Privacy Policy
Effective date: July 8, 2026
BestDid Technology, LLC (“BestDid”, “we”, “us”) operates Geotally. This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have.
1. Data we collect
- Account credentials. When you sign up directly, we collect your email address and a password (stored hashed, never in plain text). If you bought through getbdshield.com, we also receive a license key and customer email, sent to the Service when you sign in. Used to authenticate you and validate your subscription and tier limits.
- Brand, prompt, and competitor data you enter. Stored to drive your scheduled runs and reports.
- AI engine responses. The raw text and citations returned by the engines you select for the prompts you author are cached and stored as historical snapshots.
- Audit log. Login attempts, runs triggered, reports generated, and email opens/clicks (for digests). Retained for security and abuse detection.
- Session cookie. A single signed cookie (
bdgt_session) keeps you logged in. No third-party tracking cookies are set.
2. Sub-processors
We share the minimum data necessary with the following sub-processors to operate the Service. Each is bound by a written data-processing agreement. International transfers are protected by the European Commission's 2021 Standard Contractual Clauses (Module 2) and, for UK data, the UK ICO's International Data Transfer Addendum.
Infrastructure
- Railway, Inc. (United States). Application and PostgreSQL hosting. All operational data.
- Vercel, Inc. (United States). Web and edge hosting. HTTP request metadata and static assets.
- Cloudflare, Inc. (United States). R2 object storage for generated PDF reports.
- Resend, Inc. (United States). Transactional and digest email delivery. Recipient email and email content.
- Sentry (Functional Software, Inc.).Server-side error tracking. We configure Sentry's
sendDefaultPiito false and make best efforts to avoid logging the customer email or license key into error messages.
AI engine query path
When you run a tracked prompt, we send the prompt text you authored, and only the prompt text, never your license key, email, or account identifier, to the following providers:
- OpenAI, L.L.C. (ChatGPT, GPT-4o). Prompt text via direct API.
- Anthropic, PBC (Claude). Prompt text via direct API.
- Google LLC (Gemini). Prompt text via direct API.
- Perplexity AI, Inc. (Sonar). Prompt text via direct API.
- SerpApi LLC. Prompt text plus geographic targeting (country and language) via direct API. Used to (a) retrieve Google AI Overview content for which there is no public Google API, and (b) retrieve Bing organic search results for the Copilot-emulation pathway described below.
Copilot emulation
Microsoft does not publish a public API for Copilot. To emulate the Copilot engine we (i) retrieve Bing organic search results for your prompt via SerpAPI and (ii) synthesize a Copilot-style answer from those results using OpenAI GPT-4o. We do not transmit your prompt or any data to Microsoft. If you do not wish your prompt to be processed through this pathway, exclude Copilot from your engine selection.
Reseller and licensing
- BestDid Technology, LLC (operating getbdshield.com, United States). Subscription billing and license validation. License key and email.
We will notify you by email at least 14 days before adding any sub-processor that materially expands the categories of data processed. You may object; if we cannot accommodate your objection, you may terminate the subscription for a pro-rated refund of unused fees.
3. How we use your data and our lawful basis
Under EU and UK data-protection law we must tell you the lawful basis for each processing purpose.
- Authenticate you, enforce tier limits, run prompt sweeps, deliver dashboard and reports. Contractual necessity (GDPR Art 6(1)(b)).
- Send transactional emails (password reset, billing, deletion confirmations). Contractual necessity (GDPR Art 6(1)(b)).
- Send weekly digest emails.Consent given at signup, withdrawable any time via the unsubscribe link or in Account › Preferences (GDPR Art 6(1)(a)).
- Detect abuse, prevent fraud, protect the Service. Legitimate interests in operating a secure service, balanced against your privacy interests (GDPR Art 6(1)(f)).
- Retain an audit log for security investigations. Legitimate interests (GDPR Art 6(1)(f)).
- Respond to support requests. Contractual necessity (GDPR Art 6(1)(b)).
We do not sell, rent, or trade your personal data. We do not use your brand or prompt content to train AI models, and the AI providers we use (see §2) confirm in their commercial-tier terms that customer-submitted prompts are not used to train their models.
