Legal

Privacy Policy

Last updated June 2026

GoBlinkly provides a fully managed Answer Engine Optimization (AEO) and SEO service for business clients. Protecting the information our clients entrust to us is fundamental to how we operate. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights available to you.

We comply with applicable privacy laws, including Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union's General Data Protection Regulation (GDPR), and applicable U.S. state privacy laws including the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA).

Privacy Officer (Person in Charge of the Protection of Personal Information):
Email: privacy@goblinkly.com

1. Scope of This Policy

This policy applies to:

  • Clients — businesses and professional entities that engage GoBlinkly for our managed AEO and SEO services, and their authorized representatives. We do not offer our services to individual consumers.
  • Prospective clients — individuals who book a discovery call, request a competitor visibility audit, or otherwise contact us about our services.
  • Website visitors — individuals who browse goblinkly.com.

References to "you" in this policy refer to the individuals in these categories.

2. Information We Collect

We collect only the information necessary to deliver, improve, and market our services.

2.1 Account and Contact Information

  • Full name, business email address, and role of authorized representatives
  • Company or brand name and website URL(s)
  • Records of our communications with you (emails, meeting notes, strategy call summaries)

2.2 Prospective Client Information

When you book a discovery call or request a free competitor visibility audit, we collect your name, business email address, company name, and the information you choose to share about your business and goals. Call scheduling is handled by a third-party booking provider, which processes your booking details under its own privacy policy.

2.3 Brand and Business Materials

To deliver the service, clients provide materials such as brand guidelines, target audience descriptions, product and service documentation, positioning information, and access to website content. These materials are used solely to perform the engagement.

2.4 Platform Access and OAuth Tokens

To optimize and publish to your website and to access your analytics platforms (such as Google Analytics 4 and Google Search Console), we use secure authorization methods, including OAuth 2.0 where supported. We do not ask for, collect, or store your account passwords where an OAuth flow is available. Instead:

  • We obtain and securely store OAuth access and refresh tokens that you grant through the relevant platform's authorization screen
  • Tokens are stored encrypted and are used solely to perform the work you have authorized
  • Where a platform requires credential-based access that you choose to provide, those credentials are stored encrypted in a dedicated secrets management system and access is restricted to personnel who need it to perform the engagement

2.5 Analytics and Performance Data

When you connect your analytics accounts, we import and store performance data (such as page views, traffic sources, impressions, keyword data, and click-through rates) to measure results and inform strategy.

We also collect AI citation data: we run buyer-intent queries against AI answer engines (such as ChatGPT, Claude, Perplexity, and Gemini) and record whether and how your brand and your competitors are cited. This data generally relates to companies and brands rather than individuals, and is used to populate your citation dashboard and guide the engagement.

2.6 Google User Data — Specific Disclosure

GoBlinkly integrates with Google services (Google Analytics 4 and Google Search Console) via OAuth 2.0. The following applies specifically to data obtained through Google APIs:

  • What we access: Website performance data from your GA4 property (page views, sessions, traffic sources, engagement metrics) and search performance data from your GSC account (queries, impressions, click-through rates, indexing data).
  • How we access it: Only after you explicitly authorize GoBlinkly through Google's OAuth consent screen. We request only the minimum scopes necessary.
  • How we use it: Solely to measure and report performance for your engagement and to inform your AEO and SEO strategy. We do not use Google user data for any other purpose.
  • How we store it: Imported Google data is stored encrypted in our database. OAuth access and refresh tokens are stored separately with additional encryption.
  • Sharing: We do not sell, share, transfer, or disclose your Google user data to any third party, except as required by law.
  • Retention and revocation: Google-sourced data is retained while your engagement is active. You may revoke GoBlinkly's access at any time via your Google Account settings at myaccount.google.com. Upon revocation or account closure, this data is deleted within 60 days.

GoBlinkly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2.7 Payment Information

Payments are processed by Stripe, Inc., a third-party payment processor. We do not collect, store, or process your full credit card numbers or banking details. Stripe processes payment information in accordance with its own privacy policy, available at https://stripe.com/privacy. We receive and store only transaction confirmation records, invoices, and billing metadata (such as subscription status, payment date, and amount).

2.8 Website Visitor Data

When you visit goblinkly.com, we and our analytics providers collect standard usage information through cookies and similar technologies, including pages viewed, referral source, approximate location (city level), device and browser type, and interactions with the site. We use Google Analytics and related analytics tools for this purpose. You can control cookies through your browser settings; the site remains usable with non-essential cookies disabled.

3. How We Collect Information

  • Directly from you, when you book a call, sign up, communicate with us, or provide materials and access
  • Through authorized connections to your platforms (CMS, GA4, GSC and similar), once you grant access
  • From AI answer engines and public web sources, when we research your category and track citations
  • From Stripe, upon payment transactions
  • Automatically, through cookies and analytics when you visit our website

4. How We Use Your Information

  • To deliver the engagement: research, content production, website optimization, publishing, off-site authority building, and citation tracking
  • To create and manage your account and report results to you
  • To process payments and manage your subscription through Stripe
  • To communicate with you about your engagement, updates, and support
  • To respond to inquiries and provide requested audits to prospective clients
  • To improve, secure, and optimize our services and website
  • To comply with legal obligations and enforce our Terms and Conditions
  • To detect and prevent fraud, unauthorized access, or security incidents

We do not use your confidential business materials to provide services to other clients, and we do not sell your personal information.

