# Privacy Policy

Last updated: 1 May 2026

Effective: 1 May 2026

This Privacy Policy explains how Searchable, Inc. ("Searchable", "we", "us", "our") collects, uses, shares, and protects personal data in connection with our subscription platform, our advisory and consulting services, and our website. We sell to businesses worldwide, and this Policy is designed to meet the requirements of the EU General Data Protection Regulation ("EU GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), other U.S. state privacy laws now in force, and equivalent laws in other regions where we do business.

## 1. Who we are

Searchable, Inc. is a corporation organised under the laws of the State of Delaware, U.S.A. We provide an AI search and answer-engine optimisation ("AEO") platform that helps businesses understand and improve how they appear across AI-powered search and generative answer engines, and we deliver related advisory and consulting services.

Searchable, Inc. is the controller (or, where applicable, the "business" under U.S. state privacy laws) for personal data described in this Policy, except where we act as a processor (or "service provider") on behalf of a customer in connection with Customer Content submitted to the platform. In that case, the customer is the controller, and our processing is governed by our Data Processing Addendum ("DPA").

Searchable Limited (registered in England and Wales, Co. Reg. No. 16579753, 10 Queen Street Place, City Of London, United Kingdom, EC4R 1AG) acts as a sub-processor of Searchable, Inc. when its personnel access personal data in the course of delivering the Service or our consulting engagements. We have appointed Prighter Group as our representative in the United Kingdom for the purposes of Article 27 of the UK GDPR; its contact details are set out below.

### How to contact us about privacy

**Searchable, Inc. (controller)**

Address: 131 Continental Drive, Suite 305, Newark, DE 19713, U.S.A.

Email: [privacy@searchable.com](mailto:privacy@searchable.com)

**Prighter Group (UK Article 27 representative)**

Prighter Group, with its local partners, acts as our representative in the United Kingdom for the purposes of Article 27 of the UK GDPR.

To exercise your data subject rights or to contact us through our representative, please visit:
[https://app.prighter.com/portal/12793767836](https://app.prighter.com/portal/12793767836)

**EU Article 27 representative**

Prighter Group, with its local partners, acts as our representative in the European Union for the purposes of Article 27 of the EU GDPR. Our EU representative is located in Ireland. To exercise your data subject rights or to contact us through our representative, please visit:
[https://app.prighter.com/portal/12793767836](https://app.prighter.com/portal/12793767836).

To exercise your rights, please email [privacy@searchable.com](mailto:privacy@searchable.com) with the subject **DATA PROTECTION REQUEST**. We will respond within the time required by applicable law (and in any event within 30 days, or 45 days for requests under the CCPA, with one extension of up to 45 days where reasonably necessary).

## 2. Scope of this Policy

This Policy applies to personal data we process in connection with:

- our subscription platform and related applications (the "Service");
- our advisory, consulting, and managed services delivered under a Statement of Work or Consulting Services Agreement;
- our websites, including searchable.com and any subdomains; and
- our marketing, sales, and event activities.

The Service is offered exclusively to businesses and not to consumers. We do not knowingly market to or collect personal data from individuals under the age of 18. This Policy does not cover third-party websites, services, or AI platforms we link to or interoperate with; their privacy practices are governed by their own policies.

## 3. Information we collect and why

We collect personal data directly from you when you create an account, contract with us, contact us, attend our events, or engage us for consulting work; automatically when you use our Service or website; and from third parties such as analytics providers, payment processors, the AI platforms we query on your behalf, and publicly available sources.

### 3.1 Subscription customer and account data

When you or your organisation creates an account with the Service, we collect your name, work email address, company name, job title, role, country, and authentication identifiers. We use this to create and manage accounts, authenticate Users, deliver the Service, communicate about your subscription, and meet our obligations under the Subscription Terms.

Legal basis: performance of a contract (UK/EU GDPR Art. 6(1)(b)); legitimate interests in administering customer accounts (Art. 6(1)(f)).

