Nugentive Labs Inc. ("Nugentive," "we," "us," or "our") operates nugentive.com and provides Answer Engine Optimization (AEO) audit and optimization services. This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it.
Nugentive is headquartered in Grande Prairie, Alberta, Canada. We comply with Alberta's Personal Information Protection Act (PIPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and — for users in the United States — the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Where other privacy laws apply to you, we will honour any stronger rights you have under those laws.
By using our website or purchasing our services, you agree to the practices described in this Policy. If you do not agree, please do not use our website or services.
1. Information We Collect
The information we collect depends on which part of our service you use. We do not collect information from you that we do not need.
1.1 Free AEO Audit
When you submit the free audit form at /aeo-audit/ we collect:
- Website URL — the URL of the business you want audited.
- Email address — so we can deliver your audit results.
- IP address — captured automatically from your browser request. We use it only for abuse prevention and rate limiting (so a single visitor cannot exhaust our paid third-party API quotas).
1.2 Detailed AEO Audit (paid)
After purchasing a Detailed Audit through our checkout, you complete an intake form at which we collect:
- Email address (typically pre-filled from your purchase).
- The URL of the business being audited.
- SamCart Order ID and Receipt ID — confirming your purchase.
- Primary product or service you sell.
- Target geographic location.
- Up to three competitor URLs you want benchmarked.
- Target questions — the AI-search questions you most want to rank for.
1.3 Done-With-You (DWY) Customers
When you purchase a DWY Monthly or DWY Quarterly subscription, SamCart sends us your name, email address, order ID, and product purchased. After purchase, the intake form may collect additional onboarding information necessary to deliver the service (for example: business name, current AEO/SEO status, access credentials you choose to share, and target keywords or questions).
1.4 Done-For-You (DFY) Waitlist
If you join the DFY waitlist at /done-for-you/ we collect: first name, last name, email, business name, city, country, website URL, the AI platforms you care about, the age of your website, your level of website access, your Google Business Profile status, the social/directory platforms you currently use, your approximate Google review count, a short description of the challenge you are trying to solve, and how you heard about us. We use this to qualify the lead and follow up by email.
1.5 Information About Your Website (Audit Subjects)
Once you submit a URL, our audit fetches and analyses publicly available information about that website and the business behind it. This includes: page HTML, robots.txt, llms.txt, sitemap.xml, schema markup, social profile links, Google Business Profile listing data (name, rating, review count, hours, photos count, business status), Bing/Google indexation status, backlink summary data, and public review and SERP signals. This is data about the business you have asked us to audit, not personal information about you as an individual, but we treat it as confidential to your account.
1.6 Payment Information
Payments are processed entirely by our payment processor, SamCart. We never see, store, or have access to your full credit card number, CVV, or banking details. We only receive a record that your purchase succeeded, your name and email, the product purchased, and the SamCart order and receipt IDs.
1.7 Communications
If you email us, reply to one of our emails, or contact us through any other channel, we keep that correspondence to provide support and maintain a record of our business communications.
1.8 Technical Data
Our hosting provider automatically logs basic request data (IP address, user agent, request path, timestamp, response code) for a limited period for security, debugging, and infrastructure monitoring. Email addresses and IP addresses are redacted in our own application logs (for example t***@m***.com and 192.0.x.x) so that engineers debugging an issue cannot easily identify individual users.
2. How We Use Your Information
We use the information we collect to:
- Deliver the service you asked for — run your audit, generate your report, deliver your DWY work product, follow up on your DFY waitlist enquiry.
- Communicate with you — send audit results, intake confirmations, welcome emails, report deliveries, and support replies.
- Prevent abuse — rate-limit submissions, block automated scraping, and protect our paid third-party API quotas.
- Improve our service — diagnose bugs, measure performance, and refine our audit methodology. We use aggregated and de-identified data where possible for this purpose.
- Meet legal obligations — for example, retaining tax and accounting records as required by Canadian law.
We do not sell, rent, trade, or share your personal information with anyone for their own marketing purposes. We do not use your personal information to train AI models, and the AI provider we use to generate report narratives (Anthropic) is contractually prohibited from training on data submitted through its commercial API.
