Privacy Policy

This policy explains what data TopSlot collects, why we collect it, what we do with it, and what we will never do with it. We wrote it to be readable, not lawyer-proof. If something here is unclear, email us and we will clarify in plain English.

TopSlot ("we", "us", "our") is the registered legal entity that operates the topslot.ai platform — an AI Visibility Intelligence platform tracking how brands appear across ChatGPT, Gemini, Claude, and Perplexity. By using the service you agree to this policy.

We collect only what we need to run the product:

• Account info: your email address, name, and password (hashed) when you create an account. Optional: company name.
• Brand info: brand names, websites, descriptions, and competitor details you submit for audits.
• Audit results: the outputs generated by AI models during your brand visibility audits — scores, mentions, citations, sentiment. This is your product data.
• Payment info: billing details are processed securely through Razorpay. We do not store your full credit card number on our servers — only a customer ID, plan, and billing status.
• Usage logs: pages you visit in the app, features you use, timestamps. Used for product improvement only.

We use your data to:

• Provide and maintain the TopSlot service
• Run AI visibility audits and tracking on your behalf
• Show you the dashboard, reports, and recommendations based on your tracking data
• Process payments and manage subscriptions
• Send service-related notifications and email alerts (transactional only, never marketing unless you opt in)
• Improve the product by looking at aggregate, anonymized usage patterns

We use essential cookies to manage authentication sessions and remember your preferences. We do not use third-party advertising or tracking cookies.

As long as you have an active account, we keep your tracking data so you can see trends over time. If you delete your account, we remove your personal info and account data within 30 days. Anonymized and aggregated data may be retained for analytics purposes, but never tied back to you.

You can export all your data at any time from your account settings. You can delete your account at any time without contacting support — it is a button in settings.

TopSlot is built on third-party infrastructure. Each has its own privacy policy governing how they handle data:

• Supabase — database hosting and user authentication. Data stored encrypted at rest.
• Razorpay — payment processing and subscription management. PCI-DSS compliant.
• OpenRouter — routing queries to AI models (ChatGPT, Claude, Gemini, Perplexity) for brand audits. We do not send your personal info, only brand-related prompts.
• Vercel — application hosting.
• Resend — transactional email delivery.
• Google APIs — Search Console and Analytics integrations, opted into per brand. See the dedicated section below for the full disclosure required by Google's API Services User Data Policy.

We only share with them what is strictly necessary to deliver the service.

When you connect a brand to Google Search Console or Google Analytics 4 from Pixel & Health → Analytics, TopSlot uses your Google account's OAuth grant to read a narrow slice of your data. This section is the disclosure required by Google's API Services User Data Policy for sensitive scopes.

What we request

• Search Console — read-only scope https://www.googleapis.com/auth/webmasters.readonly. We list the verified sites you own and pull the top queries + top pages for each site you connect to a brand.
• Google Analytics 4 — read-only scope https://www.googleapis.com/auth/analytics.readonly. We list the GA4 properties you have access to and pull aggregate session, user, and conversion metrics for each property you connect to a brand.

Both scopes are read-only. TopSlot cannot create, modify, or delete anything in your Google Analytics or Search Console accounts.

How we use it

Data fetched from Google is used solely to populate the AI Visibility dashboard for the brand you connected: query performance, page performance, AI-vs-traditional traffic comparisons, deployment verification. We do not use this data to train AI models, build aggregate analytics across customers, or for any purpose outside the single user-facing features that produced the OAuth request.

Limited Use

Specifically:

• We do not sell or transfer Google user data to third parties for advertising purposes.
• We do not use Google user data to serve advertisements.
• We do not allow humans to read your Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (e.g., investigating abuse), to comply with applicable law, or for an internal operation where the data has been aggregated and anonymized.

Storage and retention

OAuth tokens (access + refresh) are stored encrypted at rest in our Supabase database, scoped to your workspace via row-level security so no other customer can read them. The fetched analytics data is also stored on a per-brand basis and is deleted when you disconnect the integration or delete the brand. Disconnecting can be done anytime from Pixel & Health → Analytics → Disconnect, or by revoking access at myaccount.google.com/permissions.

Regardless of where you live, you have the right to:

• Access the personal data we hold about you (available anytime from account settings)
• Request correction of inaccurate data
• Delete your account and all personal data
• Export your data in a machine-readable format
• Withdraw consent for non-essential data processing at any time
• Opt out of any non-transactional email

For GDPR-covered residents: TopSlot is the data controller. Our legal basis for processing is contract performance (running the service you paid for) and legitimate interest (improving the product through aggregate analysis). For CCPA-covered residents: TopSlot does not sell your data. You may exercise the rights above by contacting us.

We implement industry-standard security measures including encryption in transit (TLS), encrypted storage, and role-based access controls to protect your data.

We collect certain technical information when you visit our website, including your IP address, browser type, device type, and approximate geographic location (country and city). This data helps us improve our service and understand our audience. We do not sell this data to third parties. If you provide your email address (for example, when generating a scorecard), we may associate it with your visit data to provide a better experience.

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification.