Privacy Policy
Last updated: April 20, 2026
1. Our Approach
Sakyura (the "Service") respects your privacy and complies with Japan's Act on the Protection of Personal Information and other applicable laws. This policy describes how the Service handles user information.
2. Information We Collect
The Service may collect the following:
- Account information (email, display name, password hash)
- Basic profile (name, email) obtained via Google OAuth
- Brand information, prompts, and competitor lists you register
- AI search engine responses and citation URLs we measure on your behalf (ChatGPT, Perplexity, Gemini, Claude, Google AI Overviews)
- Aggregated data from your Google Analytics 4 property when you opt in to GA4 integration (see "GA4 Integration" below)
- AI crawler access logs (GPTBot / ClaudeBot / PerplexityBot, etc.) recorded via the optional Bot tracker you install on your site
- Billing information (Stripe customer ID, subscription state)
- Payment card details (stored by Stripe in a PCI-DSS compliant environment; not retained by the Service)
- Access logs (IP address, user-agent, timestamps)
- Session identifiers stored via cookies and local storage
3. Google Analytics 4 (GA4) Integration
If you choose to connect your Google Analytics 4 property to the Service, we obtain read-only OAuth access in order to compute and display, on your own dashboard, traffic from AI search engines such as ChatGPT, Claude, Perplexity, Gemini, Copilot, and Felo.
- Scope requested: https://www.googleapis.com/auth/analytics.readonly (read-only)
- Data we read: Aggregated metrics (sessions, users, conversions, landing pages) filtered by the `sessionSource` dimension, only for the GA4 property you select. We do not access individual user behaviour or personally identifiable information.
- How we use it: Solely to display the resulting report on your own dashboard.
- Disclosure to third parties: We never share GA4 data with any third party. We do not use it for AI model training, advertising, resale, or sharing with anyone other than yourself.
- Storage: We store only the OAuth refresh_token on our servers and use it to mint short-lived access_tokens on demand when querying the GA4 Data API. Fetched reports may be cached briefly for performance.
- Disconnection: You can disconnect the integration at any time from your Sakyura dashboard, and additionally revoke access from your Google Account's "Apps with access" page. Once disconnected, we promptly delete your refresh_token.
4. Purposes of Use
- Providing, maintaining, and improving the Service (GEO/AEO measurement dashboard, recommendations, reports)
- Authenticating accounts and preventing abuse
- Supporting users and sending notification emails
- Processing payments and billing
- Analyzing usage and conducting research to improve the Service
- Complying with applicable laws
5. Disclosure to Third Parties
The Service does not disclose personal information to third parties except:
- With the user's consent
- As required by law
- Where necessary to protect the life, body, or property of any person
- Where particularly necessary for improving public health or promoting the sound upbringing of children
- To subprocessors (listed below) to the extent necessary for their services
6. Subprocessors
The Service uses the following third-party services.
| Service | Purpose | Region |
|---|---|---|
| Supabase | Authentication, database, storage | Tokyo |
| Vercel | Hosting | Tokyo |
| OpenAI | Querying the ChatGPT engine for measurement | United States |
| Anthropic | Querying the Claude engine for measurement; generating improvement content | United States |
| Google (Gemini API) | Querying Gemini for measurement; AI Overview measurement via Search grounding | United States / Global |
| Perplexity | Querying Perplexity for measurement | United States |
| Serper.dev | Structured Google search results | United States |
| Google Analytics Data API | Fetching AI traffic reports when users opt in to GA4 integration | United States / Global |
| Stripe | Payment processing | United States / Japan |
| Resend | Email delivery (notifications, support) | United States |
| Cloudflare | DNS, email routing, CDN | Global |
Note: for subprocessors located outside Japan, we transfer personal data in accordance with Article 28 of Japan's Act on the Protection of Personal Information.
7. Retention
Personal information is retained for the period necessary to achieve the purposes of use, or as required by law. Upon account deletion, we delete personal information within 30 days as a rule (except where retention is required by law). The OAuth refresh_token used for GA4 integration is deleted immediately upon disconnection.
8. Your Rights
You may exercise the following rights with respect to your personal information held by the Service:
- Request disclosure, correction, addition, or deletion
- Request suspension or erasure of use
- Request suspension of disclosure to third parties
To make such a request, please contact us using the contact information below. We will verify your identity and respond in accordance with applicable law.
9. Cookies
The Service uses cookies and local storage for session management, preserving user preferences, and collecting usage statistics. You can disable cookies in your browser settings, but some features may not function properly as a result.
10. Security
The Service implements appropriate technical and organizational measures to prevent the leakage, loss, or damage of personal information. Communications are encrypted with TLS, and access to the database is protected by authentication and authorization controls. GA4 OAuth refresh_tokens are accessible only from the server side via Supabase Row Level Security.
11. Changes to This Policy
The Service may revise this policy without prior notice when laws or business circumstances change. Material changes will be announced on the Service.
12. Contact
For questions about this policy or about the handling of personal information, please contact us at: