and we will promptly delete it.

11. Third-Party Links and Services

The Services may contain links to third-party websites or integrate with third-party platforms. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you connect or link to.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent in-product notice at least 14 days before they take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

All previous versions of this Privacy Policy are archived and available upon request.

13. Contact Us

For privacy-related inquiries, to exercise your rights, or to report a concern:

ControllerJanine Iborra Estepa (trading as ninelab)

OfficerJanine Iborra Estepa

Emailhello@ninelab.io

Postal[Company Address]

Websiteopen.ninelab.io/privacy

We aim to respond to all privacy inquiries within 5 business days.