Privacy Policy
Contents
- Controller
- Principles of data processing
- Server log files
- Contact by email
- Listing form (registration)
- Payment processing
- Customer portal
- Hosting & infrastructure
- Cookies, analytics & tracking
- AI citation check & AI visibility analysis
- GEO tips, newsletter & product updates by email
- Automatic feature on X (from the Gold tier)
- Customer reviews (testimonials)
- Embedded Google search (website search)
- Your rights
- Changes to this policy
1. Controller
The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:
Emanuele Fanizza
Hofsteder Straße 39
44791 Bochum
Germany
Email:
2. Principles of data processing
We process personal data only to the extent permitted by law or where you have consented. We collect only the data necessary for the respective purpose (data minimization pursuant to Art. 5 (1)(c) GDPR).
Legal bases we rely on:
- Art. 6 (1)(b) GDPR — performance of a contract (e.g. processing your entry, handling paid services)
- Art. 6 (1)(c) GDPR — compliance with legal obligations (e.g. retention duties under the German Commercial Code/Fiscal Code)
- Art. 6 (1)(f) GDPR — legitimate interest (e.g. website operation, abuse prevention, communication)
3. Server log files
The hosting provider of this website automatically collects and stores information in so-called server log files, which your browser transmits. These are:
- IP address (anonymized or shortened)
- date and time of the request
- name and URL of the retrieved file
- amount of data transferred
- browser type and version, operating system, referrer URL
This data cannot be attributed to specific persons. It is not merged with other data sources. It is deleted after no later than 7 days. Legal basis: Art. 6 (1)(f) GDPR.
4. Contact by email
If you contact us by email, your details (sender address, subject, message content) are stored to process your request. No transfer to third parties takes place. Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in processing your request).
The data is deleted once your request has been fully processed and no statutory retention obligation prevents deletion.
Online withdrawal function: If you use our withdrawal function at llmstxt.info/widerruf, we process the data entered there (name, order/contract number, email address and optional details) solely to process your withdrawal and to send the legally required confirmation of receipt. Legal basis: Art. 6 (1)(c) GDPR (compliance with a legal obligation under § 356a German Civil Code) and (b) (contract performance). The data is deleted after completion of the process, unless a statutory retention obligation applies.
5. Listing form (registration)
When you register your organization via the listing form (/submit/), we collect the following data:
- name of the organization / product
- URL of the
llms.txtfile - business category (from a predefined list or custom)
- email address (optional, for queries and notifications)
- chosen listing tier (Standard, Bronze, Silver, Gold, Platinum, Diamond)
- free text / context on the implementation (optional)
- social media and web-presence links (all optional, unlockable depending on the chosen tier): X/Twitter handle, LinkedIn, GitHub, YouTube, Instagram, Facebook, Mastodon, Discord, TikTok, Slack invitation link, newsletter URL, additional website URL
This data is stored in a JSON file on our server and serves the operation of the directory. Publicly visible after activation are: organization name, llms.txt URL, category, tier badge and — depending on the chosen tier — free text, custom category and the social media profiles voluntarily provided by the customer. Email addresses are not published.
Because social media links and profile data are provided voluntarily and for the specific purpose of public presentation in the directory, their processing and publication is based on Art. 6 (1)(b) GDPR (contract performance) in conjunction with the express consent given by using the listing form.
Legal basis: Art. 6 (1)(b) GDPR (contract performance / pre-contractual measures). Data remains stored as long as the entry is active. For deletion requests, contact .
5.1 Community entries from public sources
Some directory entries are not created by the owner themselves but by us on the basis of publicly available information (so-called community entries). Only factual basic data is processed: name/designation of the website, its publicly reachable address or llms.txt URL, and a category. Such entries are marked as a “community entry”, are not assigned to a paid tier and are displayed without embedding third-party logos/favicons; detail pages are set to noindex.
The legal basis is our legitimate interest in operating a discoverable industry/topic directory (Art. 6 (1)(f) GDPR). You have the right at any time to object to the processing (Art. 21 GDPR) or to request deletion (Art. 17 GDPR): via the “Remove entry” function on the respective detail page or by email to . To prevent abuse, we send a confirmation link to the address provided; only after it is opened is the entry hidden and the domain blocked from future automatic imports.
6. Payment processing for paid plans
For paid listings (Bronze to Diamond) and one-time add-ons (AI optimization, llms.txt hosting, AI Signal Kit), we process payments via the payment provider Stripe. The provider is Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (“Stripe Europe”). When you book a paid plan, you are forwarded to Stripe’s secure checkout page and enter your payment details there directly.
In particular, the following data is processed:
- email address of the payer
- chosen plan and amount
- payment/card data (you enter these exclusively at Stripe — we do not receive them)
- payment confirmation, payment date and a transaction identifier
The legal basis is Art. 6 (1)(b) GDPR (contract performance). Stripe may also transfer data to Stripe, Inc. in the USA. For this transfer to a third country, Stripe relies on the European Commission’s standard contractual clauses and is certified under the EU-US Data Privacy Framework. Details on data processing by Stripe are in Stripe’s privacy policy at stripe.com/privacy.
