How do “runs” actually work?

A run sends each of your prompts to all 6 engines, from each country you target, and captures the full answer. Starter runs weekly. Growth and Agency run daily. Every run is timestamped and stored, so you can compare any two points in time.

What counts as a “mention”?

A mention is any time your brand is named in an engine's answer to one of your prompts, whether it's recommended, listed, or referenced in passing. We also separately track citations (when the engine links to one of your pages as a source), because being cited is stronger than being named.

Can I track different countries?

Yes. AI answers vary by region, so you can run the same prompts from the markets you sell in and compare share of voice country by country. Starter tracks 1 market per brand; Growth tracks up to 3 and Agency up to 10.

How often is my data refreshed?

It depends on your tier. Starter refreshes weekly. Growth and Agency refresh daily, so you catch swings in how engines answer much faster. You can also trigger a manual run anytime from the dashboard.

Do you support white-label reports?

On Agency, every PDF carries your logo and colors instead of ours, ready to send straight to a client. Growth includes standard branded PDF exports.

What's your refund policy?

Every plan comes with a 14-day money-back guarantee. If it's not for you, email us within two weeks for a full refund, no questions asked.

Data Processing Agreement

Effective date: June 15, 2026

This DPA applies to any customer (“Controller”) whose use of the Service involves the processing of personal data on their behalf by BestDid Technology, LLC (“Processor”). It is incorporated by reference into the Terms of Service. By accepting those Terms and using BD GEO Tracker to process personal data of any third party (for example, where you enter your own employees or contacts into a brand, or where a prompt incidentally references an identifiable individual), you accept this DPA. The Standard Contractual Clauses annexed at Annex D apply for any transfer of personal data out of the EEA or UK.

1. Definitions

Terms used and not defined here have the meaning given in the GDPR (Reg. (EU) 2016/679) and UK GDPR.

2. Subject matter, duration, nature, purpose

Subject matter. Processing of personal data necessary to provide the BD GEO Tracker Service to the Controller.
Duration. The term of the subscription, plus the retention window described in the Privacy Policy.
Nature and purpose. Storage, organization, retrieval, transmission to AI sub-processors, and deletion of personal data submitted by Controller through the Service.
Categories of data subjects.Controller's authorized users; any natural person identified in Controller -submitted prompts or competitor names.
Categories of personal data. Account identifiers, business contact information, prompt content, output snapshots. The Service is not designed for and should not be used to process special-category data under GDPR Art 9.

3. Documented instructions (Art 28(3)(a))

Processor processes personal data only on Controller's documented instructions. These Terms, the Service configuration in Controller's account, and Controller's lawful written instructions constitute those documented instructions. Processor will notify Controller if it believes an instruction infringes the GDPR or UK GDPR.

4. Confidentiality (Art 28(3)(b))

Processor ensures that personnel authorized to process the personal data are bound by confidentiality (whether by statute, contract, or professional obligation).

5. Security (Art 28(3)(c) and Art 32)

Processor implements appropriate technical and organizational measures including:

Encryption of personal data in transit (TLS 1.2+) and of database backups at rest.
Multi-factor authentication for administrative access.
Logical separation of customer data by account.
Vulnerability monitoring, error tracking, and incident-response procedures.
Sub-processor due diligence.

Detailed security measures are described in Annex B.

6. Sub-processors (Art 28(2) and (4))

Controller grants general authorization for Processor to engage the sub-processors listed in the Privacy Policy and Annex A. Processor will provide at least 14 days' prior notice of any new or replacement sub-processor by email. Controller may object during that period; if Processor cannot accommodate the objection, Controller may terminate the affected portion of the Service for a pro-rated refund of unused subscription fees.

7. Data-subject requests (Art 28(3)(e))

Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, in responding to data-subject access, rectification, deletion, restriction, portability, and objection requests. Controller is responsible for receiving and responding to such requests as the controller of record.

8. Assistance with Articles 32–36 (Art 28(3)(f))

Processor will assist Controller in ensuring compliance with security obligations, breach notification, data-protection impact assessments, and prior consultation. Processor will notify Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal-data breach affecting Controller's data, including the information required by Art 33(3) to the extent then known.

9. Deletion or return on termination (Art 28(3)(g))

Upon termination of the subscription, Processor will delete all personal data within 35 days, unless EU or applicable law requires longer retention. Controller may export its data at any time during the subscription via CSV export in the dashboard and may request a final export within 30 days of termination.

10. Audits (Art 28(3)(h))

Processor will make available to Controller all information necessary to demonstrate compliance with Art 28, including independent third-party security assessments where available, and will allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, subject to commercially reasonable confidentiality and scheduling. Audit costs are borne by Controller, and audits are limited to once every 12 months absent reasonable cause.

11. International transfers

The Standard Contractual Clauses (Module 2, EU SCCs 2021) annexed at Annex D apply to any transfer of personal data from the EEA to a country without an adequacy decision. The UK ICO International Data Transfer Addendum (Annex D-1) applies to transfers from the UK.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.