3. Legal Bases for Processing
Where applicable law requires us to identify a legal basis, we rely on:
- Performance of a contract — to deliver the audit or service you purchased or requested.
- Legitimate interests — to prevent fraud and abuse, maintain security, debug our systems, and improve our service, balanced against your interests.
- Consent — for any optional uses, such as marketing emails (if and when we offer them) or any non-essential cookies.
- Legal obligation — to comply with tax, accounting, and other statutory requirements.
4. Sub-Processors and Third-Party Services
To run our business we share specific data with the third-party service providers ("sub-processors") listed below. Each receives only the data it needs to perform its function, and we use contractual safeguards (data processing terms, security commitments) where the provider offers them. We do not authorise any sub-processor to use your data for its own purposes.
4.1 Infrastructure and Storage
- Google LLC (Firebase / Google Cloud Platform) — hosts our website, runs our serverless backend (Cloud Functions), stores all customer records in Firestore, stores audit results and reports, handles authentication for admin users, captures basic analytics events (Firebase Analytics), and aggregates application logs (Cloud Logging). Data may be processed in Google data centres located in the United States. Google Privacy Policy.
4.2 Payments
- SamCart, LLC — processes all checkouts and subscription billing for paid services. When SamCart confirms a purchase, it sends us a webhook containing your name, email, order ID, receipt ID, and product name. Card data never reaches Nugentive. SamCart Privacy Policy.
4.3 Email Delivery
- Twilio SendGrid — sends all transactional email from Nugentive: audit results, intake confirmations, welcome emails, and report deliveries. We share your email address and the contents of the message being sent. Twilio Privacy Notice.
4.4 AI Report Generation
- Anthropic PBC — receives your audited URL, your audit's category scores, and the underlying signal data, so its Claude model can generate the natural-language findings, quick wins, and executive summary in your report. Anthropic does not train its models on data submitted via its commercial API and deletes prompts and outputs in line with its commercial data policy. We do not send your email address, name, or payment information to Anthropic. Anthropic Privacy Policy.
4.5 Website Fetching
- Apify Technologies s.r.o. — when our direct fetch of your website is blocked by anti-bot protection, we use Apify's scraping infrastructure (Cheerio Scraper or Anti-Bot Bypass actors) to retrieve publicly available HTML from the URL you submitted. We send Apify the URL and our fetch parameters; Apify returns the HTML. Apify Privacy Policy.
4.6 SEO, GBP, and SERP Data
- DataForSEO — looks up Google Business Profile listings, SERP rankings, Bing indexation, backlink summaries, competitor backlink gaps, and public review data for the domain and competitor domains you have submitted. We send DataForSEO the relevant domain, keywords, and location parameters. DataForSEO Privacy Policy.
- Google Maps Platform (Places API, PageSpeed Insights, Chrome UX Report, Knowledge Graph Search) — looks up your Google Business Profile, real-world page-speed metrics, and entity data. We send Google the domain, business name, or place identifier we are looking up.
4.7 Public Brand Mentions
- Reddit, Inc. — we query Reddit's public search endpoint for public posts mentioning the domain being audited. No personal information is sent; we send only the domain name as a search term. Reddit Privacy Policy.
4.8 Fonts and Scheduling
- Google Fonts — serves the typefaces used on our website. When your browser loads our pages, it requests font files directly from Google's servers, which receive your IP address and basic request metadata. We do not send your name or email to Google Fonts.
- Calendly — when you click a "Book a Call" or scheduling link that takes you to Calendly, you leave our site and any information you enter on Calendly is governed by Calendly's policies. Calendly is not used by default on our forms.
If we add or change a sub-processor in a material way, we will update this list. The current list above reflects every third-party service that receives personal data as part of our normal operations.
5. International Data Transfers
Several of our sub-processors (Google Cloud, SamCart, SendGrid, Anthropic, Apify, DataForSEO, Reddit) operate primarily in the United States. By using our services from outside the United States, you understand that your personal information may be transferred to, stored in, and processed in the United States and potentially other countries where these providers operate. We rely on the contractual and security commitments offered by these providers (including, where applicable, Standard Contractual Clauses and equivalent safeguards) to protect your data during transfer.