### 3.2 Billing and financial records

To process payments and maintain financial records we collect billing name, billing address, work email, VAT/tax identifier where applicable, and limited payment-card metadata (e.g., card brand and last four digits, expiry). Full payment-card data is collected and stored by our payment processor (Stripe); we do not store full card numbers.

Legal basis: performance of a contract (Art. 6(1)(b)); compliance with legal obligations including tax, accounting, and audit law (Art. 6(1)(c)).

### 3.3 Platform usage data

We collect information about how you use the Service - features accessed, actions taken, queries run, session metadata, IP address, device and browser information, error logs, and performance telemetry. We use this to operate, secure, debug, and improve the Service over time, to detect and prevent abuse, and to generate operational logs and metrics.

Legal basis: legitimate interests (Art. 6(1)(f)) in operating, securing, and improving the Service.

### 3.4 Customer Content and queries

To deliver the Service, we host, transmit, store, and process the data, files, prompts, queries, URLs, and other content you or your Users submit ("Customer Content"). Customer Content may contain personal data that you control. We process Customer Content on your documented instructions as your processor under our DPA, including for the operational uses described in Section 9.2 of the Subscription Terms.

Legal basis: on behalf of the customer (controller) under contract; we act as processor under the DPA.

### 3.5 AI visibility tracking data

We generate and run synthetic queries against AI platforms on your behalf and return the results to you. This data is about your brand's presence in AI search and answer-engine outputs and does not contain personal data about you or your end users.

Legal basis: performance of a contract (Art. 6(1)(b)).

### 3.6 Connected third-party data

If you connect third-party tools to your account (for example, Google Search Console or analytics platforms) we may access data from those tools solely to improve the Service we provide to you. We do not retain this data beyond what is needed to complete the task - it is used in-flight and discarded.

Legal basis: performance of a contract (Art. 6(1)(b)).

### 3.7 Third-party competitive intelligence data

This section fulfils our transparency obligations under Article 14 UK/EU GDPR.

To provide competitive benchmarking features we process publicly available web content and AI platform outputs. This content may incidentally include names or other identifiers of individuals who appear in public-facing content (such as published authors or company representatives). We do not seek to collect personal data about individuals and apply minimisation controls to limit it. This data is sourced from publicly available internet content and is not collected directly from individuals.

Legal basis: legitimate interests (Art. 6(1)(f)). We have documented a Legitimate Interests Assessment confirming that our analytics purpose is proportionate given the public nature of the data and our retention controls.

You have the right to object to this processing at any time. Email [privacy@searchable.com](mailto:privacy@searchable.com) and we will add you to our exclusion list.

### 3.8 Aggregated and de-identified data

We collect, generate, derive, and use aggregated and de-identified data - data that has been aggregated and de-identified such that it does not identify you, your organisation, or any individual - for any lawful purpose, including industry benchmarks, analytics, research, model evaluation, product development, and incorporation into the Service. As between us and you, aggregated data is owned by Searchable. We commit to maintain de-identification, will not attempt to re-identify the data, and will contractually prohibit recipients from doing so. Aggregated data is not "personal data" once de-identified, but we describe it here for transparency.

### 3.9 AI/ML model training

"Model Training" means including raw Customer Content in datasets used to train, fine-tune, or otherwise develop the parameters or weights of an AI or machine-learning model. Operational uses (Section 9.2 of the Subscription Terms), aggregated data (Section 9.4), and anonymous benchmarking and quality-assurance review of Service outputs are not Model Training. During a Free Trial, Customer Content may be used for Model Training; you may opt out at any time during the Trial Period through the account interface or by emailing [privacy@searchable.com](mailto:privacy@searchable.com). On all paid Plans (whether self-serve or under an executed Order Form), Customer Content may be used for Model Training; you may opt out at any time, on a forward-looking basis, by toggling the Model Training opt-out in account settings or by emailing [privacy@searchable.com](mailto:privacy@searchable.com) with the subject line "MODEL TRAINING OPT-OUT". Opt-out takes effect within thirty (30) days, applies to future training only, and does not affect any Model Training already performed. Order Form Customers may negotiate alternative Model Training terms in their Order Form.

