SiteRoast

Privacy Policy

Last updated: 11 June 2026

1. Who we are

SiteRoast (“we”, “us”, “our”) provides an online service that analyses websites you submit and generates conversion-focused audit reports using automated and AI-assisted processing. The service is operated from India and may be used by individuals and businesses worldwide.

SiteRoast is currently hosted on Railway-managed infrastructure. We may change hosting providers or domains as the service evolves; material privacy obligations remain governed by this policy.

For privacy questions, contact us at [email protected].

2. Scope

This Privacy Policy explains how we collect, use, store, and share personal data when you use our website, applications, and related services (together, the “Service”). It is intended to meet common transparency expectations, including concepts similar to those under the EU/UK General Data Protection Regulation (“GDPR”) where they apply to you. It does not limit any rights you may have under applicable local law.

3. Data we collect

We may process the following categories of information:

  • Website URLs and extracted content. When you submit a URL, we fetch and process publicly available page data (for example HTML, text, metadata, and screenshots where our pipeline captures them) to produce audits. We do not control third-party sites and only process what you ask us to analyse.
  • Account and authentication data. If you create an account or sign in (for example via email/password or a third-party identity provider), we process identifiers such as your user ID, email address, display name, and authentication tokens as needed to run the Service.
  • Usage and technical data. Such as IP address, device and browser type, approximate location derived from IP, pages viewed, timestamps, diagnostics, and security logs. This helps us operate, secure, and improve the Service.
  • Billing-related data. When you pay via Dodo Payments (or another processor we use), they process payment details; we typically receive limited billing metadata (for example transaction IDs, plan, credits purchased, and payment status), not your full card or bank details.
  • Locally stored reports.To improve performance and offline access, the app may save roast summaries, report payloads, and history indexes in your browser's local storage. This data stays on your device unless you sync or export it; clearing site data removes it from that browser.
  • Communications. If you email us or use in-product support, we keep the content of those messages as needed to respond.
  • Agency delivery data. If you use Agency Pack features (white-label exports, client share links, or email delivery), we process client email addresses you provide, delivery timestamps, share tokens, audited URLs, and fulfillment metadata in our agency_fulfillment ledger to operate the Service, prevent abuse, and improve product quality. You are responsible for having a lawful basis to share client contact details with us.
  • Public share links. When you create a share link, anyone with the link may view the report until it expires or is revoked. Each link uses a long random token (192-bit) that is not guessable; treat share URLs like passwords and only send them to intended recipients. Links may hide the domain name when you enable anonymization. Export/download on shared views is controlled by your link settings.

4. How we use data and AI

We use the information above to provide the Service—primarily to generate audits, scores, and reports based on the URLs and data you submit. Processing may include automated analysis and AI-assisted steps (for example language models or other ML services) that interpret extracted site content and produce recommendations.

We also use data to:

  • Authenticate users, enforce limits, and prevent abuse or fraud;
  • Maintain security, debug issues, and improve reliability and performance;
  • Comply with law, respond to lawful requests, and protect our rights;
  • Send service-related notices (and, where permitted, product updates you can opt out of).

Outputs are informational and do not constitute professional legal, financial, or guaranteed business advice. See our Terms for limitations.

5. Legal bases (GDPR-style)

Where GDPR or similar rules apply, we rely on one or more of the following:

  • Contract — processing necessary to provide the Service you request.
  • Legitimate interests — for example securing the Service, improving features, and limited analytics, balanced against your rights.
  • Consent — where we ask for it (for example non-essential cookies or certain marketing), you may withdraw consent at any time without affecting prior lawful processing.
  • Legal obligation — where the law requires us to process or retain data.

6. Third-party services

We use trusted service providers who process data on our behalf under appropriate agreements. Non-exhaustive examples:

  • Google Firebase (or similar) for authentication, hosting, databases, and related infrastructure;
  • Dodo Payments (or other payment processors) for payments and order handling;
  • AI and infrastructure providers that power model inference and content processing;
  • Resend (or similar) for client report email delivery when Agency features are used;
  • Analytics vendors (for example PostHog, Plausible, or Microsoft Clarity) when enabled in our deployment.

Each provider has its own privacy policy. We recommend reviewing their terms if you want detail on how they handle data.

7. International transfers

We operate from India and may process or store data in India and other countries where our providers maintain facilities. If we transfer personal data from the EEA, UK, or Switzerland to countries not deemed adequate, we use appropriate safeguards (such as standard contractual clauses) where required by law.

8. Retention

We keep personal data only as long as needed for the purposes above, unless a longer period is required or permitted by law. Indicative periods (subject to change and your choices):

  • Account data — for the life of your account plus a short wind-down period, unless we must retain certain records longer.
  • Audit inputs and outputs — long enough to deliver the Service, let you access saved reports (including copies stored on your device), and resolve disputes; we may delete or anonymise sooner when no longer needed.
  • Security and billing records — as required for security, accounting, and legal compliance. If you use self-service deletion, we may keep limited transaction metadata needed for those purposes with your account identifiers removed where feasible.
  • Agency fulfillment ledger — delivery method, client email (when you email a report), share token reference, audited URL, and timestamps for up to 24 months to operate delivery features, resolve disputes, and improve the product.
  • Share link metadata — token, expiry, and owner reference until the link expires or is revoked.

You may delete your account yourself from in-product settings (Settings → Delete account), which removes your sign-in identity and deletes or detaches personal data we associate with that account, subject to the billing and legal retention points above. You may also request deletion or other privacy rights by emailing us. Some residual copies may persist in backups for a limited time before automatic purge.

9. Cookies and similar technologies

We and our partners may use cookies, local storage, pixels, and similar technologies to remember preferences, keep you signed in, measure usage, and protect against abuse. Essential cookies are needed for core functionality. Where law requires consent for non-essential cookies or analytics, we will obtain it through our cookie controls or prompts where available.

You can restrict cookies through your browser settings; disabling some cookies may affect how the Service works. See our Cookie Policy for details.

10. Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or object to certain processing, and to data portability. Where processing is based on consent, you may withdraw consent. You may also have the right to lodge a complaint with a supervisory authority.

To exercise rights, you can use Settings → Delete account for full self-service account erasure, or email [email protected] for access, correction, portability, objection, or other requests. We may need to verify your identity before fulfilling requests. We will respond within the timeframe required by applicable law where applicable.

11. Security

We implement reasonable technical and organisational measures designed to protect personal data. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

12. Children

The Service is not directed at children under 16 (or the minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have, contact us and we will take appropriate steps to delete it.

13. Changes

We may update this Privacy Policy from time to time. We will post the revised version with a new “Last updated” date and, where appropriate, provide additional notice (for example by email or in-product message).

14. Contact

Questions or requests: [email protected]