How Stratogizer handles your data

Stratogizer is the data controller for the personal data described in this policy. If you are inside the European Economic Area (EEA) or United Kingdom, you can reach our privacy contact directly at info@stratogizer.co.za. South African users have rights under the Protection of Personal Information Act, 2013 (POPIA), and may also reach the Information Regulator at inforegulator.org.za.

We collect personal data in the following categories:

a. Account data

• Name, email address, profile photo (when supplied via Google sign-in or upload).
• Workspace, company, and role information you create inside Stratogizer (e.g. agency name, brand names, team-member email addresses you invite).
• Authentication metadata: hashed passwords, sign-in timestamps, IP address, user agent.

b. Strategy & brief content

• Campaign briefs, audience descriptions, brand pillars, competitor lists, budgets, flight dates, and any other strategic content you enter into the platform.
• Documents you upload (brand guidelines, prior performance reports, creative references, PDFs).
• AI-generated outputs (media plans, social strategies, SEO recommendations) and any edits or feedback you record on them.

c. Integration data (third-party platforms)

When you connect a third-party platform (currently Google Search Console; we may add Meta, LinkedIn, TikTok, GA4, and similar in future), we receive an OAuth access token and refresh token from that platform plus the data the relevant scope grants us. See section 3 for the Google-specific disclosure.

d. Usage & device data

• Pages visited, features used, errors encountered, request timestamps, IP address, browser type, and OS.
• Token-usage telemetry from AI generations: input/output token counts, model identifiers, cost in USD/ZAR. This data drives billing and admin reporting.
• Audit log of significant actions (signing in, creating a campaign, generating a strategy, inviting a member) with the actor, timestamp, and IP.

e. Billing data

• Subscription plan, workspace seat counts, invoice history.
• Payments are processed by our payment provider; we do not store your full card number on our servers.

When you connect Google Search Console to Stratogizer, we use Google’s OAuth 2.0 flow to request a single, narrowly-scoped grant. The disclosures below describe exactly what we do with Google user data and apply in addition to the rest of this policy.

a. Scopes we request

• https://www.googleapis.com/auth/webmasters.readonly — read-only access to Search Console data for properties you have granted Stratogizer access to. We use this to list your verified properties and pull search-analytics data (impressions, clicks, click-through rate, average position, by query and by page).
• openid / userinfo.email — used only to label the connected Google account in your workspace so you can recognise which account is connected.

We do not request, access, or store any other Google user data. We do not modify Search Console settings, submit sitemaps, or alter any Google product on your behalf.

b. How we use Google data

• Pull aggregate Search Console performance data for the property you bind to a Stratogizer company.
• Pass that data to our AI provider (Anthropic) to generate SEO and Generative Engine Optimisation (GEO) recommendations for that property.
• Cache the raw Search Console response on the audit row so that re-analysing the same point-in-time audit does not require a fresh API call.
• Display the resulting recommendations and summary metrics inside Stratogizer to the workspace owner, the company manager, and any team member with access to that company.

c. Limited Use of Google user data

Stratogizer’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide and improve user-facing features visible inside Stratogizer (the SEO & GEO module).
• We do not transfer Google user data to others except as needed to provide or improve user-facing features (e.g. our hosting and AI sub-processors listed in section 6) or to comply with applicable law.
• We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
• We do not allow humans to read your Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or for our internal operations where the data has been aggregated and anonymised.

d. Storage & encryption

• OAuth access and refresh tokens are encrypted at rest using AES-256-GCM with a key held outside the database.
• Cached Search Console response payloads live in your workspace’s row-level-secured Postgres tables and are accessible only to authenticated members of that workspace with the right role.

e. Revocation

You can disconnect Stratogizer from Google Search Console at any time:

• Inside Stratogizer: SEO & GEO tab → Disconnect. We immediately revoke the refresh token with Google and delete the stored credential. Past audit results stay in your workspace until you delete them.
• Inside Google: visit myaccount.google.com/permissions and remove Stratogizer’s access.

• To provide the platform: authentication, workspace management, AI generations.
• To produce strategy outputs: your briefs, integration data, and uploaded documents are sent to our AI provider (Anthropic) to generate the requested deliverable.
• To bill you accurately and report token usage to workspace owners and platform admins.
• To detect abuse, debug errors, and keep the service secure and reliable.
• To send service-related email (account confirmations, invitations you trigger, password resets). We do not send marketing email without explicit opt-in.
• To comply with legal obligations and respond to lawful requests from regulators.

