Legal

Privacy Policy

Effective date: March 17, 2026 · evaltaai.com


Overview

This Privacy Policy (“Policy”) applies to Evalta AI and governs data collection and usage for the evaltaai.com website and related services (“Service”). All references to “the Company,” “we,” “us,” or “our” refer to Evalta AI. By using the Service, you consent to the data practices described in this Policy.

Information We Collect

Account and identity data

  • Email address
  • Name (if provided via Google OAuth sign-in)
  • Google profile ID (if you sign up using Google OAuth)
  • Subscription and billing status (managed via Stripe)
  • Stripe customer ID

Usage and project data

  • Projects you create, including website URLs you add to the Service
  • Scan history and audit results
  • Issue chat conversation history — every message sent to and received from the AI agent, stored per issue thread
  • Notification preferences
  • Page selections for PSI (PageSpeed Insights) analysis

Scanned website data

What gets stored when you scan a site: We store full page HTML, performance audit results, and extracted content for every page you submit. This data is retained for the life of your account.

When you submit a URL for analysis, we retrieve and store the following from each page scanned:

  • Page URLs crawled
  • Full raw HTML of each page (stored for AI analysis context)
  • Full PageSpeed Insights / Lighthouse audit JSON response
  • Extracted page data: title, meta description, headings (H1–H6), body text, word count
  • Images: src, alt text, and dimensions
  • JSON-LD structured data, Open Graph tags, canonical URL, robots meta, viewport meta
  • Navigation items, internal and external links
  • Tech stack detection results
  • HTTP status code, content type, page size, and content hash
  • Performance metrics: LCP, CLS, performance score, and other Core Web Vitals
  • Issues detected per page: type, title, description, severity, affected elements, wasted ms/bytes
  • AI-generated content analysis results

You are responsible for only submitting URLs for websites you own or have explicit authorization to scan. Scanned pages may contain proprietary, draft, or personally identifiable content — you assume responsibility for the content of any pages you submit.

Data we do not store

  • Passwords — authentication is handled via Google OAuth or magic link only; no passwords are stored on our servers
  • Payment card details — Stripe processes all payments and card data never touches our servers
  • Visitor data from scanned websites — we analyze page content only, not the traffic or users of the websites you scan

Device and technical data

  • IP address, browser type, operating system, and referring URLs collected automatically when you access the Service

How We Use Your Information

  • To operate and deliver the services you have requested, including running audits and generating reports
  • To process payments and manage your subscription
  • To send transactional communications: scan results, billing notices, and service updates
  • To send marketing or promotional communications — you may opt out at any time via the unsubscribe link in any marketing email
  • To improve the Service, diagnose technical issues, and monitor for security incidents
  • To comply with legal obligations

Third-Party Data Processors

We share your data with the following third-party service providers to operate the Service. Each provider is contractually required to handle data in accordance with applicable privacy laws and their own published privacy and data processing terms.

Provider: What they receive and why

  • Anthropic: Page HTML content and AI chat conversation messages are sent to Anthropic's API for AI-powered audit analysis and recommendations. Anthropic's privacy policy governs their handling of this data.
  • Google (PSI API): Page URLs are submitted to Google's PageSpeed Insights API for performance analysis.
  • Supabase: All account, project, scan, and conversation data is stored in Supabase-hosted databases.
  • Stripe: Billing and subscription data. Payment card details are handled entirely by Stripe and never stored on Evalta AI servers.
  • Resend: Your email address is shared with Resend to deliver transactional and notification emails.
  • PostHog: Anonymized usage analytics — feature interactions and session activity — to help us improve the Service.
  • Sentry: Error logs for monitoring and debugging. These may include user IDs and page URLs associated with errors.
  • Railway: Page HTML is fetched via a Playwright-based service hosted on Railway as part of the scanning pipeline.

