Data controller
SiteVett is operated by its founder. For privacy enquiries, contact privacy@sitevett.com.
What we collect
When you create an account: your email address and a hashed password (we never see your password in plain text). When you run a scan:
- The URL you scanned
- The QA report (score, check results, screenshots of the scanned site)
- Scan metadata (date, page count, check count)
We also temporarily process your IP address for rate limiting and abuse prevention (records automatically deleted after 5 minutes).
Data from scanned websites
When scanning a website, SiteVett crawls publicly accessible pages and collects:
- Page HTML content (sent to LanguageTool for grammar checking)
- Screenshots of each page (sent to Google Gemini for AI visual analysis)
- Page URLs (sent to Google PageSpeed Insights for performance audits)
SiteVett only scans publicly accessible pages and does not authenticate to target websites. Reports may contain content visible on the scanned website. Screenshots are retained as part of the scan report (free tier: 7 days; paid: duration of subscription).
Lawful basis
We process your data on the basis of contractual necessity (to provide the scanning service you signed up for) and legitimate interest (to prevent abuse and maintain service security).
How we use it
- To run scans and generate reports
- To show your scan history and dashboard
- To enforce plan limits and process payments
- To send transactional emails (verification, password reset)
We do not sell your data. No marketing emails unless you opt in.
Third-party services
- Supabase — database and authentication
- Google Gemini API — visual QA checks. Screenshots are sent to Google's API per their API Terms.
- Google PageSpeed Insights — performance audits
- LanguageTool — grammar and spelling checks
- Stripe — payment processing. We never see or store card numbers.
- Google Cloud Run — application hosting
- Cloudflare Turnstile — bot prevention during registration and anonymous scans. See the Cloudflare privacy policy.
International transfers
Your data may be processed in the United States by our service providers (Supabase, Google Cloud, Stripe). These transfers are governed by Standard Contractual Clauses.
Cookies
Essential cookies only (authentication). No tracking, analytics, or advertising cookies. See our cookie policy.
Data retention
- Free tier: reports expire after 7 days
- Paid plans: reports retained for the duration of your subscription
- Single scan purchases: reports are permanent. Your email address (collected by Stripe at checkout) is automatically deleted from our systems after 30 days.
- Account deletion: all application data permanently deleted. Financial transaction records may be retained by our payment processor (Stripe) as required by applicable financial regulations.
Anonymous scans
When you purchase a single scan report without creating an account, we collect:
- Email address (from Stripe checkout) — used to deliver your report. Automatically deleted from our systems after 30 days.
- Scan URL — the website address you submitted for scanning.
- Report data — the scan results, stored permanently.
Lawful basis: contract performance (delivering the report you purchased). To request deletion of your report and data, contact hello@sitevett.com.
Your rights
Under applicable data protection law, you have the right to:
- Access your data via the dashboard
- Delete individual scans or your entire account (Account → Delete Account)
- Export reports as HTML or JSON
- Restrict processing of your data in certain circumstances
- Object to processing based on legitimate interest
- Lodge a complaint with a supervisory authority, in particular in the EU/UK Member State of your habitual residence, place of work, or place of the alleged infringement
To exercise any of these rights, email privacy@sitevett.com.
Children
SiteVett is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children under 16.
Security
HTTPS everywhere. Passwords hashed with bcrypt. API keys stored as SHA-256 hashes. Database connections encrypted.
Data breach notification
In the event of a data breach affecting your personal data, we will notify affected users within 72 hours as required by GDPR.
