Privacy Policy

Controller: CARDIGITAL FZCO · Dubai, United Arab Emirates · Contact: hi@seeno.ai

1. Introduction and Scope

This Privacy Policy explains how Seeno.ai processes personal data when you visit https://seeno.ai, create an account, or use the Seeno.ai platform. Seeno.ai is a SaaS product that monitors how a brand appears across generative AI answer engines such as ChatGPT, Perplexity, Claude, Google AI Overviews, and Gemini, through automated prompt-based audits and ongoing scans.

The policy covers personal data processed through the Seeno.ai website, the authenticated dashboard, billing flows, and any supporting communications (transactional email, support email). It does not cover third-party sites that you reach through links from Seeno.ai or the independent privacy practices of the AI engines that Seeno.ai queries on your behalf.

This Privacy Policy is provided to inform you about our data processing practices. Your rights under applicable data protection law apply regardless of whether you formally acknowledge this notice.

2. Who We Are

Seeno.ai is operated by CARDIGITAL FZCO, a free-zone company registered in Dubai, United Arab Emirates.

  • Legal name: CARDIGITAL FZCO
  • License: DSO-FZCO License #15150
  • D-U-N-S: 571162253
  • Registered address: Dubai Silicon Oasis, DSO-IFZA, Dubai, United Arab Emirates
  • Contact for privacy matters: hi@seeno.ai

For the personal data processed through Seeno.ai, CARDIGITAL FZCO acts as the data controller. The operator processes personal data in accordance with applicable UAE data protection law, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the UAE PDPL), as applicable. Where individuals in the EEA or the UK use the service, CARDIGITAL FZCO acts as controller under the General Data Protection Regulation (GDPR) and UK GDPR respectively, and applies the principles and transfer safeguards described later in this policy.

3. What Data We Collect

We collect the data we need to provide the service, bill it, improve it, keep it secure, and communicate with you.

  • Account data: email address, hashed password, full name, optional avatar image, and OAuth provider identifiers if you sign in with Google.
  • Workspace data: the brand domain you monitor, the prompts you track, the AI engine responses captured during audits, the competitor brand set you configure, and your scan schedules.
  • Usage data: login timestamps, feature interactions inside the dashboard, and your current subscription tier (Free, Growth at $149 per month, Pro at $299 per month, or Scale at $699 per month).
  • Payment data: billing contact details and card metadata (such as last-4 and expiry) are collected and processed directly by Stripe. Seeno.ai itself stores only a Stripe customer ID and invoice metadata (amount, currency, status, invoice number).
  • Technical data: IP address, user agent, and request logs, retained for up to 30 days for security, abuse prevention, and debugging.

We do not intentionally collect special-category data (health, religion, political views, biometric identifiers). Please do not upload such data into workspaces or prompts.

4. How We Use Your Data

We use personal data for the following specific purposes:

  • Authentication and account management: creating your account, signing you in, and recovering access.
  • Service delivery: running prompt audits, querying AI engines, storing and displaying engine responses in your workspace, and scheduling ongoing scans. To provide this service, your prompts and related workspace content are transmitted to the third-party model and retrieval providers listed in Section 6 under their respective contractual terms, solely to return results to your workspace.
  • Billing: managing subscriptions, processing payments through Stripe, issuing invoices, and handling refunds or dunning.
  • Security and abuse prevention: detecting unauthorised access, rate-limiting, investigating suspicious activity, and preserving request logs for forensic review.
  • Product improvement: aggregated, de-identified analysis of how features are used so we can prioritise what to build next. We do not sell personal data, and Seeno.ai does not use customer workspace content to train its own AI models. Third-party model providers process that content under their own processor or service terms to deliver engine responses back to you.
  • Communications: transactional email (receipts, security alerts, service notices) and, only if you opt in, product updates. You can unsubscribe from marketing email at any time.
  • Legal compliance: meeting our obligations under UAE law, responding to lawful requests, and keeping the commercial records the law requires us to keep.