Legal basis: performance of a contract (Art. 6(1)(b)) - the Model Training licence is granted under the Subscription Terms - with a contractual right to opt out at any time.

### 3.10 Advisory and consulting client data

When we deliver advisory and consulting work under a Statement of Work or Consulting Services Agreement, we collect:

- client stakeholder contact details (name, work email, role, telephone);
- brand assets, executive communications, content, and analytics data shared with us for review (which may include personal data of executives or authors);
- notes, recordings, and transcripts of meetings and workshops where the client has consented to recording; and
- deliverables and working files prepared during the engagement.

We use this data to deliver the engagement, document our work, manage the client relationship, and improve our methodologies in aggregated form.

Legal basis: performance of a contract (Art. 6(1)(b)); legitimate interests in delivering and documenting professional services (Art. 6(1)(f)); consent for meeting recordings.

### 3.11 Marketing communications

We may send you product updates, educational content, event invitations, and news about Searchable. For business contacts in the U.S. and U.K., we typically rely on legitimate interests; where consent is required (for example, in certain EU/EEA jurisdictions, or for SMS/text messages under U.S. law), we will ask for it. You can unsubscribe from marketing emails at any time via the unsubscribe link in any email we send, or by emailing us. Unsubscribed contacts are not re-contacted unless they explicitly opt back in.

Legal basis: legitimate interests (Art. 6(1)(f)); consent (Art. 6(1)(a)) where required. CAN-SPAM Act and TCPA in the U.S.

### 3.12 Website analytics and product monitoring

We use analytics tools on our website and platform to understand usage patterns and improve the product. On the website, these tools are subject to your cookie preferences, which you can manage via our cookie banner or our Cookie Policy.

Legal basis: consent (Art. 6(1)(a)) for non-essential cookies; legitimate interests for product analytics on the authenticated platform.

### 3.13 Sales and prospect data

We process business-contact data of prospective customers obtained from publicly available sources (for example, LinkedIn, company websites), at events, or through opt-in forms. We use this data to qualify prospects and reach out about our Service. You can opt out at any time by replying to any email or contacting us at [privacy@searchable.com](mailto:privacy@searchable.com).

Legal basis: legitimate interests (Art. 6(1)(f)) in B2B marketing; consent where required.

## 4. Sensitive personal data

We do not knowingly collect, use, or disclose "sensitive personal information" as defined under the CCPA (or "special categories of personal data" under the UK/EU GDPR) for the purpose of inferring characteristics about you. We do not permit Customers to submit special-category data through Customer Content unless expressly agreed in writing in advance. To the extent we incidentally process any such data, we do so only as strictly necessary to deliver the Service or comply with law.

## 5. How long we keep your data

We retain personal data for as long as we need it for the purposes described above and to meet our legal, accounting, and reporting obligations. After that, we delete or de-identify it. Indicative retention periods:

| Data category | Retention period |
| --- | --- |
| Account and contact data | Duration of contract, plus 90 days |
| Billing and financial records | Seven (7) years (U.S. tax / IRS) or longer where required by other applicable law |
| Platform usage data | Pseudonymised within 30 days; aggregates retained up to 12 months |
| AI visibility and crawl data | Up to 90 days, then deleted or anonymised |
| Connected third-party data | Not retained - discarded after use |
| Competitive intelligence content | 90 days maximum for any personal identifiers |
| Marketing records | Duration of consent or relationship, plus 6 years |
| Consulting engagement files | Duration of engagement, plus 6 years (statute of limitations) |
| Meeting recordings | Up to 12 months unless agreed otherwise |
| Cookies | Per the durations set out in our Cookie Policy |

## 6. Who we share your data with

We share data only with parties that need it to help us deliver, support, secure, or improve our Service and consulting work, or where required by law. We do not sell your personal data, and we do not share it for cross-context behavioural advertising.

