Privacy Policy

1. Information We Collect

We collect the following types of information when you use GroundScore:

• Account Information: Name, email address, and profile information provided through our authentication provider during registration.
• Website Data: Domain names you register for scanning, publicly available website content obtained through automated crawling (HTML structure, meta tags, schema markup, page content).
• Usage Data: GroundScores, scan history, power-up activations, credit transactions, streak data, and interaction patterns within the Service.
• Payment Information: Payment processing is handled by Stripe. We store only transaction references (Stripe customer ID, payment intent ID) — never full card numbers, CVV, or card expiration dates.
• Competitor Data: Competitor domain names you provide and publicly available information from those domains obtained through automated crawling.
• Lead Widget Data: When prospects use your embedded audit widget, we collect their email address, domain name, and the resulting GroundScore. This data is stored in your agency account and is accessible only to you.
• Agency Client Data: If you use agency features, we store client domain names, scan results, and any data you provide about your clients. You are responsible for obtaining appropriate consent from your clients.
• Device and Access Data: IP addresses, browser type, device identifiers, and access timestamps for security, fraud prevention, and rate limiting purposes.

2. How We Use Your Information

We use collected information to:

• Provide, maintain, and improve the GroundScore analysis Service
• Generate GroundScores and optimization recommendations using AI analysis
• Track your progress and scan history over time
• Process credit purchases and manage your account balance
• Send in-app notifications about score changes, competitor movements, and achievements
• Deliver lead widget data to agency accounts
• Analyze usage patterns to improve the Service
• Prevent fraud, abuse, and enforce our Terms of Service
• Detect and prevent multi-account abuse and free tier exploitation
• Comply with legal obligations and respond to lawful requests

3. AI Processing

GroundScore uses artificial intelligence to analyze website content and generate scores. Your website's publicly available content is sent to AI language models for analysis. This processing is essential to the Service and occurs each time a scan is performed (manually or through daily auto-scans). AI-generated content from power-ups is stored in your account and is not shared with other users.

4. Lead Widget and Third-Party Websites

The GroundScore Lead Widget is an embeddable tool that agencies place on their own websites:

• Data Collection: When a visitor uses the widget, we collect their email address (if provided), domain name, and the resulting scan score.
• Data Controller: The agency embedding the widget is the data controller for leads collected through their widget. GroundScore acts as a data processor.
• Agency Responsibility: Agencies are responsible for displaying appropriate privacy notices on their websites where the widget is embedded.
• No Cross-Agency Sharing: Lead data is isolated to the agency that captured it and is never shared with other agencies or users.

5. Data Sharing

We do not sell your personal information. We may share data with:

• Service Providers: Stripe (payment processing), AI model providers (website analysis), email service providers (transactional emails), and cloud hosting providers (data storage).
• Legal Requirements: When required by law, subpoena, or legal process, or to protect our rights and safety.
• Fraud Prevention: We may share device and access data with fraud prevention services to protect the integrity of the Service.

Your GroundScores and scan data are private to your account. Competitor tracking data is visible only to the user who configured the competitors.

6. Data Security

We implement industry-standard security measures to protect your data, including encrypted connections (TLS/SSL), secure authentication tokens, access controls, and regular security audits. Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified). However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

We retain your account data and scan history for as long as your account is active. Scan history is preserved to show score trends over time. If you request account deletion, we will remove your personal data within 30 days, though anonymized aggregate data may be retained for analytics purposes. Transaction records are retained for 7 years to comply with financial reporting requirements and to support chargeback dispute resolution.

8. Website Crawling

GroundScore crawls websites you register and competitor domains you specify. We only access publicly available content (the same content visible to any web browser). We respect robots.txt directives and do not access password-protected or restricted areas. Crawling occurs during initial scans, manual re-scans, daily auto-scans, and lead widget audit scans.

9. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data ("right to be forgotten")
• Export your scan history and account data in a portable format
• Opt out of non-essential communications
• Object to processing of your data for certain purposes
• Restrict processing of your data under certain circumstances
• Withdraw consent where processing is based on consent

California Residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

EU/EEA Residents (GDPR): Our legal basis for processing is contract performance (providing the Service), legitimate interest (fraud prevention, service improvement), and consent (marketing communications). You may lodge a complaint with your local data protection authority.

To exercise these rights, contact us at the email address below. We will respond within 30 days.

10. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. Analytics data is collected through our own infrastructure and is not shared with third-party analytics providers. The Lead Widget uses minimal cookies necessary for its operation and does not track users across websites. For a complete list of cookies we use and how to manage them, please see our Cookie Policy.

11. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required by applicable law.

12. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the Service or via email. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

For questions about this Privacy Policy or to exercise your data rights, contact us at [email protected].