Privacy Policy

Gofylo Technologies Private Limited ("Gofylo", "we", "us", or "our")

[Effective date: 29 May 2026]


1. Introduction & Scope

This Privacy Policy explains how Gofylo Technologies Private Limited, an India-incorporated private limited company, collects, uses, discloses, stores, and protects personal data when you visit our marketing site at https://gofylo.io, use our application at https://app.gofylo.io, interact with our API at https://api.gofylo.io, or otherwise use the Gofylo service (collectively, the "Service").

Gofylo is an autonomous SEO/GEO (generative-engine-optimization) content engine. It generates and auto-publishes SEO articles, tracks AI-search visibility across engines such as ChatGPT, Gemini, and Perplexity, and connects to a customer's content management system (CMS) (for example WordPress or Webflow) and to Google Search Console.

This Policy applies to:

  • Customers and account users of the Gofylo application;
  • Visitors to our marketing website; and
  • Users of our free, public tools, such as the AI Search Grader and the waitlist.

Gofylo is a business-to-business (B2B) product sold to businesses and professionals worldwide. Because our customers are global (across 150+ countries), this Policy includes specific provisions for the European Union and United Kingdom (GDPR/UK GDPR), for California (CCPA/CPRA), and for India (Digital Personal Data Protection Act, 2023).


2. Who We Are & How to Contact Us

Gofylo Technologies Private Limited is the data controller for personal data processed through the Service (and, where we process customer-uploaded content on a customer's behalf, we may act as a data processor — see Section 6).

  • Entity: Gofylo Technologies Private Limited
  • Registered office: [Registered office: City, State, India]
  • Privacy / data protection / support contact: support@gofylo.io

We use a single contact address — support@gofylo.io — for all privacy, data-protection, and general support inquiries. You may contact us at this address to exercise any of your rights described in this Policy.


3. What Data We Collect

We collect the following categories of data.

3.1 Account & Identity Data

  • Email address (used as your unique account identifier), name, and a securely hashed password (we store only a bcrypt hash — we never store your password in plaintext).

3.2 Google Account Data (via Google Sign-In and Google integrations)

Gofylo offers two distinct Google integrations, each a live feature using its own scopes:

(a) Google Sign-In (authentication). When you choose "Sign in with Google", we request the openid, email, and profile scopes. We receive your Google account email address, name, and profile picture, and use them to create or sign in to your Gofylo account. We do not receive your Google password.

(b) Google Search Console (optional, read-only data sync). When you connect Google Search Console, we request the openid, email, and https://www.googleapis.com/auth/webmasters.readonly scopes. We retrieve and store your search-analytics data — including per-query/per-day search queries, clicks, impressions, click-through rate (CTR), average position, and page URLs — together with the connected site URL and the connected Google account email.

See Section 8 for full detail on Google data and our Limited Use commitments.

3.3 Business Profile & Strategy Inputs

To personalize the content we generate, we collect business information you provide at onboarding and in settings, including: company name, company URL, company description, knowledge base, value proposition, industry, target audience, brand/tone of voice, products and services, your ideal-customer-profile (ICP) description and structured ICP attributes (role, company size, pain points, decision drivers), and your competitor list (competitor domains).

3.4 Site, Content & Usage Data

  • Publishing targets: your site URL, sitemap URL, blog URL, and top article URLs, used for crawling public pages, internal linking, and publishing. To analyze your site and validate links and sources, Gofylo makes outbound requests to public web pages — including your own homepage, sitemap, and discovered pages, as well as third-party source URLs and link targets we check on your behalf. Such requests carry URL data and are governed by the receiving sites' own terms.
  • Generated content: article titles, bodies, content blocks, schema markup, custom instructions, content plans, and keyword clusters that Gofylo produces for you.
  • Keyword & research data: keyword strings, search volume, difficulty, CPC, and SERP results used for content planning.
  • Usage data: information about how you interact with the Service, generated as you use it.

