Privacy Policy
Last updated: 23 May 2026
AEOVIO Pty Ltd ("Aeovio", "we", "us", "our") respects your privacy and is committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, hold, use, disclose, and protect personal information when you use the Aeovio platform, website, customer portal, WordPress plugin, and related services (collectively, the "Services").
This Privacy Policy is published under APP 1 (open and transparent management of personal information).
1. About Aeovio and contacting us
Aeovio is an autonomous AI SEO/AEO platform that helps Australian businesses plan, generate, publish, and measure search engine optimisation content and execution. Our service combines AI-generated content, agent automation, a WordPress plugin, and reporting tools.
If you have any questions about this Privacy Policy or how we handle your personal information, please contact our Privacy Officer at:
- Email: hello@aeovio.com.au
- Postal: AEOVIO Pty Ltd, Level 1/105 High St, Prahran VIC 3181, Australia
We aim to respond to all privacy enquiries within 30 days.
2. Anonymity and pseudonymity (APP 2)
Where it is lawful and practical, you may interact with our public website without identifying yourself. However, to use the Services (for example, to sign up for an account, receive content generated by the platform, or have us interact with your Google Search Console or Google Analytics 4 data), we need to identify you — anonymous or pseudonymous use of the Services is not practical because the Services are inherently account-bound and integrated with third-party tools tied to your business identity.
3. The personal information we collect (APP 3)
We only collect personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities.
3.1 Personal information you provide directly
- Account details: full name, email address, password (stored hashed), notification preferences.
- Organisation details: business name, primary website domain, industry, target market, country, currency.
- Billing details: Stripe customer ID. Aeovio does not store full payment-card numbers — these are handled directly by Stripe.
- Support communications: the content of any support tickets, chat messages, or emails you send us.
3.2 Personal information we collect through the Services
- OAuth tokens for Google Search Console, Google Analytics 4, and Google Business Profile when you connect those accounts. These tokens are encrypted at rest using AES-256-GCM and are used solely to retrieve SEO performance data for your account.
- Plugin API keys for the Aeovio WordPress plugin. Keys are shown once on generation and stored only as HMAC hashes.
- Usage information: which features of the Services you use, when, and from what IP address; basic device and browser information; audit-log records of significant account actions.
- SEO data: keywords, rankings, content drafts, audit reports, competitor data — most of which is not "personal information" but may incidentally contain personal information (for example, an author byline on a competitor's page).
3.3 Personal information we collect from third parties
- Google APIs: when you connect Google Search Console, Google Analytics 4, or Google Business Profile, we receive performance data attributed to your properties under your authorisation.
- DataForSEO and Firecrawl: we receive ranking and crawl data about your website(s) and publicly visible competitor websites.
- Stripe: we receive subscription, invoice, and payment-status information.
4. Unsolicited personal information (APP 4)
If we receive personal information that we did not solicit (for example, an unsolicited email containing information about a third party), we will, as soon as practicable, determine whether we could have collected the information under APP 3. If not, and the information is not contained in a Commonwealth record, we will destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so.
5. Notification of collection (APP 5)
When we collect personal information about you, we take reasonable steps to make sure you are aware of:
- our identity and contact details;
- the fact and circumstances of the collection;
- whether the collection is required or authorised by law;
- the purposes of the collection;
- the consequences if we do not collect the information;
- our usual disclosures (including overseas disclosures — see §8);
- the existence of this Privacy Policy; and
- how to access, correct, or complain about the handling of your personal information.
We provide this notification through this Privacy Policy, through point-of-collection notices in the signup flow, and through cookie banners at first visit.
6. How we use and disclose personal information (APP 6)
6.1 Primary purposes
We use and disclose personal information primarily to:
- create and administer your account;
- deliver the Services you have subscribed to (audits, content generation, ranking checks, publishing, reporting);
- process payments through Stripe;
- send service-related communications (account, billing, security, support);
- generate SEO content using third-party AI services (see §6.4) on your behalf and at your direction;
- maintain platform security, prevent fraud, and meet our legal obligations.