5. Legal Basis for Processing (GDPR — EU/EEA and UK Clients)

If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under Article 6 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)): Processing account information, business materials, access tokens, and performance data is necessary to deliver the service you have contracted for.
  • Legitimate interests (Art. 6(1)(f)): Service improvement, security monitoring, and business development, where our interests are not overridden by your rights.
  • Legal obligation (Art. 6(1)(c)): Compliance with applicable Canadian, EU, or U.S. law.
  • Consent (Art. 6(1)(a)): Where we rely on consent (such as marketing emails), you may withdraw it at any time without affecting the lawfulness of prior processing.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

  • Service providers (processors): Stripe (payment processing); Amazon Web Services (cloud hosting, database, and storage, on servers located in Canada); our booking and scheduling provider (call bookings); and email and communication tools used to deliver updates and reports. These providers process data under our instructions and contractual safeguards.
  • Third-party publishers and platforms: As part of off-site authority building and digital PR, we may share your company name, brand information, and approved content with third-party publications and platforms. We do not share personal information of your representatives for this purpose without consent.
  • Legal requirements: We may disclose information if required by law, court order, or governmental authority, or to protect our legal rights.
  • Business transfers: In the event of a merger, acquisition, or sale of substantially all assets, your information may be transferred. We will notify you by email and/or prominent notice on our website before such a transfer takes effect.

7. International Data Transfers

GoBlinkly is based in Montreal, Quebec, Canada. Client data is stored and processed on Amazon Web Services infrastructure physically located in Canada.

Canada is recognized by the European Commission as providing an adequate level of data protection for commercial organizations subject to PIPEDA, an adequacy decision that was reviewed and maintained by the Commission in 2024. Transfers of personal data from the EEA to GoBlinkly therefore do not require additional safeguards such as Standard Contractual Clauses.

Where personal information is communicated outside Quebec, we conduct the assessment required under Quebec's privacy legislation to confirm it will receive adequate protection.

8. Data Retention

We retain information for as long as your engagement is active or as needed to provide the service. Specific retention periods:

  • Account and contact information: Duration of the engagement, plus 1 year after closure to meet legal and contractual obligations.
  • Brand and business materials: Duration of the engagement. Deleted within 90 days of closure, or earlier on request.
  • OAuth tokens and access credentials: For as long as the connection is active. Revoked or expired tokens are deleted promptly.
  • Analytics and citation data: Duration of the engagement, to support historical reporting. Deleted within 90 days of closure.
  • Payment and billing records: 7 years, in accordance with Canadian tax record-keeping requirements.
  • Prospective client information: Up to 2 years from last contact, unless you ask us to delete it sooner.

9. Your Rights

Depending on your location, you have the following rights. To exercise any of them, contact privacy@goblinkly.com. We respond to all requests within 30 days.

9.1 Rights for All Individuals (Quebec Law 25 / PIPEDA)

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information, subject to legal retention obligations.
  • Withdrawal of consent: Withdraw consent at any time where processing is based on consent.
  • Data portability: Request computerized personal information you provided to us in a structured, commonly used technological format.
  • Complaint: You may lodge a complaint with the Commission d'accès à l'information du Québec (CAI) or the Office of the Privacy Commissioner of Canada (OPC).

9.2 Additional Rights for EU/EEA and UK Clients (GDPR)

  • Restriction of processing in certain circumstances
  • Data portability under Article 20 GDPR
  • Objection to processing based on legitimate interests
  • Complaint to your local data protection authority (a list of EU DPAs is available at https://edpb.europa.eu)

9.3 Additional Rights for California Residents (CCPA/CPRA)

  • Right to know the categories and specific pieces of personal information collected, the sources, the business purposes, and the categories of third parties with whom it is shared
  • Right to delete, subject to exceptions
  • Right to correct inaccurate personal information
  • Right to non-discrimination for exercising your rights

We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

10. Security

We implement technical and organizational measures appropriate to the sensitivity of the information we hold, including:

  • Encryption of data in transit using TLS
  • Encryption of sensitive data at rest, including OAuth access and refresh tokens
  • Role-based access controls limiting access to client data on a need-to-know basis
  • Secure storage of credentials and secrets in a dedicated secrets management system
  • Regular security reviews and vulnerability assessments

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Breach notification: In the event of a confidentiality incident involving personal information that presents a risk of serious injury, we will notify the Commission d'accès à l'information du Québec and affected individuals as required by Quebec law, the Office of the Privacy Commissioner of Canada as required by PIPEDA, and, for EU personal data, the competent supervisory authority within 72 hours as required by GDPR. Where an incident affects data connected through a third-party platform integration, we will also notify that platform as required by its developer policies.

11. Children's Privacy

Our services are intended solely for business use by adult representatives of commercial entities. They are not directed to individuals under 18, and we do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected information from a minor, we will delete it promptly.

12. Third-Party Links

Our website and services may link to third-party websites and services (such as Stripe, Google, or our booking provider). We are not responsible for their privacy practices and encourage you to review their policies before providing personal information.

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. For material changes, we will notify clients by email at least 30 days before the change takes effect, and post the updated policy with a revised "Last Updated" date. Continued use of the services after the effective date constitutes acceptance. If you do not agree, you may close your account before the change takes effect.

14. Governing Law

This Privacy Policy is governed by the laws of the Province of Quebec and the federal laws of Canada applicable therein, without regard to conflict-of-law principles. For EU/EEA individuals, the GDPR also applies; for California residents, the CCPA/CPRA also applies.

15. Contact Us

For questions, requests to exercise your rights, or concerns about this policy:

GoBlinkly — Montreal, Quebec, Canada
Privacy Officer: privacy@goblinkly.com
General inquiries: info@goblinkly.com

We aim to respond to all privacy requests within 30 days.