3.5 CMS Credentials (sensitive secrets)

When you connect a CMS to enable auto-publishing, we store the credentials you supply for your chosen platform, which may include: WordPress username and application password; Webflow API token and site/collection IDs; Notion token and database ID; Ghost admin API key; Shopify access token and store/blog identifiers; Wix API key and site ID; Framer API key and collection ID; or a generic webhook URL and secret.

These are long-lived secrets that grant write access to your website. We store them solely to publish generated content to the CMS you choose, at your direction. You can disconnect a CMS at any time.

3.6 Google Search Console Data

When you connect Google Search Console (read-only), we store the OAuth tokens for that connection and we retrieve and persist your search-analytics data — including per-query/per-day search queries, clicks, impressions, click-through rate (CTR), average position, and page URLs, along with the connected site URL and the connected Google account email. We use this to detect underperforming pages, surface "striking distance" opportunities, and power your dashboards. Disconnecting Search Console revokes and deletes the stored OAuth tokens but does not automatically purge previously retrieved analytics data; to request its deletion, contact support@gofylo.io. See Section 8.

3.7 Billing & Subscription Metadata

We store billing-related metadata only, such as your Dodo customer ID, Dodo subscription ID, plan tier, subscription status, founder-slot flag, and trial/billing-period dates. We also keep a log of billing webhook events (event ID, event type, organization ID) for idempotency and audit.

We do not store your card number, PAN, CVV, expiry, billing address, tax IDs, or invoices — those are handled by Dodo Payments as Merchant of Record (see Section 9).

3.8 Invitations

If you invite teammates to your organization, we process the invitee's email, an invitation token, and the inviter's email.

3.9 Backlink Exchange (customer-to-customer network)

Gofylo offers an optional Backlink Exchange network that lets participating customers exchange links with one another. Participation is opt-in. When you opt in:

  • You register your site domain and niche tags with the network.
  • Your registered domain and niche are made discoverable to other Gofylo customers in the network so the system can match potential link-exchange partners.
  • When you (or another participant) create a link-exchange request, we store the request details — including the target domain, the article URL/ID involved, and any free-text message you write — and we email a notification of the request to the counterparty (another Gofylo customer) so they can review and respond.

This feature involves disclosure of your data (domain, niche, article URL, and message) to other Gofylo customers in the network — not to a sub-processor. You can decline to participate, and you control what you submit. See Sections 4 and 6.

3.10 Public Tools (collected outside the authenticated app)

  • AI Search Grader: anyone may submit a domain and an optional email. We generate per-engine visibility scores and a publicly shareable report (identified by a share token). Any email you provide is used solely to deliver the report you requested.
  • Waitlist: we collect an email and an optional referral source, used to operate the waitlist and to notify you about availability. Any lifecycle/product email we send to a waitlist address is sent on the basis of our legitimate interests in the service relationship and includes a one-click unsubscribe; you may also opt out via support@gofylo.io.

4. How We Use Your Data

We use personal data to:

  • Provide the Service — create and authenticate your account, build your organization/workspace, and operate the application.
  • Generate and auto-publish content — use your business profile, ICP, and inputs to produce SEO/GEO articles and, where you enable it, publish them to your connected CMS.
  • Track AI-search visibility — query third-party AI/search engines using your domain and company description to score your visibility.
  • Power SEO analytics — process your Google Search Console data in-house to detect underperformers and opportunities and to populate dashboards.
  • Operate the Backlink Exchange (if you opt in) — match your site with other participating customers, surface potential link partners, store and route link-exchange requests, and email request notifications to the counterparty customer (see Section 3.9).
  • Manage billing and entitlements — gate features/quotas and process subscription state via Dodo (Merchant of Record).
  • Communicate with you — send transactional emails (publish notices, digests, alerts, invitations) and, on the basis of our legitimate interests in the service relationship, lifecycle/product emails. We do not maintain a marketing-consent checkbox in the product; every lifecycle/product email includes a one-click unsubscribe, and you may opt out at any time via support@gofylo.io.
  • Maintain, secure, and improve the Service — including diagnostics, abuse prevention, and product improvement.
  • Comply with law and enforce our Terms.