5. Legal Bases for Processing

Under the UAE PDPL, and under GDPR and UK GDPR where they apply, we rely on the following legal bases:

  • Performance of a contract: most processing is necessary to provide the Seeno.ai service to you under our Terms of Service, including account creation, running audits, storing workspace data, and billing.
  • Consent: for optional processing such as marketing emails or adding an avatar image. You can withdraw consent at any time without affecting the core service.
  • Legitimate interest: for security logging, abuse prevention, aggregated product analytics, and protecting our systems and users. We balance these interests against your rights and only use this basis where the impact on you is limited.
  • Legal obligation: for tax, accounting, and regulatory record-keeping, including invoice retention.

6. Sharing and Subprocessors

We share personal data only with vetted subprocessors that help us deliver the service. Each subprocessor is engaged subject to written contractual terms governing privacy, security, and permitted processing. Some providers (for example, payment and infrastructure vendors) may also process limited data as independent controllers for narrow purposes such as fraud prevention, security, or legal compliance under their own terms.

  • OpenAI (United States) - ChatGPT and GPT-5.x engine calls, response parsing for your audits.
  • Anthropic (United States) - Claude 4.x engine calls for your audits.
  • Google (United States / EU) - Gemini engine calls and Google AI Overviews retrieval (via Serper).
  • Serper (United States) - Google AI Overviews and SERP retrieval performed on our behalf.
  • Perplexity (United States) - Perplexity engine calls for your audits.
  • OpenRouter (United States) - multi-model routing layer for engine calls.
  • Stripe, Inc. (United States) - payment processing for all web subscriptions, including collection of billing contact details and card data.
  • Supabase (European Union, eu-central-1) - Postgres database, authentication, object storage, and Edge Functions.
  • Vercel (United States) - web hosting for the Seeno.ai front end.
  • Cloudflare (United States) - CDN and R2 object storage for static assets.
  • Sentry (United States) - error monitoring, configured to exclude personally identifiable information from events.

Beyond these subprocessors, we disclose personal data only when required by law, to enforce our Terms of Service, or to protect the rights, safety, or property of Seeno.ai, its users, or the public.

7. International Transfers

Our primary data store is Supabase in the EU region (eu-central-1). Several of the subprocessors listed in Section 6 are located in the United States or operate across multiple regions. In practical terms, engine calls and related processing by OpenAI, Anthropic, Perplexity, Serper, and OpenRouter, as well as hosting, CDN, error monitoring, and payment activity performed by Vercel, Cloudflare, Sentry, and Stripe, typically involve transfers of personal data to the United States. Gemini calls and Google AI Overviews retrieval via Google may be routed to US or EU infrastructure depending on the provider's configuration.

For those transfers, we rely on the following safeguards, as applicable:

  • For EEA and UK data subjects, we rely on the European Commission's Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum where appropriate, together with each subprocessor's Article 28 GDPR processing terms.
  • For data subjects in the UAE and other jurisdictions, we seek to align cross-border transfers with Article 22 of the UAE PDPL, relying on recipients in jurisdictions recognised as providing adequate protection or, where that is not the case, on appropriate contractual safeguards with the relevant subprocessor.
  • We do not transfer personal data to a subprocessor without a written contractual data-processing or service framework in place.

We do not claim any registration, certification, or representative status that we do not actually hold. If you want a current list of subprocessors and the specific transfer mechanism used for any of them, email hi@seeno.ai.

8. Retention Periods

We keep personal data only for as long as we need it:

  • Account data: kept while your account is active. Deleted within 30 days after you close the account, except where we are legally required to retain specific items.
  • Workspace data (prompts, engine responses, competitors, schedules): kept while your account is active. Workspace rows are wiped within 30 days of account deletion.
  • Usage data: kept while the account is active, then aggregated or deleted.
  • Payment and invoice records: kept for up to 7 years in line with UAE commercial record-keeping norms.
  • Technical logs (IP, user agent, request logs): retained for up to 30 days for security and debugging, then deleted or fully anonymised.
  • Support correspondence: retained as necessary to resolve your inquiries, maintain service quality, and meet any applicable legal or contractual obligations.

