Privacy policy
Linter Pty Ltd (trading as GetRecommended.io) | ABN: 38 118 261 108
Version 1.2 | Effective date: 11 June 2026 | Last reviewed: 14 June 2026
Independence notice
GetRecommended.io is independent and is not affiliated with, endorsed by, sponsored by, or in any way connected to OpenAI (ChatGPT), Google (Gemini, AI Overview, AI Mode), Perplexity, Anthropic (Claude), xAI (Grok), Yelp, Trustpilot or any other platform or AI engine named in our reports. All third-party names and marks are the property of their respective owners and are used solely to identify the services our product analyses.
1. Who we are
GetRecommended.io is operated by Linter Pty Ltd (ABN: 38 118 261 108), trading as GetRecommended.io, a company incorporated in New South Wales, Australia (“we”, “us”, “our”). We provide AI-visibility reports and related services to business customers via our website at getrecommended.io.
Questions about this policy or requests to exercise your privacy rights should be directed to:
Email: privacy@getrecommended.io
We aim to respond to all privacy requests within 30 days.
2. Scope of this policy
This policy applies to:
- visitors to getrecommended.io (“the website”);
- customers who purchase or use our AI Visibility Reports or any other product or service we offer (“the Service”); and
- any person whose personal information we process in connection with the above.
This policy does not apply to third-party websites we link to. Those sites have their own privacy policies and we are not responsible for their practices.
3. Our data posture — what we do and do not collect
Our product is designed around a single foundational rule: we describe businesses, not people.
3.1 Business data — what we collect and retain
When we scan AI engines and third-party sources to produce a report, we collect and store business-level facts only, including:
- business name, website URL, and industry or category;
- city and region (not street address);
- aggregate AI-engine citation counts and citation patterns;
- average star rating and total review count (not individual reviews);
- date of most recent review;
- presence or absence of website features (privacy policy, schema markup, on-site testimonials, etc.);
- social-platform follower counts and page existence; and
- technical performance indicators.
3.2 Personal data — what we strip at ingestion
Before any third-party scan data is stored, rendered or logged, we apply a mandatory personal-data filter. The following categories are stripped and never retained:
- individual names (including staff, practitioners or business-owner names found on competitor pages);
- reviewer names and individual review text;
- business-owner response text;
- email addresses, phone numbers and physical street addresses of individuals;
- profile photographs and any face images; and
- personal social-media handles and personal profile URLs.
Special case: sole traders and personal-brand businesses.Where the scanned business operates under a person’s name (for example, a sole trader), we retain that name solely as the business entity label. We do not attach any personal attributes, biography, photograph or evaluative statement to the individual. We honour removal requests for sole-trader records promptly — see section 9.
3.3 Customer account data — what we collect from you
When you create an account, purchase a report or contact us, we collect:
- your name and email address;
- your business name;
- payment-method information (processed directly by Stripe — we receive a transaction reference only, not your card details);
- your approximate location (country and state, for pricing and legal compliance);
- IP address (retained for 12 months for consent provenance and rate-limiting); and
- communications you send us (support queries, feedback, correction requests).
4. How we collect personal information
We collect personal information through the following means:
- Directly from you: when you create an account, complete the scan request form, make a purchase, subscribe to marketing communications, or contact us.
- Automated website technologies:session cookies and server logs. We use Plausible Analytics for cookieless, aggregated website analytics — no personal data is collected and no cookie is set. See section 11.
- Licensed data sources and APIs: business-level data is collected via official APIs and licensed data feeds where they exist, including Google Places API, SearchAPI, and the commercial APIs of each AI engine we query. No personal data is transmitted in these queries.
- First-party web crawler:we use a headless Chromium browser to crawl the websites of scanned businesses and their competitors — up to 25 pages per site. The crawler respects robots.txt and does not bypass access controls or authentication. It collects page content and technical metadata to assess website quality; personal data encountered during crawling is stripped at ingestion (see section 3.2).
- Third-party platforms: publicly accessible business information from review aggregators and business directories, subject to the data-minimisation and personal-data-stripping rules in section 3.