We do not use your business profile, ICP, or other Inputs to train or improve generalized AI/ML models. We do not use Google Search Console data to train or improve generalized AI/ML models, and we do not forward Google Search Console data to our AI sub-processors (see Sections 6 and 8). Our SEO analytics over Google Search Console data — including detection of underperforming pages and "striking distance" opportunities — are computed in-house and surfaced on your dashboard; we do not pass your Google Search Console data into AI generation prompts.


5. Legal Bases for Processing (GDPR / UK GDPR)

Where the EU GDPR or UK GDPR applies, we rely on the following legal bases:

Purpose | Legal basis
Creating and operating your account; providing the Service you signed up for; generating and publishing content you request | Performance of a contract (Art. 6(1)(b))
Connecting Google Search Console and processing the resulting data; connecting your CMS; participating in the Backlink Exchange | Performance of a contract, and your consent for the Google OAuth authorization (Art. 6(1)(a)/(b))
Billing, fraud prevention, securing and improving the Service, transactional communications | Legitimate interests (Art. 6(1)(f)) in running and protecting our business, balanced against your rights
Lifecycle/product emails related to the service relationship; waitlist availability notices | Legitimate interests (Art. 6(1)(f)) in the service relationship, with a one-click unsubscribe in every email and opt-out via support@gofylo.io
Retaining records and responding to legal claims | Legal obligation (Art. 6(1)(c)) and legitimate interests

You may withdraw consent at any time (for example, by disconnecting Google Search Console or leaving the Backlink Exchange), and you may object to lifecycle/product email at any time using the one-click unsubscribe in every such email or by contacting support@gofylo.io; withdrawal or objection does not affect processing carried out beforehand.


6. Sub-Processors & Third Parties

We share data with the following third-party service providers ("sub-processors") strictly to provide the Service. Each receives only the data necessary for its function. We do not sell your personal data.

Provider | Data it receives | Purpose
Dodo Payments (Merchant of Record) | Your name and email at checkout; organization/plan metadata; card details are entered on Dodo's hosted checkout and never reach Gofylo | Checkout, billing, invoicing, taxes, card processing, customer portal
Anthropic (Claude API) | Article topics and your business profile, ICP, value proposition, audience, and brand voice; article text for improvement | Article generation, AI replies, visibility scoring, keyword curation
OpenAI | The same profile/prompt content as above; image-generation prompts | Fallback article generation, AI cover-image generation, ChatGPT-visibility scoring
Perplexity | Your domain and company name/description in visibility prompts | AI-search visibility scoring
Google Gemini (Generative Language API) | Your domain and company name/description in visibility prompts | AI-search visibility scoring
DataForSEO | Keyword strings, competitor domains, and location/language codes (no personal data) | Search volume, difficulty, SERP, and competitor ranked-keyword data
OpenPageRank | Domain names only | Domain-authority ratings
Resend | Recipient email and name, article titles/URLs, digest metrics, Backlink Exchange request notifications | Transactional email (publish notices, digests, alerts, invitations, backlink-request notifications)
Loops | Email plus subscription-status/plan-tier contact properties and event names | Lifecycle/product email (with one-click unsubscribe)
Cloudflare R2 | Generated article cover images (no personal data) | Image hosting/CDN
Railway | All application data at rest and in transit | Backend application hosting and database
Vercel | Frontend application traffic | Frontend hosting
Google (Search Console API; OAuth / OpenID userinfo endpoint) | OAuth token and site URL (Search Console data flows inbound to Gofylo); the Google access token from your Sign-In or Search Console authorization | Retrieve your search-analytics (queries, clicks, impressions, position); read your Google account email, name, and profile picture (Sign-In) or the connected account's email (Search Console) for authentication and display in Settings — inbound Google data, not a transfer to an external third party. See Section 8

Customer-directed CMS destinations. When you enable auto-publishing, Gofylo sends generated article content and cover images to your chosen CMS (WordPress, Webflow, Ghost, Shopify, Notion, Wix, Framer, or a generic webhook) using the credentials you supplied. These are destinations you control and direct; your use of each platform is governed by that platform's own terms and privacy policy.