### 6.1 Sub-processors

We engage third-party service providers to help us run the Service - cloud infrastructure, AI/LLM providers, payment processing, customer support, email delivery, product analytics, and security tooling. These providers act as our sub-processors and are bound by written data-protection terms imposing obligations no less protective than those in our DPA. Examples include:

- Amazon Web Services, Inc. (cloud infrastructure - U.S./EU);
- OpenAI, L.L.C. and other LLM providers (model inference - U.S.);
- Stripe, Inc. (payment processing - U.S./EU);
- a customer support / ticketing provider (U.S./EU);
- an email delivery provider (U.S./EU); and
- an analytics / product-telemetry provider (U.S./EU).

A current list of our sub-processors is available on request by emailing [privacy@searchable.com](mailto:privacy@searchable.com). We notify customers of changes to our sub-processor list in accordance with our DPA.

### 6.2 Group companies

We share data within our group of companies on a need-to-know basis. In particular, Searchable Limited (UK) employs members of our team who deliver and support the Service and our consulting engagements; it processes personal data as a sub-processor of Searchable, Inc. under intra-group data-protection terms.

### 6.3 Professional advisors

We share data with our auditors, accountants, lawyers, insurers, and similar professional advisors where reasonably necessary, under duties of confidentiality.

### 6.4 Corporate transactions

If we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal data may be transferred to the counterparty, subject to confidentiality obligations and applicable law. We will notify you of any change in controllership.

### 6.5 Legal and regulatory disclosures

We may disclose personal data where required by law, court order, or regulatory request, to enforce our agreements, to protect the rights, property, or safety of Searchable, our customers, or third parties, or to investigate fraud or security incidents.

### 6.6 No sale or sharing

We do not sell personal data, and we do not share personal data for cross-context behavioural advertising, in each case as those terms are defined under the CCPA and analogous U.S. state privacy laws. We have not done so in the preceding twelve months.

## 7. International transfers

As a U.S.-headquartered company with a UK group company and customers worldwide, we transfer personal data internationally. We rely on the following mechanisms:

- **EU/EEA transfers:** the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), Module 2 (Controller to Processor) or Module 3 (Processor to Processor) as applicable, with the Irish Data Protection Commission as competent supervisory authority (or the customer's lead authority where the customer is established in another EEA Member State), supplemented by the technical, contractual, and organisational measures described in our DPA.
- **UK transfers:** the UK International Data Transfer Addendum issued by the ICO, or the UK Addendum to the EU SCCs.
- **Swiss transfers:** the EU SCCs with the Swiss-specific modifications described in our DPA, with the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the supervisory authority.
- **Adequacy decisions:** where applicable, we rely on adequacy decisions issued by the European Commission, the UK Government, or the Swiss Federal Council.
- **Other regions:** for transfers from other jurisdictions, we use the transfer mechanisms recognised by local law, including standard contractual clauses, model clauses, or your consent where appropriate.

Details of the transfer mechanisms in place for each provider are available on request by emailing [privacy@searchable.com](mailto:privacy@searchable.com).

## 8. How we protect your data

We take security seriously. Our administrative, technical, and physical safeguards include:

- encryption of data at rest (AES-256) and in transit (TLS 1.2+);
- role-based access controls, single sign-on, and multi-factor authentication for personnel;
- a segmented production environment, network firewalls, intrusion detection, and centralised logging and monitoring;
- secure software development lifecycle controls, code review, dependency scanning, and at least annual penetration testing;
- background checks, security training, and written confidentiality obligations for personnel;
- encrypted, regularly tested, geographically distributed backups;
- a documented incident response plan with 24x7 on-call coverage; and
- vendor and sub-processor due diligence prior to engagement and on a periodic basis.

If we become aware of a personal data breach that affects your personal data, we will notify the affected customer without undue delay, and in any event within seventy-two (72) hours, in accordance with our DPA and applicable law. Where required, we will also notify the relevant supervisory authority and affected individuals.

## 9. Your privacy rights

Your rights depend on where you live and the law that applies to you. The categories below summarise the most common rights; we honour all rights granted to you by applicable law.

