A plain-English overview of how AEOlens stores, transmits, and protects the URLs and content you scan. No legal-form prose — just what we actually do.
Last updated 2026-06-06
AEOlens stores three categories of data: your account (email, name, hashed password if you signed up with password auth), your workspace state (organization details, members, project domains, scan history, simulation results), and page content we crawl for the URLs you submit.
We do not collect or process: payment-card numbers (handled by our payment processor — we never see them), end-user data from your customers, browsing history outside what you explicitly submit, or device fingerprints beyond standard server logs.
aeolens.ai and the API uses TLS 1.2+ with HSTS enabled. The certificate is publicly verifiable.The crawler is the highest-risk surface in an AEO platform: it follows user-supplied URLs. AEOlens enforces multiple layers to prevent server-side request forgery (SSRF):
page.goto before navigation begins.AEOlens/1.0; +https://aeolens.ai/bot) so target site operators can identify and rate-limit us if needed.Every scan, simulation, and project belongs to exactly one workspace (organization). Database access is enforced at multiple layers:
get_org_for_scan and equivalents in the codebase.AEOlens itself runs AI models for the buyer-simulation feature. We use OpenRouter as a routing layer to query ChatGPT, Perplexity, Gemini, Claude, and Grok. Important constraints:
AEOlens uses the following third-party services. Each link points at the provider's own security and data-handling documentation:
If you find a security issue, please email contact@aeolens.ai with a description, reproduction steps, and ideally a suggested mitigation. We aim to acknowledge reports within 2 business days and respond with a remediation plan within 14 days for high-severity issues. We do not currently run a paid bug-bounty program but credit researchers publicly with permission.
Please don't run automated scanners against production. We monitor for them and you'll get rate-limited fast. If you want to do active testing, ask first — we can spin up a sandbox.
In the spirit of honest copy: AEOlens is not SOC 2 certified yet. We're an early-stage product. We have a security posture(the items above) but no third-party attestation. We're working on it; we'll publish here when it lands. If SOC 2 is a hard procurement requirement for your team today, please reach out before signing up.
We'll happily walk through specifics — VPC questions, DPA signing, EU residency, retention overrides for Agency-plan customers.
Contact security