Customer-to-customer disclosure (Backlink Exchange). If you opt in to the Backlink Exchange (Section 3.9), your domain, niche tags, the article URL/ID you submit, and any message you write are disclosed to other Gofylo customers in the network for matching and link-exchange requests, and request notifications are emailed to the counterparty. This is a disclosure to other customers, not a sub-processor relationship.

Outbound validation requests. To analyze sites and validate links and sources, Gofylo also makes outbound HTTP requests to public web pages (including your own site and arbitrary third-party source/target URLs). These requests carry URL data only and are governed by the receiving sites' own terms (see Section 3.4).

Important: Google Search Console data is processed by us in-house and is not forwarded to the AI sub-processors (Anthropic, OpenAI, Perplexity, Gemini). Dodo Payments, as Merchant of Record for billing only, does not receive any Google API data.

We may also disclose data where required to comply with law, to enforce our agreements, to protect the rights, safety, or security of Gofylo or others, or in connection with a merger, acquisition, or sale of assets (with notice where required by law).


7. International Data Transfers

Gofylo is operated from India and uses sub-processors located in various countries, including the United States and the European Union. When we transfer personal data across borders — including from the EU/UK to India, the United States, or elsewhere — we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), or other lawful transfer mechanisms, together with supplementary measures where appropriate.

By using the Service, you understand that your data may be processed in countries that may not provide the same level of data protection as your home jurisdiction; we take steps to ensure it remains protected as described in this Policy. You may contact support@gofylo.io for more information about the transfer mechanisms we use.


8. Google User Data & Limited Use Disclosure

This section describes how Gofylo accesses, uses, stores, and shares data obtained from Google APIs, and applies in addition to the rest of this Policy.

8.1 Google data we access and the scopes we use

  • Google Sign-In — authentication (openid, email, profile): When you sign in with Google, we receive your Google account email address, name, and profile picture, and use them to create or sign in to your Gofylo account. We do not receive your Google password.
  • Google Search Console — read-only data sync (openid, email, https://www.googleapis.com/auth/webmasters.readonly): The webmasters.readonly scope is read-only. We access your verified site list and your Search performance data — including search queries, impressions, clicks, CTR, average position, and associated page URLs — and we read the email address of the connecting Google account to identify and display the connected account in your Settings. Gofylo never modifies your Search Console data; our access is strictly read-only.

8.2 How we use Google data

  • The Google Sign-In openid/email/profile data (email, name, profile picture) is used solely to create or sign in to your Gofylo account and to identify and display your account.
  • The Search Console openid/email data is used solely to identify and display your connected Google account in Settings.
  • Google Search Console data is used solely to provide and improve the prominent, user-facing SEO features of Gofylo — namely surfacing your search-visibility metrics, and detecting underperforming pages and "striking distance" opportunities, computed in-house and surfaced on your dashboard. It is not used for any other purpose, and it is not passed into AI generation prompts or forwarded to our AI sub-processors.

8.3 Storage of Google data

We store the OAuth access and refresh tokens for your Search Console connection, the connected site URL, the connected account email, and the search-analytics data we retrieve, on Gofylo's servers (api.gofylo.io) hosted by our infrastructure sub-processors (see Section 6). Google Search Console data is processed in-house and is not shared with our AI sub-processors. When you disconnect Search Console, we revoke and delete the stored OAuth tokens; the previously retrieved search-analytics data is not automatically purged on disconnect and is deleted upon a request to support@gofylo.io or on account closure (handled manually; see Sections 8.5 and 10).