Payment by bank transfer or PayPal remains possible by individual arrangement; with PayPal, data is then shared with PayPal (Europe) S.à r.l. et Cie, S.C.A.
Retention of invoice and payment data: 10 years pursuant to § 147 AO / § 257 HGB (German Fiscal Code / Commercial Code). Legal basis: Art. 6 (1)(b) GDPR (contract performance) and Art. 6 (1)(c) GDPR (statutory retention obligations).
7. Customer portal
For paid plans (Bronze–Diamond) we provide a password-protected customer portal at /portal/. The following is stored:
- username (email address)
- password (bcrypt-hashed value, no plain text)
- view statistics of your own listing page (page-view counter)
- session data (temporary, only for the duration of the session)
Passwords are stored exclusively as a non-reversible bcrypt hash. Plain-text passwords are not stored permanently anywhere. Legal basis: Art. 6 (1)(b) GDPR.
7.1 Monitoring account (Free/Pro/Premium/API) & API access
For the visibility monitoring (Free, Pro, Premium, API tiers) we maintain an account tied to your email address. Access is passwordless via a one-time link sent by email (magic link). We store: email address, chosen plan tier and billing period, the domains and competitor domains you add for monitoring, the last determined status per domain and — with Stripe payment — the Stripe customer/subscription identifier (no card data, see section 6).
If you book the Premium or API tier, you can generate a personal API key. The key itself is not stored in plain text, only as a non-reversible hash; it is shown to you in plain text once at creation. To enforce the monthly call quota we store anonymous usage counters per key (number of calls per month) and the time of last use. This data is processed solely for contract and abuse control (Art. 6 (1)(b) and (f) GDPR) and is deleted upon revocation of the key or termination of the account.
8. Hosting & infrastructure
This website is hosted by ALL-INKL.COM — Neue Medien Münnich:
ALL-INKL.COM — Neue Medien Münnich
Owner: René Münnich
Hauptstraße 68 · 02742 Friedersdorf, Germany
https://all-inkl.com
The servers are located in Germany (EU). A data processing agreement pursuant to Art. 28 GDPR exists with ALL-INKL.COM. Further information: all-inkl.com/datenschutzinformationen/
9. Cookies, analytics & tracking
Cookies
This website sets no tracking cookies and uses no third-party analytics tools (Google Analytics, Matomo or similar). Technically necessary session cookies are used exclusively for the customer portal and are limited to the session duration (session cookie, no expiry date). Consent is not required pursuant to § 25 (2) no. 2 TDDDG.
Own analytics system (server-side)
To improve our offering, we operate a self-hosted, privacy-friendly analytics system. The data is stored exclusively on our server and is not passed on to advertisers or third parties.
The following data is recorded per page view:
- IP address anonymized (last IPv4 octet set to 0, e.g. 192.168.1.0)
- date, time and weekday of the visit
- page visited
- source type (direct / search engine / social media / referral) and source domain (e.g. google.com) — no full referrer URL
- search term (where derivable from a publicly visible search query, e.g. Google search)
- UTM parameters (if contained in the URL visited, e.g. utm_source)
- device type (desktop / tablet / smartphone), browser, operating system
- browser language (from the Accept-Language header)
- country, region, city (via geolocation service, see below)
In addition, the following usage interactions are recorded anonymously via JavaScript:
- screen resolution (transmitted to our server, not stored locally)
- scroll depth (25 / 50 / 75 / 100 % of the page length)
- time spent on the page (in seconds, sent when leaving the page)
- clicks on external links (target domain, no full URL)
- clicks on directory entries, internal search terms, filters used
All analytics data is automatically deleted after 365 days. Attribution to individual persons is not possible due to IP anonymization. No cross-site tracking and no behavioral profiling takes place.
Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in the anonymized analysis and improvement of our web offering).
Geolocation via ip-api.com
To roughly determine country and region, only a shortened, anonymized IP address of the visitor (last octet set to 0, e.g. 93.184.216.0) is transmitted once per day to the service ip-api.com. The full IP address is not transmitted. The service returns information on country and region. The result is cached on our server for 24 hours, so that subsequent requests from the same IP do not trigger a new query. ip-api.com processes IP addresses only to answer the request and does not store them permanently. Further information: ip-api.com/docs/legal.
Legal basis for the transfer: Art. 6 (1)(f) GDPR (legitimate interest in anonymized location data for analyzing the web offering).