13. Governing law

This DPA is governed by the law specified in the Terms of Service, except that the SCCs and IDTA are governed by their own terms.

Annex A. Privacy Policy reference

See the Privacy Policy §2 for the customer-facing summary of categories of data, retention windows, and data subject rights (current as of the effective date of this DPA).

Annex B. Technical and organizational measures (TOMs)

The measures below describe BD GEO Tracker's production security posture as of the effective date. Measures are reviewed annually and updated as the platform evolves.

B.1 Encryption in transit

All traffic to BD GEO Tracker is served over HTTPS using TLS 1.2 or higher. HSTS is enabled across all production hostnames. Internal traffic between the application layer and the Postgres database traverses encrypted private networking inside the hosting provider.

B.2 Encryption at rest

Customer data is stored in a managed Postgres instance on Railway with encrypted volumes. Generated report PDFs are stored in Cloudflare R2 with server-side encryption enabled.

B.3 Access control and authentication

Per-account session authentication with a 7-day session expiry.
Passwords stored as bcrypt hashes with a work factor of 12.
Multi-tenant isolation enforced at every API endpoint by scoping all database queries to the authenticated account. Postgres row-level security is not relied upon; isolation and IDOR defenses are enforced at the application layer and verified by tests.
Administrative access to production infrastructure is limited to named operators and requires multi-factor authentication on the underlying hosting and cloud accounts.

B.4 Network and application security

The marketing site and app run behind the Vercel edge network. Standard security response headers are set on application responses, including a Content Security Policy, X-Frame-Options set to DENY, a Referrer-Policy of strict-origin-when-cross-origin, and a Permissions-Policy restricting browser features that the Service does not use.

B.5 Data minimization

BD GEO Tracker persists only the data needed to operate the Service: customer-supplied prompts, brand names being tracked, the account email used to log in, and the responses returned by AI engines for those prompts. The Service does not request or store special-category data, payment card numbers (handled by the upstream checkout provider), or end-user behavioral profiles.

B.6 Backup and recovery

The Postgres database is configured for point-in-time recovery via Railway's managed backup. Recovery procedures are documented and exercised on a periodic basis.

B.7 Audit logging

Administrative actions and significant account events emit structured JSON server logs retained by the hosting provider. Application errors and unhandled exceptions are sent to Sentry for triage.

B.8 Vendor security

Sub-processors are vetted before onboarding. The current list of sub-processors and the categories of data each one receives is in Annex C.

B.9 Vulnerability management

Application dependencies are scanned for known vulnerabilities using Socket.dev and npm audit on every change. Reported vulnerabilities are triaged by severity and patched on a rolling basis.

Annex C. Sub-processors

Customer will be notified at least 30 days before any new sub-processor is added. Customer may object to a new sub-processor by written notice to privacy@bdgeotracker.com, in which case BD will work in good faith to find an alternative.

Sub-processor	Purpose	Data processed	Location
OpenAI	LLM queries (ChatGPT engine; competitor and prompt research helpers)	Customer-supplied prompts; brand names	US
Anthropic	LLM queries (Claude engine)	Customer-supplied prompts; brand names	US
Google AI	LLM queries (Gemini engine; Google AI Overviews via SerpAPI)	Customer-supplied prompts; brand names	US
Perplexity	LLM queries (Perplexity engine)	Customer-supplied prompts; brand names	US
SerpAPI	Bing search emulation for the Microsoft Copilot engine; Google AI Overviews fetch	Customer-supplied prompts	US
Resend	Transactional email (digests, password reset, account notifications)	Account email; email body	US (us-east-1)
Vercel	App and marketing site hosting	Standard HTTPS request logs	US (pdx1)
Railway	Postgres database and worker process	Account data, brand data, prompts, scan results	US (us-west2)
Cloudflare R2	Report PDF storage	Generated reports	Global edge
Sentry	Error monitoring	Stack traces, request metadata	US

Note on Microsoft Copilot: BD GEO Tracker does not integrate directly with Microsoft Copilot. Copilot-style answers are emulated by combining a Bing search via SerpAPI with an answer generated by OpenAI GPT-4o, so results are representative of Copilot output rather than fetched from the Microsoft Copilot product itself.

Annex D. Standard Contractual Clauses (Module 2)

The Commission Implementing Decision (EU) 2021/914 Module 2 (controller-to-processor) text applies to in-scope transfers, with Annexes I.A (parties), I.B (description of transfer), I.C (supervisory authority), II (technical and organizational measures), and III (list of sub-processors) populated on request. Email privacy@bdgeotracker.com for the populated SCC package.

Annex D-1. UK IDTA / Addendum

The UK ICO Addendum to the EU SCCs applies for transfers originating in the United Kingdom, with Tables 1–4 populated on request.

How to countersign

If you require a countersigned PDF of this DPA on your standard paper, email privacy@bdgeotracker.com with your company name, registered address, and the email of your signatory. We will return a countersigned PDF within 5 business days.