Privacy Policy - Qwairy

Last updated: 14 April 2026

1. Introduction

Qwairy SAS, a French simplified joint-stock company (Société par actions simplifiée) registered under SIREN 944 639 012, with its registered office at 1 Rue de Stockholm, 75008 Paris, France ("Qwairy," "we," "us"), is committed to protecting your privacy.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Generative Engine Optimization (GEO) platform (the "Service"), including data obtained through third-party integrations such as Google Analytics and Google Search Console (see Section 13, Google User Data).

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. This policy complies with the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), the Google API Services User Data Policy, and the Google APIs Terms of Service.

2. Data Controller

Qwairy SAS

1 Rue de Stockholm, 75008 Paris, France

EU VAT: FR 65 944 639 012

Privacy contact: team@qwairy.co

3. Data We Collect

3.1 Account Information

When you create an account, we collect:

Email address
Name (if provided)
Profile picture (if using OAuth login)
Company name and website URL (if provided)

3.2 Usage Data

We automatically collect information about how you interact with our Service, including:

Pages visited and features used
Timestamps and session duration
Browser type and device information
IP address

3.3 Brand and Content Data

To provide our GEO optimization services, we collect:

Brand names and descriptions you configure
Keywords and topics you monitor
Competitor information you add
AI-generated content and analysis results

3.4 Data from Third-Party Integrations

When you choose to connect third-party accounts (Google Analytics, Google Search Console, and similar integrations), we collect the data described in Section 13. These connections are always optional and may be revoked at any time.

4. How We Use Your Data

We use your personal data to:

Provide, maintain, and improve our Service
Process transactions and send related information
Send administrative notifications and updates
Respond to your requests and support inquiries
Analyze usage patterns to improve user experience
Detect and prevent fraud or security issues

We do not use your personal data, your Google user data, or content processed on your behalf to train our own artificial-intelligence or machine-learning models.

5. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you requested and to bill you.
Consent (Art. 6(1)(a) GDPR): For optional features such as marketing communications, non-essential cookies, and third-party integrations (e.g., Google Analytics, Google Search Console).
Legitimate interests (Art. 6(1)(f) GDPR): For analytics, security, fraud prevention, and service improvement, where not overridden by your rights.
Legal obligations (Art. 6(1)(c) GDPR): When required by applicable law (accounting, tax, responses to authorities).

6. Sub-processors and Third-Party Sharing

We rely on the following categories of processors (sub-processors), solely for the purpose of operating the Service. Where a processor offers a data-processing agreement (DPA) addressing the requirements of Article 28 of the GDPR, we rely on it. We are progressively formalising DPAs with all sub-processors and will provide evidence of any specific DPA on reasonable request. Transfers outside the European Economic Area are addressed in Section 7.

Cloud hosting & compute: Vercel Inc. (USA)
Database: Neon (EU / USA region)
Background jobs & queues: Trigger.dev (EU / USA)
Cache & rate limiting: Upstash (AWS, EU / USA)
Real-time messaging: Pusher (UK / USA)
AI providers (prompt execution & generation): OpenAI (USA), Anthropic (USA), Google (USA, via Gemini API and Google AI Studio), Perplexity (USA), xAI (USA), Mistral AI (France), Microsoft (USA, via Copilot). Prompts and brand-related inputs you configure are transmitted to these providers to execute monitoring queries.
Payment processing: Stripe (USA / Ireland)
Transactional & marketing email: Resend (USA), Loops (USA)
Error monitoring: Sentry (USA)
Product analytics: Google Analytics (USA), Mouseflow (Denmark)
Customer support: Crisp (France)

We do not sell your personal data to third parties. We do not use your data, your Google user data, or content processed on your behalf to train artificial-intelligence or machine-learning models.

An up-to-date list of sub-processors is available upon request at team@qwairy.co. We will inform you in advance of any intended change concerning the addition or replacement of a sub-processor, giving you the opportunity to object.

7. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). When we transfer personal data to these countries, we rely on one of the following safeguards as required by Articles 44 to 49 of the GDPR:

Adequacy decisions adopted by the European Commission (e.g., United Kingdom, Israel, and transfers covered by the EU-U.S. Data Privacy Framework where the recipient is certified).
Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), complemented where necessary by supplementary technical and organizational measures following the guidance of the European Data Protection Board (EDPB).
Your explicit consent, where applicable, for transfers not covered by the above mechanisms.

You may request a copy of the relevant transfer safeguards by contacting us at team@qwairy.co.

8. Data Retention and Security

8.1 Retention

We retain your personal data only for as long as necessary to provide the Service and to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by law (e.g., accounting, tax, or legal-defence obligations).

Typical retention periods:

Account and workspace data: for the duration of your subscription, plus up to ninety (90) days after account deletion to allow recovery.
Billing and invoices: ten (10) years, as required by French commercial and tax law.
Server and security logs: up to twelve (12) months.
Third-party integration data (e.g., Google Analytics, Google Search Console): for as long as the integration remains connected; deleted when you disconnect the integration.

8.2 Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

Encryption in transit (TLS 1.2 or higher) and at rest where supported by our infrastructure
Role-based access controls and least-privilege principles for internal access
Isolated environments and separation of customer data
Continuous monitoring, logging, and alerting via Sentry
Regular review of sub-processors' security posture

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and, where required, inform affected users without undue delay, in accordance with Articles 33 and 34 of the GDPR.