We do not sell your personal data. We do not use your strategy content, briefs, or integration data to train AI models — Anthropic processes prompts but does not retain them for model training under the API terms we use.

Where required by law (POPIA in South Africa, GDPR in the EEA/UK), we rely on the following legal bases:

• Performance of a contract — to provide the features you sign up for.
• Legitimate interests — to keep the service secure, improve it, and prevent abuse.
• Consent — for connecting third-party platforms (you click through an OAuth consent screen) and for any future marketing communications.
• Legal obligation — to comply with tax, accounting, and lawful regulator requests.

We share personal data only with the sub-processors needed to operate Stratogizer. Each provider is bound by data-processing agreements:

• Supabase Inc.

  EU (eu-west-1)

  Hosted Postgres database, authentication, file storage.

• Vercel Inc.

  Global edge / EU primary

  Application hosting, edge runtime, request logs.

• Anthropic, PBC

  USA

  AI model inference (Claude) for strategy and audit generations.

• n8n GmbH (n8n Cloud)

  EU

  Workflow orchestration between Stratogizer and AI providers.

• Resend, Inc.

  USA

  Transactional email delivery (account, invitations, password resets).

• Google LLC

  Global

  OAuth identity provider and Search Console API (only when you connect).

We may also share data with professional advisers (accountants, lawyers) under confidentiality, and with regulators or law enforcement if compelled by valid legal process. We will, where lawfully possible, notify you before complying with such a request.

• All traffic to and from the platform is encrypted in transit (HTTPS/TLS 1.2+).
• OAuth access and refresh tokens are encrypted at rest with AES-256-GCM. The encryption key is held in our deployment-environment configuration, separate from the database.
• All workspace data is segregated by row-level security: a workspace member can only ever read or write rows belonging to workspaces and companies they have been granted access to.
• Access to production systems is restricted to a small number of authorised engineers, protected by single sign-on and multi-factor authentication. Production access is logged.
• We will notify affected users and the Information Regulator within 72 hours of confirming any personal-data breach that meets the POPIA/GDPR notification threshold.

• Account data is retained while your workspace is active and for up to 90 days after closure, after which it is permanently deleted.
• Strategy briefs, generations, and audit results are retained as long as the parent workspace exists. Workspace owners can delete individual records at any time.
• OAuth tokens are deleted immediately when you disconnect the integration. We also revoke them with the upstream provider.
• Audit log entries are retained for up to 24 months for security and compliance purposes, then deleted.
• Billing records are retained for the period required by South African tax law (currently 5 years).

You can request earlier deletion of any data we hold about you by emailing info@stratogizer.co.za. We will respond within 30 days.

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data — most fields are editable directly inside Stratogizer.
• Delete your account and associated workspace data.
• Port your strategy outputs (PDF export is available for every generation; raw data export is available on request).
• Object to processing you believe is unlawful.
• Withdraw consent for any processing that relies on consent (e.g. third-party integrations) at any time.
• Lodge a complaint with the South African Information Regulator (POPIA) or your local supervisory authority (GDPR).

To exercise any of these rights, email info@stratogizer.co.za. We may need to verify your identity before responding.

Stratogizer is a B2B product not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please email info@stratogizer.co.za and we will delete it.

Some of our sub-processors are based outside South Africa and the EEA (notably Anthropic and Resend in the United States). When we transfer personal data internationally, we rely on Standard Contractual Clauses or equivalent safeguards approved by the relevant data protection authorities, and we ensure the recipient is committed to protecting the data to the same standard as this policy requires.

We may update this policy as we add features and platforms (Meta, LinkedIn, GA4, etc.). When we make material changes, we will update the “Last updated” date at the top and, where the change materially affects how we process your data, notify active workspace owners by email at least 14 days before the change takes effect.

For privacy questions, data-rights requests, or to report a concern:

• Privacy contact: info@stratogizer.co.za
• General support: info@stratogizer.co.za
• Postal address: Stratogizer (Pty) Ltd, 1 Hewitt Street, Durbanville, 7550, South Africa

South African Information Regulator: inforegulator.org.za.