Privacy Policy
Last updated: May 9, 2026
This Privacy Policy explains how personal data is collected, used, and protected when you use AI Visibility Checker (the “Service”), available at aibotchecker.online. It is written to satisfy the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Romanian implementing law (Law 190/2018).
1. Who we are (Data Controller)
The data controller is AI Visibility Checker, the operator of this Service. For any data‑protection question or to exercise your rights below, you can reach us at:
office [at] aibotchecker.online
2. What we collect and why
| Category | Data | Purpose & legal basis |
|---|---|---|
| Account | Email, name, hashed password | To create and authenticate your account. Legal basis: performance of a contract (Art. 6(1)(b)). |
| Audits you run | URLs you submit, scan results (HTML snapshots, scores, issues), schedule configuration | To provide the audit service. Legal basis: performance of a contract. |
| Quick checks | URL submitted, your IP address, scan result | To provide the unauthenticated quick‑check feature and enforce a fair‑use limit (3/IP/day). Legal basis: legitimate interest (Art. 6(1)(f)) in preventing abuse. |
| Server logs | IP address, user agent, request path, timestamp | For security, debugging, and abuse prevention. Legal basis: legitimate interest. Retained 30 days. |
| Analytics | Page views, scrolls, outbound clicks (Google Analytics 4 with Consent Mode v2) | To understand product usage in aggregate. Until you accept analytics cookies, GA runs in cookieless ping mode: anonymous, no _ga* cookies, IP truncated, no cross‑session identifier. Legal basis: legitimate interest (Art. 6(1)(f)) in aggregate measurement for cookieless pings; consent (Art. 6(1)(a)) for full tracking once you opt in. |
| Email (transactional) | Email address used for password reset, audit completion notifications, and regression alerts | To deliver service‑essential notifications. Legal basis: performance of a contract. |
We do not sell your data, nor share it with advertisers. We do not use any automated decision‑making or profiling that produces legal effects on you.
3. Sub‑processors (third parties that handle data on our behalf)
- DigitalOcean LLC (hosting, EU‑Frankfurt region). Stores all account, audit, and log data.
- Cloudflare, Inc. (CDN, DNS, DDoS protection). Sees request metadata (IP, URL, headers) for traffic in transit. Cloudflare GDPR DPA applies.
- Google LLC / Google Ireland (Google Analytics 4). Loaded only on public marketing pages, only with consent. Anonymized telemetry; no PII sent.
- PostHog Inc. (product analytics, EU region). Active inside the authenticated dashboard only. Captures pseudonymized event data (user numeric id, plan, feature‑use events like audit_created) so we can understand product usage and improve the service. No email, no name, no audit URLs sent. Opt‑out via the Manage Cookies link in the footer.
- Anthropic, PBC (optional LLM provider for AI‑generated llms.txt). Only invoked when you click “Generate” on a given audit. The page text crawled is sent to Anthropic's API for summarization.
- Stripe Payments Europe, Ltd. (Ireland). Processes all paid subscriptions. We never see your card details — you enter them on a Stripe‑hosted Checkout page. We store only a Stripe customer ID, the subscription status, and the renewal date. Stripe is GDPR‑compliant under SCCs and is the same provider used by Apple, Google, and most SaaS in the EU.
All sub‑processors are contractually bound by GDPR‑compliant terms. Personal data is not transferred outside the EEA except under Standard Contractual Clauses (Cloudflare, Google, Anthropic).
4. Retention
- Account & audit data: kept until you delete your account.
- Server logs: 30 days.
- Quick‑check rate‑limit counters: 24 hours (sliding).
- Analytics data: Google Analytics retains event data for 14 months by default.
- Backups: encrypted database backups retained up to 30 days.
5. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectification of inaccurate data (Art. 16).
- Erasure (“right to be forgotten”, Art. 17). Available in‑app via Settings → Delete account.
- Data portability (Art. 20). Available in‑app via Settings → Export data — returns a JSON file with all your account and audit data.
- Restriction of processing (Art. 18) and objection (Art. 21).
- Withdraw consent at any time, for processing based on consent. Use the Manage cookies link in the footer to withdraw analytics consent.
- Lodge a complaint with the Romanian Supervisory Authority (ANSPDCP) or any other EU Data Protection Authority.
To exercise any right, email office [at] aibotchecker.online. We respond within 30 days as required by Art. 12(3).
6. Security
All traffic is served over HTTPS with strong TLS. Passwords are hashed with bcrypt. The database resides on a single‑tenant server in DigitalOcean Frankfurt with regular encrypted backups. We do not log passwords, plaintext or otherwise. Personal API tokens are stored hashed.
7. Children
The Service is not directed at individuals under 16. We do not knowingly collect data from children.
8. Changes to this Policy
We may update this policy. Material changes will be communicated via email and via a banner on the home page at least 14 days before they take effect.