The short version:We collect what we need to run the Service, and nothing we don’t. We don’t sell your data. You can export or delete your account at any time.
1. Who we are
WebsiteAuditTools (the “Service”) is operated by us at hello@websiteaudittools.com. This policy explains what personal data we collect, why we collect it, and how we look after it. By using the Service you agree to this policy.
2. What we collect
Account information
When you create an account we collect your name, email address, and a securely-hashed password. If you sign in via Google or GitHub OAuth, we receive the basic profile fields those providers return (name, email, avatar URL).
Audit data
Every audit you run is stored against your account so you can view it later. We keep the URL you submitted, the report we generated (scores, findings, page metadata), and timestamps. Anonymous audits are tied only to the requesting IP address for rate-limiting and abuse prevention.
Crawled page content
Our crawler fetches publicly accessible pages at the URL you submit. We store derived signals from those pages — title tags, meta descriptions, headings, structured-data flags, response times — but we do not store the full HTML of those pages long-term.
Technical data
We log standard technical data on every request: IP address, browser user-agent, timestamps, and the API endpoints you hit. This data is used for debugging, abuse prevention, and aggregate usage analytics.
Cookies
We use one essential cookie: an HTTP-only session cookie set by our authentication provider so you stay signed in. We do not use advertising or cross-site tracking cookies. The marketing site uses a single small request to /api/auth-stateto swap the “Get started” button to “Dashboard” if you’re signed in — no cookies are read on the marketing site itself.
3. Why we collect it
- To run the Service: store your account, deliver audit reports, send transactional emails (account verification, security alerts).
- To improve the Service: aggregate, anonymized audit data helps us calibrate our scoring engine and prioritize new checks.
- To prevent abuse: rate-limit anonymous audits, detect credential-stuffing attacks, block automated scraping of our backend.
- To meet legal obligations: respond to lawful requests from authorities, handle disputes, enforce our Terms of Service.
We do not use your data to:
- Sell or rent it to third parties for marketing.
- Train large language models without your explicit consent.
- Build advertising profiles or share it with ad networks.
4. Who we share it with
We share data only with the small set of service providers we need to operate the Service:
- Supabase — managed PostgreSQL database where account and audit data is stored.
- Upstash — managed Redis used for the audit job queue and rate limits.
- Google and GitHub — OAuth identity providers if you choose to sign in via them.
- Google PageSpeed Insights API— when an audit includes performance metrics, we forward the URL you submitted (no personal data) to Google’s public API.
- DeepSeek — used to generate AI-prioritized fix suggestions for paid plans. We send the audit findings and the URL, not your personal data.
Each provider is bound by their own data-processing terms. We do not sell, rent, or trade personal data with any party for marketing or advertising.
5. How long we keep it
- Account data— kept while your account is active. Deleted within 30 days of account deletion.
- Audit reports— kept while your account is active so you can revisit them. Anonymous audits are deleted on a rolling basis (typically within 30 days).
- Technical logs— kept for up to 90 days for security and debugging.
- Aggregate / anonymized data— may be retained indefinitely since it can’t be linked back to you.
6. Your rights
You can at any time:
- Access your data — your dashboard shows everything we hold on you. Email us for a machine-readable export if you want one.
- Correct your data — update your name and email from your account settings.
- Delete your account— from your account settings, or by emailing us. We’ll confirm deletion within 30 days.
- Object or restrict processing— if you’re in the EU/UK and want us to stop a specific type of processing, email us.
- Lodge a complaint— with your local data-protection authority, if you believe we’ve mishandled your data.
For any of the above, email hello@websiteaudittools.com and we’ll respond within 30 days.
7. Security
We protect your data with industry-standard measures:
- HTTPS/TLS for all traffic to and from the Service.
- Passwords are hashed with bcrypt before being stored — we never see or store your raw password.
- Sessions are stored in PostgreSQL behind an HTTP-only,
Securecookie, not in browser-readable storage. - Database and queue providers offer encryption at rest.
- Production secrets are stored only in our deploy platform, never in source control.
No system is perfectly secure. If we ever experience a breach affecting your data, we’ll notify you and the relevant authorities within 72 hours of becoming aware of it, in line with the GDPR standard.
8. International transfers
Our database and queue providers operate data centers in multiple regions. Your data may be processed in regions outside your home country. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for transfers out of the EEA/UK.
9. Children
The Service is not directed to children under 13 (or the age of digital consent in your country, whichever is higher). We don’t knowingly collect data from children. If you believe a child has signed up, email us and we’ll delete the account.
10. Changes to this policy
We may update this policy as the Service evolves. The “Last updated” date at the top reflects the most recent change. For material changes (new data categories, new third parties) we’ll email you and post an in-app notice before the change takes effect.
11. Contact
Email hello@websiteaudittools.com for anything privacy-related — data access, deletion, complaints, questions about specific processing.
This policy is intended to be a practical, plain-English explanation of what we do. It is not a substitute for legal advice. If you operate in a highly regulated industry (healthcare, finance) and need a custom data-processing addendum, contact us and we’ll work through one.