Privacy Policy
Last updated: 19 May 2026 · Version 1.1
This policy applies to all users globally, including residents of the European Union, United Kingdom, United States (California), and India. Jurisdiction-specific rights are listed in Section 7.
1. Who we are
SiteScanFix (“we”, “us”, “our”) is a website auditing service operated by Manoj, registered in India.
For users in the European Union and European Economic Area, we act as the Data Controller under the General Data Protection Regulation (GDPR) 2016/679.
For users in the United Kingdom, we act as the Data Controller under the UK GDPR and Data Protection Act 2018.
For users in India, we are the Data Fiduciary under the Digital Personal Data Protection Act 2023 (“DPDP Act”).
Contact: support@sitescanfix.com
2. Data we collect
- Account data: Email address, hashed password or OAuth provider identifier (Google), account creation date and IP address at registration.
- Scan data: URLs you submit for scanning, raw scanner output, computed scores, AI-generated summaries, and PDF reports. Stored for 90 days then automatically and permanently deleted.
- Consent records: Timestamp and IP address of each scan consent and data-processing consent. Retained for 1 year in an append-only audit log for legal compliance.
- Payment data: Subscription plan and status, Razorpay subscription ID, billing timestamps. Card numbers, CVVs, and bank details are processed exclusively by Razorpay — we never store them.
- Usage data: Number of scans consumed, quota limits, scan timestamps. No page-level analytics, heatmaps, session recordings, or tracking pixels are used.
- Log data: Server-side request logs (IP address, user agent, HTTP status, timestamp) retained for 30 days for security monitoring and abuse prevention.
We do not collect: precise geolocation, biometric data, racial or ethnic origin, political opinions, health data, or any special-category data under GDPR Article 9.
3. Lawful basis for processing (GDPR / UK GDPR)
For EU and UK users, we rely on the following lawful bases:
| Processing activity | Lawful basis |
|---|---|
| Running your scan and delivering the report | Performance of a contract (Art. 6(1)(b)) |
| Sending the PDF report by email | Performance of a contract (Art. 6(1)(b)) |
| Storing consent records | Legal obligation (Art. 6(1)(c)) + Legitimate interests (Art. 6(1)(f)) |
| Processing subscription payments | Performance of a contract (Art. 6(1)(b)) |
| Security monitoring and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Complying with data retention obligations | Legal obligation (Art. 6(1)(c)) |
For India (DPDP Act): processing is based on your explicit consent given via the two consent checkboxes before each scan, and on our legitimate use for service delivery and legal compliance.
4. How we use your data
- Providing the website audit service and generating reports.
- Sending you the scan PDF report by email (via Resend).
- Enforcing scan quotas and managing your subscription (via Razorpay).
- Security monitoring, rate limiting, and abuse prevention.
- Complying with legal obligations across applicable jurisdictions.
We do not sell, rent, share, or license your personal data to third parties for marketing, advertising, or profiling purposes. We do not use your data to train AI models.
5. Third-party processors
We share data with the following sub-processors under Data Processing Agreements (DPAs) or equivalent contractual safeguards. Each processor receives only the minimum data required to perform their function.
| Processor | Location | Purpose | Data shared |
|---|---|---|---|
| Supabase | US / EU (configurable) | Database, Auth & Storage | Email, scan data, consent records |
| Railway | US | Backend hosting | Processed in-memory, not persisted |
| Vercel | Global CDN | Frontend hosting & CDN | IP address (edge logs, 30 days) |
| Google — PageSpeed Insights | US | Performance scoring | Scanned URL only |
| Google — Gemini AI | US | AI summary generation | Scan results (no personal data) |
| Razorpay | India | Payment processing | Email, subscription events |
| Resend | US | Transactional email | Email address, PDF download link |
| Sentry | US | Error monitoring | Stack traces (no user PII) |
6. International data transfers
Our processors are located primarily in the United States and India. When personal data from the EU/EEA or UK is transferred outside those regions, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (for EU transfers) and UK International Data Transfer Agreements (IDTAs) (for UK transfers), incorporated into our agreements with US-based processors.