9. Security Measures

We apply reasonable technical and organisational measures appropriate to the nature of the service:

  • All traffic to https://seeno.ai and to our APIs is served over TLS.
  • Data at rest inside Supabase is encrypted using the platform's managed encryption.
  • Database access uses row-level security policies so that each workspace can only read its own rows.
  • Server-side operations use scoped service keys with least-privilege permissions; production secrets are not shared with client code.
  • Payment card data is handled directly by Stripe; Seeno.ai never sees or stores full card numbers, CVCs, or expiry details.
  • Error monitoring via Sentry is configured to strip personally identifiable information from event payloads.
  • Access to production systems is limited to authorised engineering staff and is logged.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to create a risk to your rights, we will notify you and the competent authority in line with the UAE PDPL, and, where applicable, the GDPR/UK GDPR notification rules.

10. Your Rights

Subject to the UAE PDPL, and to GDPR/UK GDPR where it applies to you, you have the following rights over your personal data:

  • Access - request a copy of the personal data we hold about you.
  • Correction - ask us to fix data that is inaccurate or incomplete.
  • Deletion - ask us to delete your data, subject to legal retention obligations.
  • Portability - receive an export of the data you have provided in a commonly used, machine-readable format.
  • Objection and restriction - object to processing based on legitimate interest, or ask us to restrict processing in specific situations.
  • Withdraw consent - withdraw any consent you have given for optional processing, without affecting earlier lawful processing.
  • Lodge a complaint - with the UAE Data Office under the PDPL, or, for EEA/UK residents, with your local supervisory authority.

Access, correction, export, and deletion of your personal data are available directly in the dashboard (profile, workspace settings, account deletion). Other requests, including objection, restriction, and withdrawal of consent for processing that cannot be toggled in-product, can be submitted to hi@seeno.ai. We will respond within the time required by applicable law and may need to verify your identity before acting on a request.

11. Cookies and Similar Technologies

Seeno.ai is designed to use only cookies and similar technologies that are strictly necessary to run the service. In practice, this can include:

  • Authentication and session cookies and tokens set by Supabase Auth and by our own application.
  • Security, load-balancing, and bot-mitigation cookies set by our hosting and CDN providers (Vercel and Cloudflare).
  • Payment and fraud-prevention cookies set by Stripe when you interact with billing flows.
  • Limited diagnostic identifiers used by Sentry for error monitoring, configured to exclude personally identifiable information.

We do not operate cross-site advertising trackers, and we do not sell audience data to ad networks. You can block or delete cookies in your browser, but blocking strictly necessary cookies will prevent you from signing in or completing payment.

12. Children's Data

Seeno.ai is a business tool. The service is not offered to individuals under the age of 16, and it is intended for business users acting for a company, firm, or sole proprietorship. Seeno does not knowingly collect personal data from children under 16. If we learn that an account has been created by, or contains personal data of, a child under 16, we will delete the account and purge the associated data promptly.

13. Changes to This Policy

Material changes are notified via email to the primary account email and an in-app banner at least 14 days before they take effect. Non-material corrections (typos, clarifications, updated subprocessor entries) may take effect immediately. The effective date at the bottom of this policy is updated with every change. Your continued use after the notice period means you accept the revised policy; if you do not, you may delete your account before the changes take effect.

14. Contact and Data Requests

For any question, privacy request, or complaint, write to hi@seeno.ai from the email on file. Include enough detail for us to identify the account and the specific request. We aim to respond within 30 days. Our controller of record is CARDIGITAL FZCO, DSO-FZCO License #15150, Dubai Silicon Oasis, DSO-IFZA, Dubai, United Arab Emirates.

15. Effective Date

This Privacy Policy is effective as of 2026-04-24.