4.1 Data collected about non-clients (competitor businesses)
Our reports include data about competitor businesses that have not purchased our Service and have not directly interacted with us. We collect this data to provide our customers with a meaningful market comparison. The specific data collected about non-client businesses, and the methods used, are as follows:
| Data collected | Method / provider | What is retained |
|---|---|---|
| AI-engine citation counts and citation patterns | Queries to OpenAI, Anthropic, Google Gemini, xAI and Perplexity APIs; Google AI Overview via SearchAPI | Counts and presence/absence — no verbatim AI output retained |
| Aggregate star rating and total review count | Google Places API; Trustpilot (public review page) | Average rating and count only — no individual reviewer names or review text |
| Website content and technical performance | First-party headless Chromium crawler (up to 25 pages); Google PageSpeed Insights API | Structured metadata — personal data stripped at ingestion |
| Public social-profile follower counts and page existence | SearchAPI (Instagram, Facebook, TikTok, YouTube public data) | Follower counts and page existence only — no post content or individual identifiers |
| Web mentions and directory listings | SearchAPI (Google web search) | Presence/absence of listings; no verbatim content copied |
Legal basis for non-client data collection. We collect business-level data about non-client competitors on the basis of legitimate interests: providing our customers with accurate, publicly available market context is a proportionate purpose, and the personal-data filter (section 3.2) means individual privacy interests are not materially affected. Businesses or sole traders wishing to request removal of their data may do so at privacy@getrecommended.io— see section 9.5.
5. Why and how we use your personal information
We use personal information only for the purposes set out below.
| Purpose | Legal basis | Data used |
|---|---|---|
| Provide the Service — produce and deliver your AI Visibility Report. | Contract performance | Name, email, business name, payment reference. |
| Process payments and maintain financial records. | Contract performance; legal obligation | Name, email, transaction reference, country. |
| Create and manage your account. | Contract performance | Name, email, password hash. |
| Respond to your enquiries and provide customer support. | Contract performance; legitimate interests | Name, email, communications. |
| Send transactional emails (order confirmation, report delivery, account notices). | Contract performance | Name, email. |
| Send marketing communications about our products and services. | Consent (you can withdraw at any time — see section 9) | Name, email. |
| Improve, develop and maintain the Service. This analysis operates on aggregated, de-identified data only; individual usage records are not retained or reviewed for this purpose. | Legitimate interests | Aggregated, de-identified usage data. |
| Produce aggregated, de-identified insights for research and publication. | Legitimate interests (see section 6) | Aggregated scan data — not personal. |
| Manage the affiliate / partner referral program. | Contract performance; legitimate interests | Affiliate name, email, referral attribution. |
| Prevent fraud, abuse and enforce our Terms of Service. | Legitimate interests; legal obligation | IP address, account data. |
| Comply with legal obligations (tax, regulatory, dispute resolution). | Legal obligation | Transaction records, account data. |
| AHPRA-sector caution: we flag AHPRA advertising rules to regulated health clients. | Legitimate interests | Industry category flag only. |
6. Aggregated insights for research and publication
We analyse data from scans to produce aggregated, de-identified insights about how AI search engines recommend businesses. We use these insights to improve our product and to publish research and educational content.
Before anything is used or published it is aggregated and de-identified so it cannot identify you, your business or any individual. We only publish findings drawn from datasets large enough to prevent identification (a minimum of 20 to 30 businesses per published segment, with no cell that isolates one entity).
We do not sell your personal information and we do not share it with other organisations for their own purposes.
7. Who we share personal information with
We do not sell personal information. We share personal information only in the following circumstances.
7.1 Sub-processors
We use the following service providers who process data on our behalf. All sub-processors are bound by contractual data-processing obligations consistent with applicable privacy law.
Core infrastructure
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Name, email, transaction reference | United States |
| Supabase | Database, user authentication, session storage | Account data, report metadata, consent records | Australia |
| Vercel | Website hosting, serverless functions, file/PDF storage (Vercel Blob) | IP address, session data, report PDFs | United States / Global CDN |
| Inngest | Background job orchestration (async report generation, email triggers) | Business/competitor data in-flight during processing | United States |
| Cloudflare | CDN, DDoS protection, DNS | IP address, request metadata | United States / Global |
| Resend | Transactional and marketing email delivery | Name, email address | United States |
| Mux | Video hosting and playback | IP address, playback metadata | United States |
Analytics and growth
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Plausible Analytics | Cookieless, privacy-friendly website analytics. No personal data collected; no cookie set. | Aggregated page-view data only — not personal data | European Union |
| Refgrow | Affiliate and referral program management | Affiliate name, email, and referral attribution data | United States |
Data collection — business-level queries only
The following providers receive business names and search queries as part of the scanning process. No personal data is transmitted. They do not store personal information on our behalf.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| SearchAPI | Google AI Overview, AI Mode, Maps reviews, social profile data | Business name / search query only | United States |
| Google Places API / PageSpeed | Business profile data and technical performance of scanned sites | Business name / query string only | United States |
AI / LLM providers — scan engines. Each provider receives the search query and business name during a scan. Per their published terms, API inputs are not used for model training. We use commercial API agreements with each provider.