6.2 Secondary purposes
We may use and disclose personal information for secondary purposes that are related to a primary purpose where you would reasonably expect us to do so — for example, to improve the Services, perform internal analytics on aggregated usage, or respond to support enquiries about historical activity.
6.3 Disclosure to third parties
We disclose personal information to:
- Sub-processors that operate parts of the platform — see §8 and the separate Data Processing Addendum;
- Professional advisers (lawyers, accountants, auditors) under confidentiality obligations;
- Law enforcement, regulators, or courts where required by law (for example, in response to a valid subpoena or notice from the Office of the Australian Information Commissioner);
- Successors in the event of a merger, acquisition, or sale of all or part of Aeovio's business, subject to appropriate confidentiality obligations.
We do not sell personal information.
6.4 AI-assisted processing
The Services use third-party large-language-model and image-generation services (currently Anthropic Claude and OpenAI). When you use a content-generation feature, the prompt — which may include your business context, target keywords, and instructions — is sent to those services for processing. We do not knowingly include identifiable personal information about end users in those prompts unless you supply it. AI providers process this data subject to their own terms; see §8 for cross-border handling.
7. Direct marketing (APP 7)
We may use your email address to send you marketing communications about Aeovio products and features. You can opt out of marketing at any time by:
- clicking the "unsubscribe" link in any marketing email;
- changing your notification preferences in your account settings; or
- emailing hello@aeovio.com.au.
We will continue to send you transactional and service messages (billing, security, account, support) even after you opt out of marketing, because those messages are necessary to operate your account.
8. Cross-border disclosure of personal information (APP 8)
The Services are operated from infrastructure located outside Australia. As a result, your personal information is disclosed to overseas recipients. We take reasonable steps to ensure these recipients handle personal information consistently with the APPs, including through contractual safeguards and selecting providers with recognised security certifications.
8.1 Overseas sub-processors
| Recipient | Function | Country |
|---|---|---|
| Supabase | Database, authentication, file storage | United States |
| Stripe | Payment and subscription processing | United States |
| Resend | Transactional and marketing email | United States |
| Anthropic | AI content and strategy generation | United States |
| OpenAI | AI image generation | United States |
| Vercel | Application hosting and edge delivery | United States |
| Firecrawl | Website crawling and content extraction | United States |
| DataForSEO | SEO data, rankings, SERP analysis | Bulgaria |
A more detailed sub-processor list, including the categories of data shared and the safeguards in place, is set out in our Data Processing Addendum.
8.2 Offshore internal delivery personnel
In addition to the sub-processors above, Aeovio engages offshore delivery personnel located in Pakistan and South Africa to perform a range of internal functions, including customer support, content quality review, account configuration, and platform operations. These personnel may access personal information (including names, email addresses, business context, and SEO performance data) held in our systems on a role-based, need-to-know basis to deliver the Services.
We take the following steps to protect personal information accessed by offshore delivery personnel:
- contractual confidentiality and data-protection obligations equivalent to those expected under the Privacy Act;
- mandatory privacy and security training before access is granted;
- role-based access controls within our platform, with audit logging of significant actions;
- prohibition on copying or exporting personal information outside our managed systems.
By using the Services, you acknowledge that personal information you provide may be accessed by personnel located in Pakistan and South Africa for the purposes described above. If you have specific concerns about this disclosure, please contact hello@aeovio.com.au before signing up so we can discuss them.
8.3 Effect of overseas disclosure
Under APP 8.1, Aeovio remains accountable for the acts and practices of overseas recipients in relation to personal information disclosed to them, except in the narrow circumstances set out in APP 8.2 (which generally do not apply to our overseas sub-processor and delivery arrangements). In other words, if an overseas recipient mishandles your personal information, you can still seek redress from Aeovio under the Privacy Act.
9. Government identifiers (APP 9)
We do not collect, use, or disclose government-issued identifiers (such as Medicare numbers, Tax File Numbers, or driver licence numbers) as part of providing the Services.
10. Quality of personal information (APP 10)
We take reasonable steps to ensure the personal information we collect is accurate, up to date, and complete, and that personal information we use or disclose is also relevant. You can help us by keeping your account profile current. If you believe any personal information we hold about you is inaccurate, please follow §13 to request a correction.
