Privacy Policy

Effective Date: October 2026

Executive Summary

  • SitePrivacyScore provides automated compliance auditing tools. We do not sell or monetize personal data or scan intelligence.
  • You retain ownership of all PII processed by our platform.
  • We act as a strict Data Processor utilizing verified Sub-processors for essential infrastructure operation.

01. Scope of Policy

This Privacy Policy explains how SitePrivacyScore ("we," "us," or "our") collects, uses, discloses, and protects information in connection with our website, compliance scanning tools, application programming interfaces (APIs), and related services (collectively, the "Services"). This Policy applies to all users (collectively, "Users," "you," or "your") accessing our Services.

02. Data We Collect

We collect information you directly provide to us, and information automatically collected through your use of the Services:

  • Account Information: Name, email address, and authentication credentials necessary to establish and maintain an account.
  • Operational Data: Target domain URLs submitted for scanning, generated health scores, and metadata regarding tracking scripts identified during the audit execution.
  • Financial Information: We utilize secure global payment gateways for transaction processing. SitePrivacyScore does not directly collect or store full credit card numbers or raw banking authorization hashes.
  • Technical Telemetry: IP addresses, browser types, and standard HTTP request headers necessary for security monitoring and abuse prevention.

03. Browser Extension Data Sharing

When you use the SitePrivacyScore browser extension, scan data remains local to your browser extension until you explicitly request that a result be opened or verified on SitePrivacyScore.

  • User-initiated only: The extension sends scan results to SitePrivacyScore only when you choose to open a scan result or deep scan report on our website.
  • Scan reference first: The website receives a scan identifier and target URL, then requests the stored result directly from your installed extension. We do not trust URL parameters as the final source of report data.
  • Data categories shared: The shared payload may include the scanned URL, detected trackers, cookie findings, security and compliance findings, counts of observed requests and cookies, and the scan timestamp.
  • No silent browsing export: The extension does not continuously transmit your browsing history to SitePrivacyScore. Only the scan result you choose to open is made available to our website for report generation and display.

05. How We Use Data

We act strictly as a Data Processor when executing compliance scans. Data collected is utilized for the following restricted purposes:

  • To provision, operate, and maintain the Services.
  • To authenticate Users and enforce Row-Level Security authorizations.
  • To generate requested Compliance PDFs and dashboard visualizations.
  • To investigate and prevent fraudulent transactions, unauthorized access, and other illegal activities.

06. Sub-Processors

To deliver robust infrastructure, we engage third-party service providers ("Sub-processors") who are strictly bound by Data Processing Agreements (DPAs). Current Sub-processors include:

  • Supabase: Core database infrastructure and cryptographic authentication (SOC2 Compliant).
  • Cloudflare: Edge hosting, DNS management, and Web Application Firewall (WAF) execution.
  • Payment Gateways: PCI-DSS compliant financial transaction and processing facilitation.
  • Resend: Transactional communications routing.

07. Data Retention

We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a requested service or to comply with applicable legal, tax, or accounting requirements). Operating reports and scan outputs are stored until explicitly deleted by the Data Controller or until the termination of the User agreement.

08. International Data Transfers

Information collected via the Services may be stored and processed in the United States or any other country in which we or our Sub-processors maintain facilities. If we transfer personal data originating from the European Economic Area (EEA), the UK, or Switzerland to countries lacking an adequacy decision, we deploy appropriate safeguards, including the execution of Standard Contractual Clauses (SCCs).

09. Security Measures

We implement technical and organizational measures designed to secure your information from accidental loss and from unauthorized access, use, alteration, and disclosure. This includes encryption in transit (TLS 1.2+), encryption at rest in our storage layers, and rigorous access control logging. However, no internet-based platform can guarantee absolute security.

10. Your Rights

Depending on your jurisdiction, you may have specific statutory rights:

GDPR (European Union) & UK GDPR

  • Right to Access, Rectification, or Erasure of personal data.
  • Right to Restrict or Object to processing.
  • Right to Data Portability.
  • Right to withdraw consent at any time.

CCPA / CPRA (California)

  • Right to know what personal information is collected, disclosed, or sold.
  • Right to request deletion of personal information.
  • Right to opt out of the "sale" or "sharing" of personal information (Note: SitePrivacyScore does not sell or share personal information for cross-context behavioral advertising).
  • Right to non-discrimination for exercising these rights.

As a privacy-focused platform, we inherently respect the Global Privacy Control (GPC) HTTP header. We automatically suppress any non-essential telemetry across our domains upon receiving a Sec-GPC: 1 signal.

11. Use of Artificial Intelligence Systems

SitePrivacyScore prioritizes deterministic heuristics and static analysis engines to assess domain compliance. Where generative or programmatic systems are utilized specifically for structuring documentation (e.g., generating PDF Executive Summaries), we maintain strict data compartmentalization architectures. We contractually ensure that no User scan data, domain vulnerabilities, or operational analytics submitted to the platform are utilized to train public, localized, or foundational Large Language Models (LLMs).

12. Children's Privacy

Our Services are explicitly designed for B2B enterprise utilization and are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that an individual under 16 has furnished us with personal data without verifiable parental consent, we will execute immediate erasure protocols.

13. Contact Information

For questions, concerns, or to execute statutory Data Subject Access Requests (DSARs) regarding this Privacy Policy, please contact our designated Privacy Coordinator:

SitePrivacyScore Inc.
Legal & Compliance Department
Email: privacy@siteprivacyscore.com