### 9.1 EU/EEA, UK, and Swiss residents

Under the UK GDPR, EU GDPR, and Swiss FADP you have the right to:

- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data (the "right to be forgotten"), subject to limited exceptions;
- Restrict how we process your data in certain circumstances;
- Portability - receive your data in a structured, machine-readable format;
- Object to processing based on legitimate interests, including our competitive-intelligence processing and direct marketing;
- Withdraw consent at any time where processing is consent-based;
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you (we do not currently make such decisions about Service users).

If you are not satisfied with our response you have the right to complain to your local supervisory authority, including the UK Information Commissioner's Office ([ico.org.uk](https://ico.org.uk); 0303 123 1113), your local EU supervisory authority, or the Swiss FDPIC. We would welcome the opportunity to resolve any concern directly - please contact us first.

### 9.2 California residents (CCPA/CPRA)

Under the California Consumer Privacy Act, as amended by the CPRA, California residents have the right to:

- Know the categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes for which we use it, and the categories of third parties with whom we share it;
- Delete personal information we have collected, subject to limited exceptions;
- Correct inaccurate personal information;
- Opt out of the "sale" or "sharing" of personal information - we do not sell or share personal information, but you may submit such a request and we will honour it;
- Limit the use and disclosure of sensitive personal information - we do not use sensitive personal information for purposes other than those permitted by the CCPA without consent;
- Non-discrimination - we will not deny goods or services, charge different prices, or provide a different level or quality of service because you exercised a right under the CCPA.

Categories of personal information we have collected, sold, shared, or disclosed in the preceding twelve (12) months under the CCPA categories (Cal. Civ. Code Section 1798.140):

| CCPA category | Collected | Sold | Shared (cross-context advertising) | Disclosed for a business purpose |
| --- | --- | --- | --- | --- |
| Identifiers (e.g., name, email, IP) | Yes | No | No | Yes - to sub-processors |
| Customer records (Cal. Civ. Code Section 1798.80(e)) | Yes | No | No | Yes - to sub-processors |
| Commercial information (subscriptions, transactions) | Yes | No | No | Yes - to sub-processors |
| Internet/network activity (usage logs) | Yes | No | No | Yes - to sub-processors |
| Geolocation (general, IP-based) | Yes | No | No | Yes - to sub-processors |
| Professional/employment information | Yes | No | No | Yes - to sub-processors |
| Inferences | Limited | No | No | Yes - to sub-processors |
| Sensitive personal information | No | No | No | No |

Retention is described in Section 5. We retain each category of personal information for the period set out there, or longer where required by law.

To exercise your CCPA rights, email [privacy@searchable.com](mailto:privacy@searchable.com) with the subject **CALIFORNIA PRIVACY REQUEST**. You may use an authorised agent to submit a request on your behalf, in which case we will require written proof of authorisation. We may need to verify your identity before responding.

"Shine the Light" - California Civil Code Section 1798.83 entitles California residents to request information regarding our disclosure of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their own direct marketing.

### 9.3 Other U.S. state residents

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Kentucky, and Rhode Island, among others, have rights similar to those of California residents under their state's comprehensive privacy law. These typically include the right to:

- confirm whether we process personal data about you and access that data;
- correct inaccurate personal data;
- delete personal data;
- obtain a portable copy of personal data;
- opt out of targeted advertising, the sale of personal data, and certain profiling that produces legal or similarly significant effects (we do not engage in any of these activities);
- appeal a denial of any of the above rights.

To exercise your rights, email [privacy@searchable.com](mailto:privacy@searchable.com). If we deny your request you may appeal by replying to our response, and if your appeal is denied you may contact your state attorney general.

We honour the Global Privacy Control (GPC) signal as an opt-out of sale and sharing on our website.

### 9.4 Other regions

If you are based in Brazil (LGPD), Canada (PIPEDA and provincial privacy laws), Australia (Privacy Act 1988), or another jurisdiction with a comprehensive privacy law, you may have similar rights. We will honour the rights granted to you by applicable law. Please contact us using the details in Section 1.