11. Security of personal information (APP 11)
We take the following technical and organisational measures to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure:
- Encryption in transit: all communications between your browser and the Services use TLS.
- Encryption at rest: OAuth tokens and other sensitive credentials are encrypted using AES-256-GCM with keys held in our secrets manager. The underlying database is encrypted at rest by the database provider.
- Authentication: passwords are stored using strong one-way hashing; we support multi-factor authentication.
- API key handling: plugin API keys are shown once and stored only as HMAC hashes.
- Access controls: role-based access (superadmin / staff / client_admin / client_viewer / white_label_partner) with least-privilege defaults.
- Audit logging: significant account actions are recorded for security review.
- Rate limiting and abuse prevention: to protect against credential stuffing, scraping, and abuse.
- Personnel: background-vetted staff with mandatory privacy and security training; contractual confidentiality obligations.
No system is perfectly secure. If a data breach occurs that is likely to result in serious harm, we will follow §14.
12. Accessing your personal information (APP 12)
You have a right to request access to the personal information we hold about you. To make a request:
- log in to your account and use the self-service data export tool in Settings → Account & Data; or
- email hello@aeovio.com.au.
We will respond within 30 days. We do not charge for access requests, although we may charge a reasonable fee for the actual cost of producing copies in unusual cases (for example, if you request a particularly large historical export). We will tell you the fee before we incur the cost.
In limited circumstances permitted by the Privacy Act (for example, where access would have an unreasonable impact on others' privacy, or where giving access would prejudice an investigation of unlawful activity), we may decline a request. If we do, we will tell you in writing, give our reasons, and explain how you can complain.
13. Correcting your personal information (APP 13)
If personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request a correction. You can:
- update your profile directly in the account portal; or
- email hello@aeovio.com.au.
We will respond within 30 days. If we correct personal information we have previously disclosed to a sub-processor, we will, on request, take reasonable steps to notify that sub-processor of the correction.
If we refuse a correction request, we will tell you in writing, give our reasons, and explain how you can complain. You may also ask us to attach a statement to the relevant record noting that you consider the information to be inaccurate, out of date, incomplete, irrelevant, or misleading.
14. Notifiable Data Breaches scheme
Aeovio is committed to compliance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, and we cannot prevent the likely risk of serious harm with remedial action, we will:
- assess the breach within 30 days of becoming aware of it;
- notify the Office of the Australian Information Commissioner (OAIC); and
- notify affected individuals, including a description of the breach, the kinds of information involved, and recommendations for the steps individuals should take in response.
If you suspect a data breach affecting your account, please contact hello@aeovio.com.au immediately.
15. Retention of personal information
We retain personal information only for as long as it is necessary for the purposes set out in this Privacy Policy, or as required by law.
- Active accounts: for as long as the account is active.
- Cancelled accounts: core account data is retained for 30 days after cancellation to allow restoration if you change your mind and to enable data export, then deleted or de-identified, except where retention is required by law (for example, tax records under the Income Tax Assessment Act).
- Billing and tax records: retained for the period required by Australian tax law (currently 5 years).
- Backups: routine backups containing your data may persist for a short period after deletion before being overwritten in the normal backup rotation.
16. Cookies and similar technologies
We use cookies and similar technologies on our website and within the customer portal. See our Cookie Policy for details, including the cookies we use, their purposes, and how to manage your preferences.
17. Children's personal information
The Services are not directed at children and we do not knowingly collect personal information from children under 18. If you believe a child has provided personal information to us, please contact hello@aeovio.com.au and we will take steps to delete it.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version will always be available on our website with a clear "last updated" date. For material changes that significantly affect how we handle personal information, we will give you reasonable notice (typically by email or in-portal notification) before the change takes effect.
19. How to complain
If you believe we have breached this Privacy Policy, the APPs, or the Privacy Act, please contact us first at hello@aeovio.com.au so we can try to resolve your concern. We aim to respond within 30 days.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
- Website: https://www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001