| Provider | Engine | Data sent | Location |
|---|---|---|---|
| OpenAI | ChatGPT | Search query, business name | United States |
| Anthropic | Claude (scan engine + report analysis) | Search query, business name | United States |
| Google (Gemini API) | Gemini | Search query, business name | United States |
| xAI | Grok | Search query, business name | United States |
| Perplexity | Perplexity Sonar | Search query, business name | United States |
7.2 Other disclosures
We may also disclose personal information:
- to law enforcement, regulators or courts where we are legally required to do so;
- to professional advisers (lawyers, accountants, auditors) bound by confidentiality obligations;
- to a successor entity if we sell or transfer all or part of our business (we will notify you in advance); or
- with your explicit consent.
8. How long we keep your information
We retain personal information only for as long as necessary for the purposes set out in this policy, or as required by law.
| Data category | Retention period | Notes |
|---|---|---|
| Customer account + report data (personal fields) | Relationship + 2 years after last activity | Resets on each purchase. On dormancy, name, email and regional details are deleted. |
| Transaction and tax records | 7 years from the transaction date | Covers the longest tax obligation across our markets. Retained even if the account is deleted. |
| Consent records (text version, timestamp, IP) | Life of consent + up to 6 years | Retained to evidence compliance within limitation periods. |
| IP addresses | 12 months | Used solely for consent provenance and abuse control. |
| Marketing email and name (after unsubscribe) | Suppression entry only (email hash) | Purpose ends at unsubscribe. Minimal record kept to prevent re-subscription in error. |
| Third-party business data (scan data) | Per platform terms — refreshed, not archived | Google Places and data-vendor caching limits apply. We comply with all TTL requirements. |
| Aggregated, de-identified insights | Indefinite | Not personal data; no retention limit applies. |
9. Your privacy rights
You have the following rights in relation to your personal information. To exercise any right, contact us at privacy@getrecommended.io. We will respond within 30 days.
9.1 Access
You may request a copy of the personal information we hold about you.
9.2 Correction
You may ask us to correct inaccurate or incomplete personal information. If a business appearing in one of our reports contains factually incorrect data, you may also request a correction via the same address.
9.3 Deletion / erasure
You may ask us to delete your personal information. We will do so unless we are required to retain it by law (for example, transaction records for tax purposes) or where retention is necessary to resolve a dispute or enforce our terms.
9.4 Withdrawal of consent
Where we process your personal information based on consent (for example, marketing emails), you may withdraw that consent at any time by clicking the unsubscribe link in any marketing email or by contacting us. Withdrawal does not affect the lawfulness of processing before the withdrawal.
9.5 Removal of business / sole-trader records
If your business name appears in a report and you are a sole trader or personal-brand operator, you may request removal of that record. We will process removal requests promptly.
9.6 Objection and restriction
You may object to or ask us to restrict certain processing, in particular processing based on legitimate interests. We will consider your objection and respond within 30 days.
9.7 Data portability (where applicable)
Where we process your personal information on the basis of consent or contract by automated means, you may request a copy of your data in a structured, commonly used, machine-readable format.
9.8 Complaints
If you are not satisfied with how we handle your personal information, you may lodge a complaint with the relevant regulator:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
- New Zealand: Privacy Commissioner — privacy.org.nz
- United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
- Canada: Office of the Privacy Commissioner — priv.gc.ca
- United States: Federal Trade Commission (FTC) — ftc.gov, or the relevant state attorney-general
10. How we protect your information
We take reasonable technical and organisational measures to protect personal information from unauthorised access, loss, misuse, disclosure or destruction, including:
- encryption in transit (TLS) and at rest;
- access controls limiting data access to personnel who need it;
- regular review of our security posture; and
- a breach-response plan, including notification procedures for each jurisdiction where we operate.
No system is completely secure. If you believe your data may have been compromised, please contact us immediately at privacy@getrecommended.io.
