Privacy Policy
Last updated 22 June 2026
Who we are and how to contact us
VisibleFront is run by VISIBLEFRONT LTD, a company registered in England & Wales under company number 17288404. Our registered office is 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
For anything to do with this policy, your personal data, or to make a data-protection request, email us at hello@visiblefront.com.
For the personal data described in this policy, VISIBLEFRONT LTD is the data controller under the UK GDPR and the Data Protection Act 2018. There is one exception: when an end customer submits a booking request through a business's public profile, we act as a processor on behalf of that business, and the business is the controller of that booking data.
What VisibleFront does
We measure how visible a local business is to AI assistants such as ChatGPT, Google Gemini and Perplexity. We do this by asking those assistants the kinds of questions real customers ask, then scoring how often the business is recognised or recommended, on a 0 to 100 AI Visibility Score.
We offer a free AI-visibility scan with an emailed report, and a paid subscription that adds a hosted, machine-readable public business profile (at a /b/[slug] web address), help correcting and propagating the business's listing data, monthly rescans, a dashboard with an AI guide/concierge, and an optional booking button.
We also publish a public AI Visibility Index: monthly city-by-city rankings of local businesses by AI visibility, released as open data under the CC BY 4.0 licence (attribution to VisibleFront required).
What personal data we collect, why, and our lawful basis
We collect only the data we need for each feature. Here is each category, why we collect it, and the lawful basis we rely on under the UK GDPR.
- Free scan request: the business name, city, the requester's email (so we can send the report), and the source/referrer. Lawful basis: consent and/or legitimate interest, because the person asked us to run the scan.
- Pilot / design-partner signup: business name and email. Lawful basis: consent / legitimate interest.
- Owner account (for someone who claims and publishes a profile): email and an authentication session, handled via Supabase Auth, with optional Google sign-in. Lawful basis: performance of a contract.
- Business profile content: the business facts an owner confirms or edits, such as services, prices, opening hours, address and phone. The public profile shows only facts the owner has confirmed or edited (an honesty gate). Lawful basis: contract / legitimate interest.
- Booking requests made through a business's public profile: the end customer's name, email and/or phone, requested time, the service, and any notes, submitted so the business can respond. We pass this to the business and act as its processor. Lawful basis: the requester's request and the business's legitimate interest.
- Optional Google Calendar connection (started by the owner): OAuth tokens used only to check free/busy and create events on the owner's own calendar. Lawful basis: consent, revocable at any time.
- Payments: handled by Stripe. We do not store full card numbers; Stripe processes the payment details. We receive subscription status and related metadata from Stripe. Lawful basis: performance of a contract.
- Marketing outreach: we may process publicly available business contact details (B2B) to send a small number of cold emails to businesses in the US and UK; every email includes an unsubscribe link. Lawful basis: legitimate interest.
How we protect your privacy
We have built privacy into how the service works, not just into this policy:
- Our website analytics is Cloudflare Web Analytics: privacy-first and cookieless, with no personal data and no cross-site tracking.
- When we use a visitor's IP address to rate-limit the free scan, the IP is SHA-256 hashed before storage. We never store raw IP addresses, and the hashed keys are date-scoped and expire automatically.
- Business data passed to the AI guide/concierge is sanitised and fenced as reference-only, as a defence against prompt injection.
- We use essential cookies only (login/session via Supabase Auth, and cookies Stripe may set during checkout). We use no advertising or tracking cookies.
Cookies
We use essential cookies only. These are the cookies needed to keep you logged in and to run your session (via Supabase Auth), and any cookies Stripe sets while you are going through checkout.
We do not use advertising or tracking cookies, and our analytics (Cloudflare Web Analytics) is cookieless, so it does not set cookies or track you across sites.
Who we share your data with (our sub-processors)
We do not sell your personal data. We share it only with the service providers we need to run VisibleFront. Each one acts on our behalf, or receives data only for the purpose listed below:
- Cloudflare: hosting, CDN, edge compute, key-value storage, and privacy-first website analytics (Cloudflare Web Analytics).
- Supabase: our database and authentication.
- Stripe: payment processing.
- Resend: transactional and notification email.
- OpenRouter (and the underlying AI model providers it routes to): powers the dashboard AI guide/concierge.
- The AI assistants we measure (OpenAI/ChatGPT, Google/Gemini, Perplexity): they receive public business queries during a scan, and they do not receive any end-customer personal data.
- Google: OAuth, and only if an owner chooses to connect Google Calendar.
International transfers
Some of our sub-processors are located outside the UK and EEA, for example in the United States.
Where personal data is transferred internationally, we rely on appropriate safeguards, such as the UK International Data Transfer Agreement / Addendum, the EU Standard Contractual Clauses, or an adequacy decision.
How long we keep your data
We keep scan/lead and account data while the account or relationship is active, and for as long as we need it to meet our legal, tax and accounting obligations. After that, we delete or anonymise it.
The hashed keys we use to rate-limit the free scan are date-scoped and expire automatically.
Your rights
Under the UK GDPR you have the following rights over your personal data:
- Access: ask for a copy of the personal data we hold about you.
- Rectification: ask us to correct data that is wrong or incomplete.
- Erasure: ask us to delete your data.
- Restriction: ask us to limit how we use your data.
- Portability: ask for the data you gave us in a portable, machine-readable format.
- Objection: object to our processing where we rely on legitimate interest, including the right to object to direct marketing at any time.
- Withdraw consent: where we rely on your consent, you can withdraw it at any time, without affecting processing already carried out.
To exercise any of these rights, email us at hello@visiblefront.com. You also have the right to complain to the Information Commissioner's Office (ICO), the UK's data-protection regulator, at ico.org.uk. We would appreciate the chance to address your concern first, but you can go to the ICO at any time.
Children and under-18s
VisibleFront is a business-to-business service for local businesses and their owners. It is not directed at children, and we do not knowingly collect personal data from anyone under 18.
If you believe a child has provided us with personal data, contact us at hello@visiblefront.com and we will delete it.
Changes to this policy
We may update this policy from time to time. When we make a material change, we will update the “last updated” date shown at the top of this page and, where appropriate, notify users.