Privacy policy.

1. Who we are

PACO GEO is operated by PACO AI. Our website is pacoai.co. For any question about this policy or how we handle your data, email emmad@pacoai.co.

2. What PACO GEO does

PACO GEO optimizes small-business visibility across Google Business Profile, Bing Places, Apple Business Connect, Foursquare, and the customer's own domain so that AI models like ChatGPT, Perplexity, and Gemini cite the business for local queries.

3. Data we collect

• Account information: name, email, and login credentials you provide during sign-up.
• Business information: business name, address, phone number, website, hours, services, and any onboarding answers you give us.
• Connected platform data: information we read from platforms you connect (see the Google Business Profile section below).
• Payment information: processed by Stripe. We do not store card numbers.
• Usage data: pages viewed, actions taken, and error logs so we can debug and improve the service.

4. Google Business Profile access

When you connect your Google Business Profile to PACO GEO, the following applies.

Scope requested

PACO requests the https://www.googleapis.com/auth/business.manage scope. This is the scope Google requires for any application that reads and writes Google Business Profile data on the owner's behalf.

Data we read

PACO reads your business locations, posts, and reviews to understand the account state. This read is how we detect what is already optimized, what is missing, and what we should propose to improve your visibility in AI search.

Writes we perform

PACO writes updates to your business description, scheduled posts, and review replies only after you approve each change in the PACO dashboard. No write is ever sent to Google without a human approval click from you. Every proposed write is shown in a side-by-side Before and After diff inside the dashboard before you accept it.

Storage and encryption

We store access and refresh tokens encrypted at rest using Fernet (AES-128-CBC + HMAC) with a key held in our Railway environment. Tokens are never written to logs. Database backups inherit the same at-rest encryption.

Revocation

You can revoke PACO's access at any time from the PACO dashboard Disconnect button, or from your Google Account permissions page at myaccount.google.com/permissions. Revocation is honored within one minute.

Retention

We retain connection data for the lifetime of your subscription plus 30 days, then purge. If you cancel, your tokens are revoked and your connection record is deleted at the end of the 30-day window.

5. What we do not do

• We do not sell your data to anyone, ever.
• We do not share your data with third parties except the sub-processors listed below, and only for the purposes described.
• We do not write to your Google Business Profile, Bing Places, Apple Business Connect, or any other connected platform without your explicit in-dashboard approval.
• We do not use your business data or your customers' review content to train AI models. Drafts we generate for you go through third-party LLM providers under their standard API terms (no training on API inputs).

6. Sub-processors

• Railway. Application hosting and Postgres database.
• OpenRouter. Routes requests to LLM providers (Gemini, Claude, Kimi) for draft generation.
• Stripe. Payment processing.
• Resend. Transactional email delivery.

7. Your rights

You can request access to your data, a portable export of your data, or deletion of your account at any time. Email emmad@pacoai.co and we will respond within 7 days. Deletion requests are honored by purging your account record, your connected-platform tokens, and all derived profile data. Backups roll off within 30 days.

8. Security

Data is encrypted in transit (TLS 1.2+) and at rest. Access to production is limited to the founder. We log errors and access attempts and review them regularly. If we ever discover a breach that affects your data, we will notify you by email within 72 hours.

9. Children

PACO GEO is a business tool. We do not knowingly collect data from anyone under 16. If you believe a minor has submitted data, email emmad@pacoai.co and we will delete it.

10. Changes to this policy

If we make material changes to this policy, we will email you before the changes take effect. Minor edits (typos, clarifications) are published without notice and reflected in the "Last updated" date above.

11. Contact

Questions, requests, or security disclosures: emmad@pacoai.co.

PACO AI, Hermosa Beach, California. See also our Terms of Service.