AEO Platform

Data controller

CPG Estudio IA, sole proprietorship by Carlos Peña Garcia, based in Spain. DPO: coyotepalido@gmail.com.

What we collect

Account data: email, name, locale.
Organization data: company name, country, VAT, billing.
Project data: URLs, queries, competitors you configure.
Measurement data: AI responses, citations detected.
Technical logs: IP, user agent, action audit (Art. 12 AI Act).

Legal basis (GDPR Art. 6)

6.1.b Contract performance: provide the Service.
6.1.f Legitimate interest: monitoring, security, abuse prevention.
6.1.a Consent: optional marketing communications.

Subprocessors

We rely on the following providers, all GDPR-compliant:

Supabase (Frankfurt, Germany) — database + auth + storage.
Vercel — hosting.
OpenAI, Anthropic, Perplexity, Google — LLM measurement.
Stripe — payments.
Resend — transactional email.
Sentry — error monitoring (when activated).

Your rights

You can exercise the following GDPR rights at any time from /settings → RGPD or by email to coyotepalido@gmail.com:

Access (Art. 15) — export all your data as JSON.
Rectification (Art. 16).
Erasure / right to be forgotten (Art. 17) — delete account button.
Restriction (Art. 18), Portability (Art. 20), Objection (Art. 21).
Complaint to AEPD (www.aepd.es).

AI Act transparency (Art. 50)

AEO Platform uses generative AI to (a) query third-party AI assistants on your behalf, (b) analyze their responses, and (c) generate recommendations. We log model versions per run for traceability (Art. 11 AI Act). Recommendations are advisory; you remain decision-maker.

Retention

Raw LLM responses: 365 days.
Audit log: 5 years (legal obligation).
Read alerts: 90 days.
Invoices: 10 years (Spanish tax law).