8.4 Limited Use

Gofylo's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, consistent with the Limited Use requirements, data obtained from Google APIs (and any data derived from it) is not sold, not used for advertising, not transferred to data brokers, and not used for any credit or eligibility decisions. We do not transfer this data except as necessary to provide or improve the user-facing features described above, for security purposes, to comply with applicable law, or as part of a merger or acquisition with your explicit prior consent. We do not allow humans to read this data except (1) where you affirmatively consent to view specific data, (2) where necessary for security purposes, (3) where necessary to comply with applicable law, or (4) where the data is aggregated and anonymized and used for internal operations in accordance with applicable privacy and other laws. We do not use Google API data to train or improve generalized AI/ML models.

8.5 Revoking access and deleting Google data

You can disconnect Google Search Console from within Gofylo at any time. Disconnecting revokes and deletes the Google OAuth tokens stored by Gofylo, so we can no longer access your Search Console. To fully revoke the grant on Google's side, visit https://myaccount.google.com/permissions.

Disconnecting does not automatically purge the search-analytics data we previously retrieved. To request deletion of previously retrieved Search Console analytics data (or any other Google-derived data), contact support@gofylo.io; such deletion is handled manually by our team (see Section 17).


9. Payments — Dodo Payments (Merchant of Record)

Dodo Payments is the Merchant of Record for all Gofylo purchases. Dodo handles checkout, billing, invoicing, taxes (including VAT/GST/sales tax), and all card processing. Your card details are entered on Dodo's hosted checkout page and are never received or stored by Gofylo.

Gofylo stores only billing metadata (Dodo customer/subscription IDs, plan tier, subscription status, and period dates). Your purchase is also subject to Dodo's own terms and privacy policy, which govern how Dodo processes your payment data.

Our plan is a single subscription at $79/month (30 articles/month) with a 3-day free trial. A limited-availability promotional "founder" rate of $49/month may apply to early customers (reflected by the founder-slot flag described in Section 3.7); current pricing is shown on our pricing page. At signup, a $1 card-verification charge may be placed and is refunded immediately; it is a temporary authorization, not a payment.


10. Data Retention

We retain personal data for as long as your account is active and as needed to provide the Service, and thereafter only as required for legitimate business purposes (such as resolving disputes, enforcing agreements, and complying with legal obligations).

  • Account, business profile, content, and CMS credentials: retained for the life of your account; deleted or anonymized within a reasonable period after account closure, subject to legal retention needs.
  • Google Search Console tokens: the locally stored OAuth tokens are deleted as soon as you disconnect Search Console (so we can no longer access your data) or on account closure.
  • Google Search Console search-analytics data: the previously retrieved analytics data is not automatically purged when you disconnect Search Console; it is deleted on account closure or upon request to support@gofylo.io (handled manually).
  • Backlink Exchange data: your registered domain and niche, and any link-exchange requests and messages, are retained while you participate in the network and for a reasonable period thereafter for record-keeping, then deleted or anonymized.
  • Billing metadata: retained as needed for financial and legal record-keeping.
  • Public-tool data (Grader/waitlist): retained for as long as needed to operate the tool, generate shareable reports, and send service-related lifecycle/availability email, subject to your deletion and opt-out requests.

When you ask us to delete your data, we will do so unless we are required or permitted by law to retain it.


11. Security

We maintain reasonable security practices appropriate to the data we hold, including encryption of data in transit (HTTPS/TLS), access controls, and use of reputable infrastructure providers. Sensitive secrets such as CMS credentials and OAuth tokens are stored to enable the Service and are protected by access controls and encryption at rest. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a personal-data breach that affects you, we will notify you and the relevant authorities as required by applicable law.