We do not sell, rent, or lease your personal information to third parties. Deletion requests submitted to Evalta AI apply to data we hold directly. We cannot guarantee deletion of residual data held in third-party processors' own internal logs — you may contact those providers directly for deletion from their systems.

Cookies and Analytics

The Service uses cookies and similar tracking technologies to maintain session state, remember preferences, and analyze usage patterns. PostHog collects anonymized data about how users interact with the Service, including page views, feature usage, and session duration.

You may disable cookies through your browser settings, though doing so may affect the functionality of the Service. By continuing to use the Service, you consent to our use of cookies as described in this Policy.

Data Retention

We retain your personal information, project data, scan results, raw HTML, and conversation history for the life of your account.

Upon cancellation or expiration of a paid subscription, your data is retained for up to 30 days following the end of your subscription period, after which it is permanently deleted.

When you delete your account, all associated data is permanently deleted from our systems — including projects, scan results, page HTML, audit reports, and conversation history. This satisfies GDPR and CCPA deletion requirements for data held directly by Evalta AI.

Free tier accounts that are inactive for an extended period may have their data deleted at Evalta AI's discretion, with reasonable notice provided where possible.

Data Deletion Requests

You may request deletion of your data at any time through either of the following methods:

  • Self-serve: Delete your account through your account settings — this triggers immediate, permanent deletion of all associated data.
  • Email: Submit a deletion request to privacy@evaltaai.com — we will verify your identity and process the deletion within 30 days.

Upon a verified deletion request, we will delete your account data, projects, scan results, page HTML, audit reports, and conversation history from our systems. Deletion of residual data from third-party processors' own internal logs (Sentry, PostHog, etc.) is outside our direct control — you may contact those providers separately.

California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request details on what personal data we collect, use, and share.
  • Right to Delete: Request deletion of your personal data, subject to legal exceptions.
  • Right to Correct: Request corrections to inaccurate personal information.
  • Right to Opt-Out: Opt out of sale or sharing of data for advertising. We do not sell personal data.
  • Restrict Sensitive Data: Limit the use of sensitive personal information.
  • No Retaliation: We will not discriminate against you for exercising these rights.

To exercise your California privacy rights, contact us at privacy@evaltaai.com.

European Privacy Rights (GDPR)

If you are located in the European Union or United Kingdom, the GDPR or UK GDPR may apply to our processing of your personal data. Our lawful basis for processing is: (a) performance of a contract when processing is necessary to deliver the Service; (b) legitimate interests for analytics and service improvement; and (c) your consent where explicitly obtained.

Under GDPR you have the right to:

  • Access a copy of the personal data we hold about you
  • Request correction of inaccurate data
  • Request erasure of your personal data
  • Object to or restrict processing of your data
  • Request portability of your data in a structured, machine-readable format
  • Lodge a complaint with your local data protection authority

To exercise your GDPR rights, contact us at privacy@evaltaai.com. We will respond within 30 days.

Children Under Thirteen

Evalta AI does not knowingly collect personally identifiable information from children under the age of 13. If you are under 13, you must ask your parent or guardian for permission to use this Service.

Email Communications

We may contact you via email for announcements, promotional offers, alerts, confirmations, and other general communications. We may receive a notification when you open an email from us or click a link therein.

To stop receiving marketing emails, click the unsubscribe link in any marketing email. Transactional emails related to your account and subscription cannot be opted out of while your account is active.

External Data Storage

We store your data on servers provided by third-party cloud infrastructure providers (see Third-Party Data Processors above). All providers are required to maintain appropriate security measures for the data they store on our behalf.

Changes to This Policy

We reserve the right to change this Policy from time to time. When changes are significant, we will notify you by email to the primary address on your account and/or by placing a prominent notice on the Site. Your continued use of the Service after such modifications constitutes your acknowledgment of the modified Policy and agreement to be bound by it.

Contact Us

Evalta AI welcomes your questions or comments regarding this Policy.

Evalta AI
General inquiries: info@evaltaai.com
Privacy & data requests: privacy@evaltaai.com