6. Cookies, Local Storage, and Tracking
We keep our tracking footprint small.
- Cookies set by Nugentive — we do not currently set any first-party tracking, advertising, or analytics cookies.
- Cookies set by third parties — when your browser loads Google Fonts, Google may set cookies under its own domain. Embedded third-party tools (such as a SamCart checkout iframe or a Calendly scheduling page) may set their own cookies under their respective domains.
- Local storage — when you start a free audit we store a small record in your browser's
localStorage under the key nugentive.activeAudit. It contains only your audit ID and a timestamp, expires automatically after 30 minutes, and is used so you can refresh or navigate away and still return to your in-progress audit. It is not used for tracking and is not shared with anyone. - Analytics — Firebase Analytics may record anonymised, aggregated usage events (such as page views) to help us understand how the site is used. We do not use these events to build a personal profile of you.
You can configure your browser to block or delete cookies and local storage. Doing so may prevent in-progress audits from resuming correctly but will not block access to the site.
7. Data Retention
We keep personal information only as long as we need it.
- Audit records (URL, email, IP, scores, reports) — retained in Firestore indefinitely so you can revisit your historical audits and so we can re-audit you on request. You may ask us to delete them at any time (see Section 9).
- Detailed Audit, DWY, and DFY records — retained for the duration of your relationship with us plus a reasonable period afterward to maintain business records and meet tax/accounting obligations (typically up to seven years, as required under Canadian law).
- Email logs — SendGrid retains delivery metadata according to its own policy.
- Application logs (Cloud Logging) — retained for the default Google Cloud retention period (typically 30 days), with email and IP fields already redacted.
- Payment records — held by SamCart according to its policy and retained by us in summary form for accounting purposes as required by law.
When information is no longer needed and we have no legal obligation to retain it, we delete or anonymise it.
8. Security
We use reasonable administrative, technical, and physical safeguards to protect personal information:
- Customer data is stored on Google Cloud infrastructure with encryption in transit (TLS) and at rest.
- Access to production systems and customer data is restricted to authorised personnel.
- API keys and secrets are stored in Google Secret Manager, not in source code.
- Sensitive fields (email, IP) are redacted in application logs.
- SamCart-issued access tokens are used to gate access to your detailed-audit report.
No internet-connected system is ever completely secure. We cannot guarantee absolute security and will notify affected users and, where required, the relevant regulator if we become aware of a personal information breach that creates a real risk of significant harm.
9. Your Privacy Rights
Subject to limited exceptions in applicable law, you have the right to:
- Access — request a copy of the personal information we hold about you.
- Correct — request that we correct inaccurate or incomplete information.
- Delete — request that we delete personal information we hold about you. We may retain information we are required to keep for legal or accounting purposes.
- Withdraw consent — withdraw any consent you have given, subject to legal or contractual restrictions.
- Opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising. There is nothing to opt out of, but you have the right to confirm this.
- Non-discrimination — we will not deny you service, charge you a different price, or provide a lower-quality service because you exercised your privacy rights.
- Complain to a regulator — if you believe we have mishandled your information, you can complain to the Office of the Information and Privacy Commissioner of Alberta, the Office of the Privacy Commissioner of Canada, or — for California residents — the California Attorney General.
To exercise any of these rights, email us at privacy@nugentive.com from the email address associated with your record. We may ask for additional information to verify your identity. We respond to verifiable requests within 30 days (Canada) or 45 days (California), with the option to extend if a request is unusually complex.
10. Children's Privacy
Our website and services are intended for business owners and operators aged 18 or older. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please email privacy@nugentive.com and we will delete it.
11. Automated Decision-Making
Our free audit scores your website automatically based on signals our system collects. The resulting score and the narrative findings (which are generated with the help of an AI model) do not produce legal or similarly significant decisions about you — they are recommendations about your website's AI visibility, intended to help you improve it. A human at Nugentive reviews and may revise the report before any paid Detailed Audit is delivered.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The Effective Date at the top of this page reflects the most recent revision. If we make material changes, we will take reasonable steps to notify you (for example, by email to customers or a notice on the site). Your continued use of the website or services after a change becomes effective constitutes acceptance of the revised Policy.