Privacy Policy
Updated March 11, 2026
What we collect
When you create an account: your email address and a hashed password (we never see your password in plain text).
When you run a scan:
- The URL you scanned
- The QA report (score, check results, screenshots of the scanned site)
- Scan metadata (date, page count, check count)
We do not collect personal information about visitors to the sites you scan. Reports contain only publicly visible content.
Lawful basis
We process your data on the basis of contractual necessity (to provide the scanning service you signed up for) and legitimate interest (to prevent abuse and maintain service security).
How we use it
- To run scans and generate reports
- To show your scan history and dashboard
- To enforce plan limits and process payments
- To send transactional emails (verification, password reset)
We do not sell your data. No marketing emails unless you opt in.
Third-party services
- Supabase — database and authentication
- Google Gemini API — visual QA checks. Screenshots are sent to Google's API per their API Terms.
- Google PageSpeed Insights — performance audits
- LanguageTool — grammar and spelling checks
- Stripe — payment processing. We never see or store card numbers.
- Google Cloud Run — application hosting
- Cloudflare Turnstile — bot prevention during registration and anonymous scans. See Cloudflare privacy policy.
International transfers
Your data may be processed in the United States by our service providers (Supabase, Google Cloud, Stripe). These transfers are governed by Standard Contractual Clauses.
Cookies
Essential cookies only (authentication). No tracking, analytics, or advertising cookies. See our cookie policy.
Data retention
- Free tier: reports expire after 7 days
- Paid plans: reports retained for the duration of your subscription
- Account deletion: all data permanently deleted
Your rights
- Access your data via the dashboard
- Delete individual scans or your entire account
- Export reports as HTML or JSON
Security
HTTPS everywhere. Passwords hashed with bcrypt. API keys stored as SHA-256 hashes. Database connections encrypted.
Data breach notification
In the event of a data breach affecting your personal data, we will notify affected users within 72 hours as required by GDPR.
Contact
Privacy questions or data requests: privacy@sitevett.com