Legal
Last updated: 24 April 2026 — UK GDPR & Data Protection Act 2018
This notice explains how Geoptiq processes personal data of individuals located in the United Kingdom, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR).
It supplements our full Privacy Policy. Where the two differ, the Privacy Policy describes our overall practices; this notice provides the disclosures required under Articles 13 and 14 UK GDPR for UK data subjects.
Data Controller
Geoptiq Teknoloji A.Ş.
Levent, Istanbul / Türkiye
[email protected]
UK Representative (Art. 27 UK GDPR)
Because the controller is established outside the UK, a UK representative will be appointed where required by Art. 27 UK GDPR. Until one is designated, UK data subjects may contact the controller directly at [email protected] and we will respond within statutory timeframes.
Data Protection Officer (Art. 37 UK GDPR)
Geoptiq is not required to appoint a DPO under Art. 37(1) UK GDPR. Privacy matters are handled by our privacy team at [email protected].
- Account data: first name, last name, email, company, hashed password.
- Service-usage data: analyses created, tracked keywords, reports, visibility scores, project settings.
- Technical data: IP address, user-agent, device and browser type, access timestamps, session identifiers.
- Billing data: plan, invoices and payment status. Card details are processed directly by Stripe and never stored on our servers.
- Communications data: support requests, emails and in-product messages.
- Marketing data: email preferences, cookie and product-analytics signals (only where you have consented).
We do not knowingly collect special category data (Art. 9 UK GDPR) or criminal-offence data (Art. 10).
- Performance of a contract — Art. 6(1)(b): creating and managing your account, providing the service, running analyses, handling payments and invoices, and providing customer support.
- Legitimate interests — Art. 6(1)(f): securing the service, preventing fraud and abuse, debugging, aggregate product analytics, improving features, enforcing our terms, and direct B2B marketing to existing customers (the “soft opt-in” under reg. 22(3) PECR). You may object at any time (see §8).
- Legal obligation — Art. 6(1)(c): accounting, tax and invoicing records, and responding to lawful requests from public authorities.
- Consent — Art. 6(1)(a) & reg. 6 PECR: non-essential cookies, product analytics (Microsoft Clarity) and marketing emails to prospects. You can withdraw consent at any time without affecting prior lawful processing.
We share personal data only with service providers acting as processors under a written agreement (Art. 28 UK GDPR). Our current sub-processors are:
- Google Cloud Platform — hosting, databases, storage (UK / EU / US)
- Google Vertex AI — LLM infrastructure (EU)
- Firebase Authentication — identity & session management (US)
- Stripe — payment processing (Ireland / US)
- OpenAI — LLM API for analyses (US)
- Mailgun / Gmail SMTP — transactional email (US)
- Microsoft Clarity — product analytics, consent-based (US)
- Cloudflare — CDN and DDoS protection (global)
We may also disclose personal data to UK or foreign authorities where legally compelled, and to acquirers or successors in the event of a merger or acquisition. An up-to-date list of sub-processors is maintained on this page.
Because the controller is established in Türkiye and some sub-processors are located outside the UK, your personal data may be transferred out of the UK. We rely on one or more of the following safeguards under Articles 44–49 UK GDPR:
- UK adequacy regulations, where the destination country has been recognised as providing an adequate level of protection (e.g. the EEA and countries listed by the Secretary of State);
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- The UK Extension to the EU-US Data Privacy Framework (the “UK Data Bridge”) for certified US recipients;
- Supplementary technical and organisational measures (encryption in transit and at rest, access controls, data minimisation).
A copy of the applicable safeguards is available on request from [email protected].
We retain personal data only for as long as necessary for the purposes described above:
- Account data: for the life of the account, plus 30 days after a deletion request.
- Billing and tax records: 6 years (UK HMRC record-keeping requirements).
- User-generated content (analyses, reports): until you delete it or close your account.
- Server and access logs: 90 days.
- Inactive trial accounts: auto-deleted after 12 months of inactivity.
- Marketing consent: until you opt out.
After the applicable period, data is deleted or irreversibly anonymised.
Subject to the conditions in the UK GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erase your data, the “right to be forgotten” (Art. 17);
- Restrict processing in certain cases (Art. 18);
- Data portability in a structured, machine-readable format (Art. 20);
- Object to processing based on legitimate interests or direct marketing (Art. 21);
- Not be subject to decisions based solely on automated processing with legal or similarly significant effects (Art. 22);
- Withdraw consent at any time, without affecting prior lawful processing (Art. 7(3)).
To make a request, email [email protected]. We respond free of charge within one calendar month (extendable by up to two further months for complex or numerous requests; we will tell you if that applies). We may ask for information to verify your identity.
Geoptiq does not carry out solely automated decisions producing legal effects or similarly significantly affecting you (Art. 22 UK GDPR). Analysis outputs are informational and intended to be reviewed by a human.
We collect personal data directly from you (when you sign up, use the service or contact us) and automatically through your use of the service (technical and service-usage data). We do not purchase personal data from data brokers.
In line with PECR, we group cookies into four categories:
- Strictly necessary: session and security. No consent required (reg. 6(4) PECR).
- Functional: language preference, UI settings.
- Analytics: product usage (Microsoft Clarity). Consent-based and off by default in the UK.
- Marketing: not used.
You can change your cookie preferences at any time through the cookie banner or your browser settings.
In line with Articles 33 and 34 UK GDPR, we notify the Information Commissioner’s Office (ICO) of personal-data breaches within 72 hours of becoming aware of them where required, and inform affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Geoptiq is a B2B service not directed at children. We do not knowingly collect personal data from anyone under 13 in the UK (the UK GDPR digital-consent age). If you believe a child has provided us with personal data, please contact [email protected] so we can delete it.
If you are concerned about our handling of your personal data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (Art. 77 UK GDPR):
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk/make-a-complaint
We would appreciate the opportunity to address your concerns directly before you approach the ICO — please contact us first at [email protected].
We may update this notice to reflect changes in law or our practices. Material changes will be announced by email or in-product notice at least 14 days before they take effect. The “Last updated” date at the top always reflects the latest revision.
For any question about this notice or your personal data, write to [email protected].