### 9.5 How to exercise your rights

Email [privacy@searchable.com](mailto:privacy@searchable.com) with the subject **DATA PROTECTION REQUEST** and tell us which right you would like to exercise. We will respond within the time required by applicable law (and in any event within 30 days, or 45 days for CCPA requests, with one extension of up to 45 days where reasonably necessary). We may need to verify your identity before responding. We will not charge a fee unless your request is manifestly unfounded or excessive. Where Searchable acts as a processor on behalf of a customer (for example, in respect of Customer Content), we will redirect your request to the relevant customer.

## 10. Cookies and similar technologies

We use cookies and similar technologies on our website and platform. You can manage your preferences at any time via our cookie banner or by visiting our [Cookie Policy](/cookies).

| Type | Purpose | Consent required |
| --- | --- | --- |
| Strictly necessary | Core platform functionality and security | No |
| Analytics | Understanding usage patterns | Yes |
| Marketing | Campaign attribution | Yes |

## 11. AI features and disclosures

The Service uses artificial intelligence and large language models, including third-party models hosted by our LLM sub-processors. AI outputs may be inaccurate, incomplete, biased, out of date, or unsuitable for a particular purpose, and may include hallucinated or fabricated content. You are responsible for reviewing and verifying any output before relying on it. We do not use AI to make decisions that produce legal or similarly significant effects on individuals.

Where we use Customer Content with third-party AI providers, those providers act as our sub-processors and are contractually prohibited from using Customer Content to train their general-purpose models. Model Training, where it occurs at all, is governed by Section 3.9.

## 12. Model Context Protocol (MCP) integration

Searchable publishes a Model Context Protocol (MCP) server that lets third-party AI assistants (Claude.ai, Claude Desktop, Cursor, and other MCP-compatible clients) read data from your Searchable workspace on your behalf. If you connect an MCP client, the following applies:

- **Read-only access.** The MCP server exposes read-only tools. It cannot create, modify, or delete data in your workspace.
- **Scope of data.** Connected clients can query the projects you own: project metadata, AI visibility metrics, article content and SEO metadata, and site-audit findings. They cannot access other workspaces or other Users' data.
- **Authentication via OAuth 2.1.** You consent to access on an explicit authorise page that lists the permissions being granted. Your Searchable API key is stored encrypted on our MCP server and is never exposed to the client; the client receives an OAuth access token only.
- **Third-party client responsibility.** Once data is returned to the connected client, its handling is governed by that client's privacy policy (e.g., Anthropic for Claude). Check the client's policy before connecting.
- **Revocation.** You can revoke MCP access at any time from [Settings > Integrations](/settings/integrations) by deleting the API key used for the connection.
- **Logs.** We log MCP request metadata (timestamp, endpoint, HTTP status) for security and debugging. We do not log the contents of tool responses.

Full setup and tool reference: [docs.searchable.com/integrations/mcp](https://docs.searchable.com/integrations/mcp).

## 13. Children

The Service is not directed to children. We do not knowingly collect personal data from children under the age of 18. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.

## 14. Automated decision-making and profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals. Where we use machine-learning models within the Service to rank, classify, or summarise content, the outputs are provided to you for review and do not result in automated decisions about you.

## 15. Changes to this Policy

We will notify you of material changes by email before they take effect, or, where you do not have an account with us, by posting a prominent notice on our website. The Last updated date at the top of this page always reflects the current version. Previous versions are available on request.

## 16. Contact

**Searchable, Inc.**

Address: 131 Continental Drive, Suite 305, Newark, DE 19713, U.S.A.

Email: [privacy@searchable.com](mailto:privacy@searchable.com)

For data protection matters: subject line DATA PROTECTION REQUEST

**UK Article 27 representative — Prighter Group**

Prighter Group (with its local partners) acts as our UK representative for the purposes of Article 27 of the UK GDPR.

To exercise your rights or contact us through our representative, please visit:
[https://app.prighter.com/portal/12793767836](https://app.prighter.com/portal/12793767836)

**EU Article 27 representative**

Prighter Group (with its local partners) — located in Ireland. To exercise your rights or contact us through our representative, please visit: [https://app.prighter.com/portal/12793767836](https://app.prighter.com/portal/12793767836)

