Privacy Policy
Last updated: 27 May 2026
This policy explains what personal data Site IQ collects when you use the website intelligence service at siteiq.monkata.ai, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR).
1. Who we are
Site IQ ("we") is the controller of the personal data described below. Site IQ is operated from Bulgaria (EU); our full company registration details are available on request. The quickest way to reach us about privacy matters is our contact form.
2. What data we collect
- Account data - the email address you sign in with (authentication is handled by Supabase).
- Audited domains - the domains and URLs you submit for an audit.
- Crawled third-party page content - the public page content Site IQ fetches from the domain you submit (up to 10 pages), used to run the checks and generate the summary and chat. This may itself contain personal data if it appears on the audited pages.
- Embeddings - numerical vector representations of the crawled content, stored so the chat can search the audited pages.
- Chat history - the questions you ask about a report and the AI answers, stored with that report.
- Logs and technical data - IP address, timestamps and basic request metadata generated automatically when you use the service, kept for security and debugging.
3. How we use it, and our legal bases
- To perform the audit you requested - crawling the domain, running the 58 deterministic checks, producing the score, the AI summary and the chat. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- To keep the service secure and working - authentication, abuse prevention, debugging and logging. Legal basis: our legitimate interests (Art. 6(1)(f) GDPR) in operating a safe, reliable service.
- To understand and improve the product - privacy-friendly, consent-gated analytics (Google Analytics 4 via Google Tag Manager) about how the site is used. Legal basis: your consent (Art. 6(1)(a) GDPR). Analytics cookies load only after you accept, and you can withdraw at any time (see Cookies).
We do not use your data for advertising, and we do not sell it.
4. Cookies and analytics
Strictly-necessary cookies. The session cookies set by Supabase keep you signed in. These are essential to provide the service, so they do not require consent. If you clear or block them you will be signed out.
Analytics cookies (consent-based). We use Google Analytics 4, loaded through Google Tag Manager, to understand how Site IQ is used so we can improve it. We run Google Consent Mode v2 with analytics and advertising storage denied by default in the EU/EEA/UK, so nothing non-essential is set until you choose. On your first visit a banner offers Accept and Reject as equal options, plus a Manage panel for per-category choices. Analytics cookies are set only if you accept.
We store your choice in your browser (a siteiq-consent entry and a matching cookie) for up to 365 days so we do not ask on every visit. You can change or withdraw your choice at any time using the Cookie settings link in the footer, and we honour your browser's Global Privacy Control signal. We do not use advertising cookies and we do not sell your data.
5. Sub-processors
We rely on a small number of trusted providers to run the service. Each processes personal data only on our instructions:
| Name | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database, authentication, vector storage (account email, reports, crawled content, embeddings, chat) | EU (Frankfurt / Ireland) | Data stored in the EU region; Data Processing Agreement |
| Vercel | Application hosting | EU edge; US company | EU-US Data Privacy Framework (DPF) + SCCs |
| n8n Cloud | Automation pipeline that runs the audit and chat workflows | EU (Azure) | EU region; Data Processing Agreement |
| Firecrawl | Crawls the public pages of the domain you submit | United States | Standard Contractual Clauses (SCCs) |
| OpenAI | Embeddings, the AI summary and the chat answers | United States (EU data residency available on request) | SCCs; EU data residency option |
| Google (Analytics 4 / Tag Manager) | Consent-based product analytics, only after you accept. IP anonymised; not used for ads, not sold. | United States | SCCs + EU-US DPF; Consent Mode v2 (denied by default in the EU) |
Where crawled content goes: the page content we crawl is sent to Firecrawl (US) to fetch it and to OpenAI (US by default) to create embeddings and generate the summary and chat answers. Under their API terms, neither Firecrawl nor OpenAI uses this content to train their models.
6. International transfers
Your account data, reports, crawled content, embeddings and chat history are stored in the EU (Supabase, Frankfurt / Ireland). Some processing involves transfers outside the EU/EEA - specifically to Firecrawl, OpenAI and (only with your analytics consent) Google in the United States. These transfers are covered by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (Vercel). OpenAI also offers EU data residency on request, which we can enable for accounts that need it.
7. How long we keep it (retention)
- Account data - deleted within 30 days of you deleting your account.
- Reports, crawled content and embeddings - you can delete any individual report at any time, and they are automatically purged after 90 days.
- Chat history - stored with its report and deleted together with that report.
8. Your rights under the GDPR
If your personal data is processed, you have the right to:
- Access - get a copy of the data we hold about you.
- Rectification - correct inaccurate or incomplete data.
- Erasure - have your data deleted ("right to be forgotten").
- Portability - receive your data in a portable, machine-readable format.
- Objection - object to processing based on our legitimate interests.
To exercise any of these, contact us through our contact form. You also have the right to lodge a complaint with your local supervisory authority. In Bulgaria this is the Commission for Personal Data Protection (CPDP / КЗЛД) - cpdp.bg.
9. AI disclosure
The executive summary and the chat answers are generated by AI (OpenAI models). In line with the EU AI Act's transparency requirements, we make this clear: AI-generated output can be incomplete or wrong, the score itself is computed by deterministic rules rather than AI, and you should not treat any AI output as professional advice.
10. How we handle crawled third-party content
When you submit a domain, we crawl its public pages solely to produce the audit you requested - to run the checks, build the embeddings, and power the summary and chat for that report. We do not use the crawled content for any other purpose.
You warrant that you are authorised to submit each domain or URL - that you either own it or have the owner's permission to have it audited. See our Terms & acceptable use for details.
11. Security
- All traffic is served over HTTPS.
- Data is encrypted at rest in our EU database.
- Row Level Security (RLS) enforces tenant isolation, so each account can only ever access its own reports and chat.
- We do not sell your data.
12. Contact and effective date
Questions about this policy or your data? Reach us any time through our contact form. This policy is effective as of May 2026. If we make material changes we will update the "Last updated" date above and, where appropriate, notify you.