Information we collect
We collect three kinds of information: what you provide directly, what's generated as you use the service, and limited technical data your browser sends.
Account information
- Email address and a bcrypt-hashed password when you register.
- Full name and (optional) job title, if you provide them during sign-up.
- Billing details processed by our payment provider — we never see or store full card numbers.
Usage data
- Brand names, domains and industries submitted for auditing.
- Audit results, citation maps and recommendation history.
- Feature interactions (which screens you visit, which buttons you click) — used only to improve the product.
Technical data
- IP address, browser type, operating system, device type.
- Session tokens for keeping you signed in.
- Error logs and performance diagnostics — never including the content of your audits.
How we use information
Every piece of data we hold has a purpose. If we want to use it for something new, we'll ask first.
| What | Why |
|---|---|
| Account info | Provide and operate the service · authenticate sign-ins · handle billing |
| Usage data | Process audit requests · personalise recommendations · track score history |
| Technical data | Keep you signed in · prevent fraud and abuse · diagnose bugs · comply with legal obligations |
| Aggregate & anonymous | Improve product features · publish industry-level visibility benchmarks |
We do not sell your personal data to anyone, for any purpose. We do not use your audit data to train AI models — neither ours nor anyone else's.
Cookies & tracking
We use the minimum cookies needed to run the service. There's no third-party advertising network on Web Auditor.
Essential cookies
Required for the service to function — they store your session token and CSRF token. These cannot be disabled because the product won't work without them.
Analytics cookies
Help us understand which features get used so we can ship better ones. We use a self-hosted, privacy-friendly analytics setup — no Google Analytics, no Facebook pixel, no cross-site identifiers. Analytics cookies are only set if you accept them via the banner.
You can withdraw consent any time from Settings · Privacy, or by clearing your browser cookies.
Data sharing & third parties
We share data only with sub-processors that help us operate the service, and only as much as they need to do their job.
| Sub-processor | What we share | Why |
|---|---|---|
| AI providers (OpenAI, Google, Anthropic) | Brand context only — never account credentials. | To run audit queries. |
| PayHere | Billing details (handled by PayHere directly). | To process subscription payments. |
| Hosting (AWS / Cloudflare) | All operational data, encrypted at rest. | Infrastructure and CDN. |
| Customer support | Email correspondence with our team. | To respond to your support requests. |
Every sub-processor is bound by a Data Processing Agreement that restricts how they may use your data. We notify customers 30 days before adding any new sub-processor.
We may also disclose information if required by law, court order, or to protect the rights and safety of users — and we'll let you know unless legally prohibited.
Data retention
We keep your data for as long as your account is active, plus a short grace period in case you come back.
| What | How long |
|---|---|
| Account profile | Until you delete your account, then 30 days. |
| Audit results | 12 months from creation (extended on Pro plans). |
| Billing records | 7 years (tax law). |
| Error logs | 90 days. |
| Session tokens | 30 days, or until you sign out. |
You can delete individual audits from your dashboard anytime — they're removed from active storage within 24 hours and from backups within 30 days.
Data security
We follow industry-standard security practices and document them publicly.
- Encryption in transit — TLS 1.3 for all client connections.
- Encryption at rest — AES-256 for databases and backups.
- Bcrypt password hashing — we never store plaintext passwords.
- Role-based access — your data is accessible only to you and a small on-call engineering team for support escalations.
- Regular reviews — annual external pen-test, quarterly dependency audit, weekly automated security scans.
- Sub-processor diligence — every vendor reviewed for SOC 2 / ISO 27001 compliance before onboarding.
Your rights
Depending on where you live, you may have any or all of these rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate information.
- Erasure — request deletion of your account and associated data.
- Portability — request your data in a machine-readable JSON format.
- Object — object to processing for direct marketing (we don't do this, but the right exists).
- Restrict — ask us to stop processing while a dispute is being resolved.
- Withdraw consent — at any time, for any optional processing.
The fastest path: Settings · Privacy from your dashboard. Most rights are self-serve. For anything that's not, email privacy@webauditor.ai and we'll respond within 30 days.
International transfers
Web Auditor is operated from the United States. If you're in the EU, UK, Sri Lanka or elsewhere outside the US, your data will be transferred to and processed in the US.
We rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum for these transfers, plus additional safeguards: encryption in transit and at rest, restricted access, and contractual obligations with all sub-processors.
Children's privacy
Web Auditor isn't built for children. We don't knowingly collect personal data from anyone under 16. If you believe we have collected data from a child, please contact us at privacy@webauditor.ai and we'll delete it immediately.
Changes to this policy
We may update this policy from time to time as the product evolves. For material changes (anything that affects how we use your data), we'll give 14 days' notice via email and an in-app banner before the change takes effect.
Continued use of the service after the effective date constitutes acceptance of the updated policy. If you disagree, you can export your data and close your account before the change takes effect — no questions asked.
Contact us
Questions, complaints, or rights requests:
- Email · privacy@webauditor.ai
- DPO · dpo@webauditor.ai
- Mail · Web Auditor, Inc., 1 Hacker Way, San Francisco, CA 94301, USA