11. Cookies and tracking technologies
We use cookies and similar technologies only for the following purposes:
| Cookie type | Purpose | Duration |
|---|---|---|
| Strictly necessary | Session management, authentication, security (CSRF tokens). Set by Supabase (auth) and Stripe (payment fraud prevention). | Session / up to 12 months |
| Functional | Remember your preferences (logged-in state, region). | Up to 12 months |
Analytics: cookieless and privacy-friendly. We use Plausible Analytics for website analytics. Plausible does not set any cookies, does not collect personal data, and does not track visitors across sites. All data is aggregated. No cookie consent banner is required for Plausible. If we ever add cookie-based analytics, this policy and our cookie banner will be updated and your consent will be sought first.
You may control cookies through your browser settings. Disabling strictly-necessary cookies may affect your ability to use the Service.
12. AI-generated content
Elements of our reports and website content (including some blog posts) may be generated or assisted by AI tools. Reports are produced by an automated AI workflow with no human review before delivery — you are informed of this at checkout. Blog content is drafted by an AI workflow with editorial review by our team. If your report contains anything that looks incorrect, please contact us at hello@getrecommended.io and we will review it directly.
13. International data transfers
Our sub-processors are primarily located in the United States and the European Union (Plausible). Our primary database (Supabase) is hosted in Australia. When we transfer personal information outside Australia, we take steps to ensure an adequate level of protection is maintained, including contractual data-processing obligations in our agreements with each sub-processor.
14. Jurisdiction-specific notices
The following notices apply in addition to the above, depending on where you are located.
14.1 Australia
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You may request access to, or correction of, your personal information by contacting us at privacy@getrecommended.io. If you are dissatisfied with our response, you may complain to the OAIC at oaic.gov.au.
Health-sector note:If you are a regulated health service provider (for example, a practitioner under AHPRA), please note that AHPRA’s advertising guidelines prohibit certain types of testimonials in advertising for regulated health services. Our report may flag this requirement. Confirm any review-solicitation or testimonial strategy against your professional advertising obligations before acting.
14.2 New Zealand
We handle personal information of New Zealand residents in accordance with the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs), including IPP3A (in force 1 May 2026) on indirect collection notification. If we collect personal information about you indirectly (for example, from a business directory), we will take reasonable steps to make you aware of that collection. You may direct access, correction and complaint requests to us or to the New Zealand Privacy Commissioner at privacy.org.nz.
14.3 Canada
We handle personal information of Canadian residents in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, including Law 25 for Quebec residents. We collect and use personal information only with your consent or where a recognised legal exception applies. Quebec residents may have additional rights under Law 25, including data portability and the right to be informed of automated decision-making. Direct requests to privacy@getrecommended.io.
14.4 United Kingdom
We handle personal information of UK residents in accordance with UK GDPR (as amended by the Data (Use and Access) Act 2025). Our lawful basis for processing is set out in section 5. Where we process UK-resident personal information on the basis of legitimate interests, we carry out and document a legitimate-interests assessment. You have the rights set out in section 9, and may complain to the ICO at ico.org.uk.
14.5 United States
We handle personal information of US residents in compliance with applicable state privacy laws, including the California Consumer Privacy Act (CCPA) / CPRA, and similar laws in Texas, Oregon and Vermont. California residents have the right to know what personal information we collect, to delete personal information, to opt out of the sale of personal information (note: we do not sell personal information), and to non-discrimination for exercising privacy rights. To submit a request, contact us at privacy@getrecommended.io.
We monitor state-law thresholds for data-broker registration in California, Texas, Oregon and Vermont and will register and update this policy if any threshold is triggered.
15. Changes to this policy
We may update this policy from time to time. When we make material changes, we will post the updated policy on our website with a new effective date and notify registered customers by email at least 14 days before the change takes effect. Your continued use of the Service after that date constitutes acceptance of the updated policy.
16. Version history
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | 11 June 2026 | Initial published version. Prepared in accordance with the Compliance Controls and Remediation Plan dated 11 June 2026. |
| 1.1 | 11 June 2026 | Pre-publication corrections: entity name updated to Linter Pty Ltd; sub-processor table revised (Upstash, Serper and Apify removed; Cloudflare, Plausible and Refgrow added; Supabase confirmed as Australia-hosted; AI providers and Inngest added for completeness). |
| 1.2 | 14 June 2026 | Gap-fill against the P0/P1/P2 remediation checklist: added section 4.1 covering data collected about non-client competitor businesses (per-data-type table + legitimate-interests basis); added the first-party headless Chromium web-crawler disclosure (section 4); clarified that service-improvement analysis operates on aggregated, de-identified data only (section 5). |
Cookies
For more detail on cookies, see our Cookie Policy.