3a. AI-assisted processing disclosure
The Service uses third-party large language models to retrieve and summarise answers to the prompts you author. The Service does not make automated decisions producing legal or similarly significant effects concerning you within the meaning of GDPR Art 22. The brand- and competitor-comparison scores the Service generates are decision-support information for your marketing analysis; you remain in control of any business decision made with them.
4. Data retention
- Account record (email, license key linkage, password hash if set): life of subscription plus 30 days post-cancellation, then purged unless deletion was requested sooner.
- Brand, prompt, competitor, run, snapshot, report data: life of subscription. You may delete any brand at any time, which removes its prompts, runs, snapshots, and reports immediately from primary storage and within 35 days from encrypted backups.
- Audit log (login attempts, runs triggered, reports generated): 12 months, then automatically purged.
- Email delivery logs (Resend): 90 days.
- Error logs (Sentry): 90 days.
- Encrypted database backups (Railway): 35-day rolling window.
When you delete a brand or request account deletion, the data is removed immediately from our primary database. Encrypted backups roll off on a 35-day cycle; we do not selectively edit backups, so the deleted records will be fully gone from backups within 35 days.
5. Cookies
The app uses exactly one first-party cookie, bdgt_session, which is signed and HTTP-only and is used solely to keep you logged in. On the marketing site we also use consent-gated Google Analytics, set only after you accept it in our cookie banner (off by default; withdrawable any time). We do not set advertising or cross-site ad-tracking cookies. For details, see our Cookie Notice.
6. Your rights (GDPR, CCPA, UK GDPR)
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct or update inaccurate data.
- Delete your data (subject to limited legal retention obligations such as tax and accounting records).
- Export your data in a portable, machine-readable format (JSON or CSV).
- Restrict or object to processing based on legitimate interests.
- Withdraw consent (for digest emails) at any time via the unsubscribe link or in Account › Preferences.
- Lodge a complaint with your local data-protection authority.
How to exercise these rights. You can delete individual brands (with all their data) any time from the dashboard. For account-wide actions, full account deletion, full data export, or access requests, email privacy@geotally.ai with your license key. We acknowledge within 5 business days, complete deletion within 7 business days where technically feasible, and in any event respond fully within the 30-day window required by GDPR Art 12(3). If the request is complex we may extend that window by up to 2 additional months and will tell you why.
6a. Notice for California residents
Categories of personal information we collect: identifiers (name, email, license key), commercial information (subscription tier), internet/network activity (login timestamps, IP address held transiently for security only), inferences (brand-mention scores). Purposes: providing the Service as described in §3. We do not sell or share personal information for cross-context behavioral advertising. To exercise your CCPA/CPRA rights, including the right to know, right to delete, right to correct, and right to limit sensitive personal information, email privacy@geotally.ai.
7. Security
All traffic to the Service is encrypted in transit (TLS 1.2+). Account passwords, where set, are stored only as salted one-way hashes; we cannot read them. You can also authenticate with your license key, which is validated against a separate license server. Database backups are encrypted at rest. Access to production systems is restricted to BestDid staff via multi-factor authentication.
8. Children
The Service is intended for businesses and adults. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us with data, contact us and we will delete it.
9. International transfers
Our infrastructure is hosted in the United States. When personal data leaves the European Economic Area or the United Kingdom we rely on:
- The European Commission's 2021 Standard Contractual Clauses (Module 2, controller-to-processor) with our US-based sub-processors, supplemented by transfer impact assessments where required by EDPB Recommendation 01/2020; and
- The UK ICO's International Data Transfer Addendum for transfers originating in the UK.
A copy of the SCCs and Addendum is annexed to our Data Processing Agreement. Where the relevant sub-processor maintains valid Data Privacy Framework certification (for example, Cloudflare, Vercel, and Sentry), we additionally rely on the EU–US, UK Extension, and Swiss–US Data Privacy Framework.
10. Changes to this policy
Material changes to this Privacy Policy will be announced via email and posted here with a new effective date.
11. Contact
Questions about this Privacy Policy or your data: contact privacy@geotally.ai.