10. AI citation check & AI visibility analysis
On our tool pages (e.g. the “AI citation check”) and in Pro monitoring you can check whether and how a website is named or cited by AI systems. When you start such an analysis, we transmit the domain or query you entered directly to the official application programming interfaces (APIs) of the respective AI providers, which research the web and return the result to us:
- OpenAI (ChatGPT) — OpenAI, L.L.C., USA · privacy
- Perplexity — Perplexity AI, Inc., USA · privacy
- Google (Gemini) — Google Ireland Ltd. / Google LLC, USA · privacy
- Anthropic (Claude) — Anthropic, PBC, USA · privacy
Depending on the configuration, one or more of these interfaces is queried. We no longer use an intermediary service (proxy) for this. Processed are the domain/query you entered and — to limit abuse and cost — your IP address shortened to the last segment (anonymized). You generally do not enter third-party personal data here. The legal basis is Art. 6 (1)(f) GDPR (legitimate interest in providing the analysis function you expressly requested). Where processing takes place in the USA (third country), it is based on the European Commission’s standard contractual clauses pursuant to Art. 46 GDPR or — where certified — the EU-US Data Privacy Framework. Results are cached for a short time to avoid repeated queries.
11. GEO tips, newsletter & product updates by email
At various points — in particular on our tool pages — you can voluntarily sign up to receive tips on llms.txt/GEO and product updates by email. We use the double opt-in procedure: after you sign up, you first receive an email asking you to confirm the sign-up. Only after your confirmation do we send you further emails.
We process your email address and — to document consent — the time of sign-up/confirmation, your anonymized IP address and the source of the sign-up. The legal basis is your consent under Art. 6 (1)(a) GDPR. You can withdraw at any time via the unsubscribe link in every email or by message to ; we then remove your data from the distribution list. No transfer to third parties for advertising purposes takes place. Technical sending is carried out via our hosting/email provider (see section “Hosting & infrastructure”).
12. Automatic feature on X (Twitter) from the Gold tier
For customers from the Gold tier, we automatically feature their entry on our X profile (@llmstxtinfo) after successful activation. Information from the entry is published — in particular name/designation, category and short description and, if provided, the X handle you stored (as a mention). This information is already part of your public directory entry.
Publication takes place via the application programming interface (API) of the provider Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland (for users from the EEA), part of X Corp. based in the USA. A transfer to the USA (third country) may take place. The legal basis is Art. 6 (1)(b) GDPR (performance of the contract concluded with the booked tier). You may object to this automatic feature already at the time of listing (opt-out box in the listing form) or ask us at any time by email to to remove a post. Information on data processing by X: x.com/en/privacy.
13. Customer reviews (testimonials)
As a customer, you can voluntarily submit a review (testimonial). We process the star rating you provide, your review text and the name/company name you provide and — if given — your role/function.
After a brief editorial review (moderation), we publish approved reviews with the stated name/company name on our website (e.g. on the home page). The legal basis is your consent under Art. 6 (1)(a) GDPR, which you grant by submitting the review form. You can withdraw your consent at any time with effect for the future; we then remove the review from the website. A message to is sufficient.
14. Embedded Google search (website search)
In the directory we offer, alongside our own server-side entry search, an optional full-text search across the entire website (the “Whole site” tab). This is provided technically via the Google Programmable Search Engine (Google Custom Search).
This Google search is not loaded automatically. It is activated only when you select the “Whole site” tab and there expressly click “Enable Google search”. Only then is program code from Google loaded, and a data transfer to Google and the setting of cookies or access to information on your device may occur. As long as you do not actively consent, no connection to Google takes place.
Upon activation, in particular your search term, your IP address and technical information about your browser and device are transmitted to Google. Processing may also take place in the USA.
The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (possibly Google LLC, USA). Details on data processing by Google are in their privacy policy.
The legal basis is your consent (Art. 6 (1)(a) GDPR and § 25 (1) TDDDG for the storage of or access to information on your device), which you grant by clicking “Enable Google search”. Where processing takes place in the USA (third country), it is additionally based on the European Commission’s standard contractual clauses pursuant to Art. 46 GDPR or — where certified — the EU-US Data Privacy Framework.
Your consent is voluntary and not required to use our offering — the own directory search is available to you without Google at any time. You can withdraw a granted consent with effect for the future by deleting the consent stored in your browser (remove website data for llmstxt.info) and not using the Google search further.
15. Your rights
Under the GDPR you have the following rights:
- Access (Art. 15 GDPR) — which data we have stored about you
- Rectification (Art. 16 GDPR) — correction of inaccurate data
- Erasure (Art. 17 GDPR) — removal of your data
- Restriction (Art. 18 GDPR) — restriction of processing
- Data portability (Art. 20 GDPR) — your data in a machine-readable format
- Objection (Art. 21 GDPR) — against processing based on legitimate interests
To exercise your rights, contact:
Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority in North Rhine-Westphalia is the State Commissioner for Data Protection and Freedom of Information NRW (LDI NRW). A list of all German data protection authorities is available from the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
16. Changes to this policy
We reserve the right to adapt this privacy policy in the event of changes in the legal situation or the service. The current version is always available at https://llmstxt.info/datenschutz/.
As of: July 2026