- Adequacy decisions where available (e.g., EU-US Data Privacy Framework for participating US entities).
You may request a copy of the relevant transfer safeguards by emailing support@sitescanfix.com.
7. Your rights
Depending on where you reside, different rights apply. To exercise any right, email support@sitescanfix.com with the subject line “Data Rights Request — [your right]”. We respond within 30 days (EU/UK: within 1 month; CCPA: 45 days).
EU / EEA and UK residents (GDPR & UK GDPR)
- Access (Art. 15): Obtain a copy of the personal data we hold about you.
- Rectification (Art. 16): Correct inaccurate or incomplete data.
- Erasure (Art. 17): Delete your account and all associated data. Use the dashboard or contact us — processed immediately.
- Portability (Art. 20): Receive your scan data in a structured, machine-readable format.
- Restriction (Art. 18): Restrict processing of your data in certain circumstances.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Lodge a complaint: EU residents may complain to their national Data Protection Authority (DPA). UK residents may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
California residents (CCPA / CPRA)
- Right to know: Request the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to delete: Request deletion of personal information we have collected about you, subject to certain exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale / sharing: We do not sell or share your personal information for cross-context behavioural advertising. No opt-out is required.
- Right to non-discrimination: We will not discriminate against you for exercising any CCPA right.
- Authorised agents may submit requests on your behalf with written authorisation.
India residents (DPDP Act 2023)
- Access: Request a summary of personal data held and processing activities.
- Correction & erasure: Request correction or deletion of your data. Processed via the dashboard or by contacting the Grievance Officer.
- Grievance redressal: Lodge a complaint with our Grievance Officer (Section 12). Unresolved grievances may be escalated to the Data Protection Board of India once operational.
- Nomination: Nominate another individual to exercise your rights in the event of your death or incapacity.
8. Data retention
| Data type | Retention period |
|---|---|
| Scan results, AI summaries & PDF reports | Deleted automatically 90 days after scan date |
| Account data (email, profile) | Retained until account is deleted |
| Consent & audit log | 1 year (append-only; cannot be modified) |
| Payment records (Razorpay) | As required by applicable tax and financial law (typically 7 years) |
| Server request logs | Deleted after 30 days |
| Vercel edge logs | 30 days (managed by Vercel) |
9. Cookies
We use only session cookies strictly necessary for authentication, managed by Supabase Auth. These cookies are set only after you sign in and are deleted when your session ends or you sign out.
We do not use advertising cookies, analytics cookies, third-party tracking cookies, browser fingerprinting, or any technology designed to track you across sites. No cookie consent banner is required under ePrivacy Directive rules for strictly necessary cookies.
10. Security
- All data is transmitted over TLS 1.2 or higher.
- Database access is governed by Row-Level Security (RLS) policies — users can only access their own data.
- Passwords are hashed using bcrypt via Supabase Auth.
- API keys and secrets are stored as environment variables; never in source code.
- All outbound HTTP requests from our backend pass through an SSRF validator before execution.
- Scan quota enforcement uses atomic SQL to prevent race conditions.
11. Children's privacy
This Service is not directed at children under the age of 13 (or 16 in the EU where a Member State has set that threshold). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at support@sitescanfix.com and we will delete it promptly.
12. Grievance Officer (India DPDP Act)
In accordance with the DPDP Act 2023, we have appointed a Grievance Officer. We acknowledge complaints within 48 hours and resolve them within 30 days.
Grievance Officer: Manoj (Founder, SiteScanFix)
Email: support@sitescanfix.com
Response SLA: 30 days from receipt
Escalation: Unresolved complaints may be referred to the Data Protection Board of India once the Board is constituted.
13. Changes to this policy
We will notify registered users by email of any material changes at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact & Data Protection enquiries
For any privacy question, data rights request, or concern about our data practices, contact us at support@sitescanfix.com with the subject line “Privacy Enquiry”.
EU/EEA residents who are not satisfied with our response may contact their local supervisory authority. A list of EU DPAs is available at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.