
Privacy Policy

Last updated: 27 April 2026 · Effective: 27 April 2026

Plain-language summary: EOMA is a marketing intelligence platform. To make your brand AI-native, we collect (1) information you give us, (2) data we generate while running your workspace, and (3) data we collect via cookies. We don't sell your data. You can export, delete, or take it back at any time.

On this page

  1. Who we are
  2. What we collect
  3. Why we process it
  4. Legal bases (GDPR / KVKK)
  5. Sub-processors
  6. Cookies & tracking
  7. Retention
  8. International transfers
  9. Security
  10. Your rights
  11. Children
  12. Changes
  13. Contact

1. Who we are

EOMA ("EOMA," "we," "us," "our") is a marketing intelligence platform that analyses how AI engines (ChatGPT, Perplexity, Gemini, Claude, and others) cite brands, then ships content, schema, and social moves to improve that visibility.

For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and Türkiye's Personal Data Protection Law No. 6698 (KVKK), EOMA is the data controller of personal data you provide on this website and the data processor of personal data you upload into your EOMA workspace.

For California residents, this notice serves as the disclosure required by the California Consumer Privacy Act (CCPA / CPRA).

2. What we collect

2.1 Information you give us

  • Account details: name, email, password hash, company, optional phone (when you book a demo or sign up).
  • Brand profile: your website URL, brand description, target audience, competitors you track.
  • Connected accounts: OAuth tokens for Google (GA4, Search Console, Drive), Meta (Facebook, Instagram), and social platforms (X, LinkedIn, TikTok, YouTube). We never see your password for those services.
  • Billing: handled by Stripe; we receive last-4 digits and country, never the full card number.
  • Support communications: anything you email to info@eoma.ai.

2.2 Data we generate while running your workspace

  • AI-visibility scans: prompts run through ChatGPT, Perplexity, Gemini, Claude, and Google AI Overviews; the responses returned; and our analysis of where your brand appears.
  • Competitor scrapes: public posts, mentions, and metadata from X, Reddit, TikTok, YouTube, LinkedIn, and Instagram, fetched via Apify on your instruction.
  • Generated content: blog drafts, FAQ entries, schema patches, and social posts created by the agent for your approval.
  • Usage logs: agent sessions, tool calls, token counts, costs (for billing and quota).

2.3 Data we collect automatically

  • Device & browser: IP address, user agent, language, time zone, device type.
  • Pages and events: pages visited, CTAs clicked, demo modal opens, time on page (via Google Analytics 4 and Meta Pixel).
  • Cookies: see Cookies & tracking.

3. Why we process it

We use your data to:

  • Provide the EOMA service (analyse visibility, generate content, ship moves you approve).
  • Run your account: authentication, billing, usage limits, security monitoring.
  • Improve the product: aggregate, anonymised analytics on which features get used.
  • Communicate with you: product updates, security notices, replies to your questions.
  • Marketing: contextual advertising on Meta and Google (you can opt out; see Your rights).
  • Comply with legal obligations: tax records, audit trails, requests from competent authorities.

We do not sell your personal data, and we do not use the content of your workspace data to train third-party AI models.

4. Legal bases (GDPR / KVKK)

| Purpose | Legal basis (GDPR Art. 6 / KVKK Art. 5) |
|---|---|
| Providing the service to you | Performance of contract |
| Billing & tax records | Legal obligation |
| Security & abuse prevention | Legitimate interests |
| Product analytics & improvement | Legitimate interests |
| Marketing emails & advertising cookies | Consent (you can withdraw at any time) |

5. Sub-processors

We use the following sub-processors. Each is bound by a Data Processing Agreement (DPA) and contractually limited to the purpose listed.

| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | USA / EU |
| Vercel Inc. | Frontend hosting and edge delivery | USA / Global |
| Railway Corp. | Backend application hosting | USA |
| Anthropic, PBC | LLM inference (Claude) | USA |
| OpenAI, LLC | LLM inference (ChatGPT) | USA |
| Perplexity AI, Inc. | LLM inference (Perplexity) | USA |
| Google LLC | Gemini inference, Analytics, Ads, Search Console, Calendar | USA / EU |
| DataForSEO LLC | SERP & AI-mentions data | USA |
| Apify Technologies s.r.o. | Public-web competitor scraping | EU (Czechia) |
| Meta Platforms, Inc. | Pixel, ads attribution, Facebook/Instagram OAuth | USA / EU |
| Postiz | Social media publishing pipeline | EU |
| Stripe, Inc. | Payments & tax | USA / EU |

An up-to-date list is available on request at info@eoma.ai.

6. Cookies & tracking

We use first-party cookies for authentication and session state. We use third-party tracking pixels for analytics and advertising:

  • Google Analytics 4 (G-8WCC8LYLPQ): page views, conversions, user paths.
  • Google Ads (AW-18070552185): conversion attribution.
  • Meta Pixel (1302112875167740): retargeting, lookalike audiences, conversion attribution.

You can disable advertising cookies via your browser settings, the Google Ads Settings page, or the Meta Off-Facebook Activity tool.

7. Retention

  • Account data: kept while your account is active and for 30 days after a deletion request, then permanently erased.
  • Workspace data (visibility scans, scraped data, generated content): retained for the lifetime of your subscription; you may export or delete it from your settings at any time.
  • Billing records: kept 10 years per Turkish tax law.
  • Security logs: kept 12 months.

8. International transfers

EOMA is operated from Türkiye. To deliver the service, we transfer personal data to sub-processors in the USA, EU, and UK. For transfers outside Türkiye and the European Economic Area, we rely on Standard Contractual Clauses (SCCs), adequacy decisions where applicable, and explicit user consent for cookies as listed above.

9. Security

We protect your data with:

  • TLS 1.3 in transit.
  • AES-256 at rest (Supabase / Vercel managed encryption).
  • Row-level security on every database table: your workspace is isolated from every other workspace.
  • Service-role keys never exposed to the browser.
  • Annual third-party penetration testing.
  • Incident notification within 72 hours of a confirmed breach (per GDPR Art. 33 / KVKK Art. 12).

10. Your rights

Depending on where you live, you have some or all of the following rights. To exercise any of them, email info@eoma.ai from the address on your account. We respond within 30 days.

  • Access: get a copy of the personal data we hold about you.
  • Rectification: correct inaccurate data.
  • Deletion ("right to be forgotten"): erase your account and workspace.
  • Portability: receive your data in a machine-readable format.
  • Restriction & objection: limit or object to processing for marketing or analytics.
  • Withdraw consent: for cookies and marketing emails, at any time.
  • Lodge a complaint: with your local supervisory authority. In Türkiye that is the Personal Data Protection Authority (KVKK); in the EU, your national DPA.
  • California residents (CCPA): right to know, right to delete, right to opt out of "sale" or "sharing" (we don't sell, but Meta/Google ad cookies count as "sharing"; opt out via the controls above).

11. Children

EOMA is a B2B product not intended for users under 18. We do not knowingly collect personal data from children. If you believe a minor has given us personal data, contact us and we will delete it.

12. Changes to this policy

When we change this policy materially, we'll email registered users at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version.

13. Contact

Questions, requests, or complaints:

  • Email: info@eoma.ai
  • Subject line for data requests: "Privacy request [Access / Deletion / Portability / etc.]"

This document is provided in good faith as a fair description of how EOMA handles personal data. It is not legal advice. If you operate under a regulated regime (HIPAA, financial services, government), please contact us to arrange a custom Data Processing Agreement.

© 2026 EOMA · All rights reserved