12. Your Rights

12.1 GDPR / UK GDPR (EU/EEA and UK residents)

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your data ("right to be forgotten");
  • Restrict or object to certain processing (including processing based on legitimate interests, and direct marketing);
  • Data portability — receive your data in a structured, commonly used, machine-readable format;
  • Withdraw consent at any time where processing is based on consent; and
  • Lodge a complaint with a supervisory authority (see Section 16).

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.

12.2 CCPA / CPRA (California residents)

If you are a California resident, you have the right to:

  • Know / access the categories and specific pieces of personal information we collect, use, and disclose;
  • Delete personal information we hold about you;
  • Correct inaccurate personal information;
  • Opt out of the "sale" or "sharing" of personal information; and
  • Non-discrimination for exercising your rights.

We do not sell your personal data, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. Because we do not sell or share personal information, no "Do Not Sell or Share My Personal Information" action is required; you may nonetheless contact us to confirm this. We do not knowingly collect or sell the personal information of minors under 16.

You may exercise these rights, or use an authorized agent to do so, by contacting support@gofylo.io. We will verify your request before acting on it.

12.3 India (Digital Personal Data Protection Act, 2023)

If you are in India, Gofylo Technologies Private Limited is the Data Fiduciary for your personal data. We process your personal data based on your consent or another permitted lawful use under the Act. You may access, correct, or delete your personal data, withdraw consent previously given, or raise a privacy grievance, by emailing support@gofylo.io. The Service is intended for adults (18+).

12.4 How to exercise your rights

Email support@gofylo.io. Requests to access, export, correct, or delete your data are handled manually by our team via that address (see Section 17) — there is no self-service deletion endpoint yet. We will respond within the timeframes required by applicable law. There is generally no charge, though we may charge a reasonable fee or decline requests that are manifestly unfounded or excessive, as permitted by law.


13. Cookies & Analytics

We use cookies and similar technologies that are necessary to operate the Service — for example, to keep you signed in and to maintain session security. We may use a limited amount of first-party analytics to understand and improve how the Service is used. We do not use Google Search Console data, or other Google API data, for advertising, and we do not sell personal data collected via cookies. Where required by law, we will request your consent for non-essential cookies and provide controls to manage them; you can also manage cookies through your browser settings.


14. Children's Privacy

Gofylo is intended only for adults aged 18 and over and is not directed to children. We do not knowingly collect personal data from children. If we learn that we have collected a child's personal data without appropriate consent, we will delete it. If you believe a child has provided us personal data, contact support@gofylo.io.


15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective date" above and, for material changes, provide more prominent notice (for example, by email or an in-app notice). If we begin accessing categories of data not previously disclosed — for example, additional Google scopes — we will update this Policy and obtain any required consent before that access. Your continued use of the Service after an update takes effect constitutes acceptance of the revised Policy.


16. How to Contact Us & Complain

For any privacy question, to exercise your rights, or to raise a concern, contact us at:

  • Email: support@gofylo.io
  • Gofylo Technologies Private Limited, [Registered office: City, State, India]

Supervisory authorities. If you are in the EU/EEA or the UK, you have the right to lodge a complaint with your local data protection supervisory authority (in the UK, the Information Commissioner's Office). We would, however, appreciate the chance to address your concerns first, so we encourage you to contact us at support@gofylo.io before doing so.


17. How We Handle Data Requests

We are committed to honoring the rights described in this Policy. Today, requests to access, export, correct, delete, or erase your personal data — including any Google-derived data — are processed manually by our team when you email support@gofylo.io; there is no self-service deletion endpoint yet. Upon a verified deletion or account-closure request, we delete your account data, including business profile and content, CMS credentials, Google Search Console tokens and retrieved search-analytics data, Backlink Exchange registrations, and associated identifiers, except where we are required or permitted by law to retain certain records. We are continuing to build self-serve tooling for these requests; until then, the manual process above applies and we will act within the timeframes required by applicable law.


This Privacy Policy is provided for general information and is not legal advice.