Privacy Policy
This policy explains what personal data check your website! collects, why we collect it, where it is stored, how long it is kept, and the rights you have. It is written with an EU and GDPR-first posture.
1. Overview
check your website! is a website audit product. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our public pages, create an account, submit a website for audit, or use the service.
Depending on where you live, you may have additional rights under local law.
2. Controller
Filip Kustec is the current controller for personal data processed through the service, unless another written agreement says otherwise. Until the operating company is incorporated, the service is operated by Filip Kustec as an individual founder. After incorporation, the operation of check your website! may be transferred to the new legal entity and these policies will be updated.
You can reach us about privacy at privacy@check-your-website.com.
3. Personal data we collect
We may collect:
- account data, such as name, email address, authentication provider details, and account identifiers;
- website audit data, such as submitted URLs, page metadata, crawl results, audit findings, screenshots or page-derived evidence if enabled, and run history;
- usage data, such as pages viewed, actions taken, device information, browser information, approximate location from IP address, referrer, and timestamps;
- support and feedback data, such as messages, ratings, issue reports, and survey responses;
- billing data if paid features are offered, such as plan, payment status, invoices, billing contact details, and payment processor references;
- technical and security data, such as IP address, logs, error reports, authentication events, rate-limit events, and abuse-prevention signals;
- cookie and similar storage data as described in the Cookie Policy at /cookies.
4. How we use personal data
We use personal data to:
- create and manage accounts;
- authenticate users and protect sessions;
- run website audits and show audit results;
- use AI-assisted systems to classify public page content, generate diagnostic explanations, and draft recommendations;
- save submitted sites, dashboards, history, and preferences;
- provide support and respond to messages;
- improve product quality, reliability, and usability;
- monitor security, prevent abuse, and investigate incidents;
- measure product usage and public-page performance;
- send service messages, such as verification, security, billing, or product notices;
- comply with legal, tax, accounting, and regulatory duties.
5. Legal bases under the GDPR
We process personal data under these legal bases where they apply:
- contract, when processing is needed to create your account, provide the service, run audits, and manage paid features;
- legitimate interests, when processing is needed to secure, maintain, debug, improve, and understand the service, provided those interests are not overridden by your rights;
- consent, when required for optional analytics, marketing, or non-essential cookies;
- legal obligation, when processing is needed for tax, accounting, law enforcement, regulatory, or compliance duties;
- vital interests or public interest only if a rare situation requires it and the law allows it.
6. Website audit data
You should only submit websites that you own, manage, or are authorized to audit.
Website audit data may include page content, metadata, technical signals, links, robots and sitemap evidence, performance data, and generated recommendations. If the submitted website contains personal data, that data may be processed as part of the audit.
You are responsible for making sure that you have the right to submit the website for analysis.
7. Cookies and similar storage
We use cookies and similar browser storage for essential service functions, preferences, authentication support, analytics, and product reliability. See the Cookie Policy at /cookies for more detail.
8. Sharing personal data
We may share personal data with:
- hosting and infrastructure providers;
- authentication providers;
- analytics and product measurement providers;
- error monitoring and observability providers;
- AI inference and website analysis providers;
- crawler, scraping, and page performance providers;
- email and communication providers;
- payment processors if paid features are offered;
- professional advisers, such as lawyers, accountants, and auditors;
- public authorities or other parties when required by law or needed to protect rights, safety, security, or legal claims.
We do not sell personal data.
9. Current service providers
Based on the current production architecture, the service uses these provider categories to operate check your website!:
- Vercel for frontend hosting and edge runtime.
- Railway for backend hosting and background worker runtime.
- PlanetScale Postgres for the production application database.
- Upstash Redis for queues, rate limiting, cache coordination, and worker coordination.
- Clerk for authentication, account sessions, email verification, Google sign-in, and session-abuse protections used by the auth flow.
- Sentry for error monitoring, reliability telemetry, tracing, and masked replay-on-error diagnostics.
- PostHog for optional product analytics after analytics consent.
- OpenRouter and selected AI model providers for AI inference used to generate audit explanations and recommendations.
- Firecrawl for crawler/scraping fallback where public website access requires it.
- Google PageSpeed Insights for page performance measurements.
- Configured SMTP/email providers for operational email notifications, if enabled.
- The internal campaign-results service for campaign result handoff, if enabled.
Provider availability can change as the service evolves. When a provider materially changes how personal data is processed, we update this policy or the relevant data processing documentation.
10. AI-assisted processing
The service uses AI to analyze submitted public website content and technical audit evidence, then generate diagnostic explanations, issue summaries, and suggested fixes. AI outputs are assistive and may be incomplete or incorrect. The service does not automatically change your website or make binding decisions about you.
Submitted URLs, bounded page text, technical signals, and audit evidence may be sent to AI and website analysis providers when needed to deliver the audit. Do not submit websites that you are not authorized to audit, and do not intentionally submit pages containing special-category personal data.
11. International transfers
Some providers may process data outside your country or outside the European Economic Area. When required, we use appropriate safeguards such as adequacy decisions, standard contractual clauses, provider data processing terms, or other lawful transfer mechanisms.
12. Retention
We keep personal data only as long as needed for the purposes described in this policy, unless a longer period is required by law.
Typical retention depends on the data type:
- account data is kept while the account is active and then deleted through the account deletion flow, subject to legal retention duties and provider retention limits;
- audit history is kept while needed to provide dashboards, history, support, and account records, and website-level audit data is deleted when you delete a website from the service;
- security logs are kept for a limited period needed to detect abuse and investigate incidents;
- billing and tax records are kept as required by law;
- analytics data is kept according to provider settings and product needs.
Anonymous public trial links are short-lived, and onboarding resume sessions are time-limited. Some third-party providers may retain operational logs under their own data processing terms.
13. Security
We use technical and organizational measures designed to protect personal data. These may include access controls, encryption in transit, authentication controls, logging, monitoring, rate limiting, and separation of user-owned data.
No system is perfectly secure. You are responsible for using a secure email account, protecting your login method, and telling us about suspected unauthorized access.
14. Your rights
Depending on your location and the legal basis for processing, you may have the right to:
- access your personal data;
- correct inaccurate personal data;
- delete personal data;
- restrict processing;
- object to processing;
- receive a portable copy of your data;
- withdraw consent where processing is based on consent;
- complain to a data protection authority.
You can exercise rights by contacting us at privacy@check-your-website.com. We may need to verify your identity before responding.
15. Children
check your website! is not intended for children. Do not use the service if you are under the age required to create an online service account in your country.
16. Changes to this policy
We may update this Privacy Policy when the service, the law, or our data practices change. The updated date shows when the latest version took effect.
17. Contact
For privacy questions or to exercise your rights, contact us at privacy@check-your-website.com. We may need to verify your identity before responding.