9. Your Rights

Under the GDPR and applicable data-protection laws, you have the right to:

Access: Request a copy of your personal data.
Rectification: Correct inaccurate or incomplete data.
Erasure: Request deletion of your personal data.
Restriction: Request limitation of processing.
Portability: Receive your data in a structured, commonly used, machine-readable format.
Objection: Object to processing based on legitimate interests.
Withdraw consent: Withdraw consent at any time for consent-based processing, without affecting the lawfulness of prior processing.
Post-mortem directives: Define directives regarding the fate of your personal data after death (Article 85 of the French Data Protection Act).

To exercise these rights, contact us at team@qwairy.co. We will respond within one (1) month, extendable by two (2) additional months for complex requests, in accordance with Article 12(3) of the GDPR.

You also have the right to lodge a complaint with the French Data Protection Authority (CNIL) or with the supervisory authority of your habitual residence.

10. Cookies and Similar Technologies

Cookies are small text files placed on your device when you visit a website. Non-essential cookies are set only after you have given your consent through our cookie banner; you may change your preferences at any time via the banner or your browser settings.

10.1 Categories of cookies we use

Category	Purpose	Provider	Retention	Consent
Strictly necessary	Secure login, session management, CSRF protection, cookie consent state	Qwairy (first-party)	Session or up to 12 months	Not required (essential)
Analytics	Measure audience, page-view and session metrics	Google Analytics, Mouseflow	Up to 13 months	Required
Functionality	Customer-support chat, preferences	Crisp	Up to 12 months	Required

10.2 Managing your preferences

You can withdraw your consent to non-essential cookies at any time via our cookie banner or by clearing cookies in your browser settings. Blocking strictly necessary cookies may impair core functionality (login, checkout, etc.).

11. Children's Privacy

Our Service is intended for professional use and is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children under this age without verifiable parental consent. If we become aware that we have collected personal data from a child in breach of this rule, we will take prompt steps to delete such information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated Policy on this page and updating the "Last updated" date. For significant changes, we will also notify you by email before the changes take effect.

13. Annex: Google User Data (Google Analytics & Google Search Console)

This section specifically addresses how Qwairy handles data obtained through Google APIs, namely Google Analytics and Google Search Console, in compliance with the Google API Services User Data Policy, including the Limited Use requirements.

13.1 Data Accessed

Google Analytics. When you connect your Google Analytics account to Qwairy, we request read-only access (analytics.readonly scope) to the following types of data:

Analytics properties: List of Google Analytics 4 properties and accounts you have access to
Traffic metrics: Sessions, average session duration, bounce rate, pages per session, and new users
Traffic sources: Session source and medium data, specifically filtered to identify AI-related referral traffic from platforms like ChatGPT, Claude, Perplexity, Gemini, and others
Landing pages: URLs of pages receiving traffic from AI platforms, along with engagement metrics

Google Search Console. When you connect your Google Search Console account to Qwairy, we request read-only access (webmasters.readonly scope) to the following types of data:

Verified sites: List of sites (domains or URL prefixes) you have verified and can access in Search Console
Search performance: Search queries, clicks, impressions, click-through rate (CTR) and average position for Web, Image, Video, and News search
Pages & devices: URLs receiving impressions and clicks, with breakdowns by country, device, and search appearance
Sitemaps (read-only): Sitemap submissions and their processing status, used to reconcile indexation with AI visibility

13.2 Data Usage

Qwairy uses your Google Analytics and Google Search Console data exclusively to:

Display your traffic, indexation, and search-performance metrics within the Qwairy dashboard
Identify and track AI-related traffic sources, queries, and patterns
Correlate your website traffic and search performance with AI visibility metrics
Generate insights and recommendations to improve your GEO strategy
Measure the impact of AI optimization on your website traffic and organic search performance

Limited Use compliance. Qwairy's use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do NOT use your Google user data for:

Advertising or marketing purposes
Selling or renting to third parties
Training artificial-intelligence or machine-learning models, whether our own or those of third parties
Any purpose unrelated to providing our GEO optimization Service

13.3 Data Sharing

Qwairy does NOT share your Google user data with any third parties. Your Google Analytics and Google Search Console data is:

Only accessible to you and team members you explicitly invite to your Qwairy workspace
Never sold, rented, or transferred to advertisers or data brokers
Never shared with other Qwairy customers or used for cross-customer analytics
Only processed by our infrastructure sub-processors (see Section 6) as necessary to operate the Service

13.4 Data Storage and Protection

Your Google user data is protected using the technical and organizational measures described in Section 8.2, including encryption in transit (TLS) and access controls restricting data access to authorized personnel only.

13.5 Data Retention and Deletion

Retention: Data obtained through Google Analytics and Google Search Console is retained only for as long as the corresponding integration remains connected to your account.

Deletion: You can delete your Google user data at any time by:

Disconnecting the Google Analytics and/or Google Search Console integration in your Qwairy workspace settings
Requesting account deletion by emailing team@qwairy.co
Revoking Qwairy's access through your Google Account permissions

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Qwairy SAS

1 Rue de Stockholm, 75008 Paris, France

Email: team@qwairy.co