Privacy Policy
Last updated: January 10, 2025
Last reviewed: January 10, 2025
1. Introduction
Welcome to WebPeek ("we," "our," or "us"). We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website intelligence API service.
By using WebPeek, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.
1.1 Who We Are & Our Roles (Controller vs Processor)
For account, billing, support, and marketing data, WebPeek is the "data controller."
For customer-submitted URLs and website content processed by our API (metadata, audits, screenshots), WebPeek acts as a "data processor" (or "service provider" / "processor" under applicable laws), processing data solely on your documented instructions.
2. Information We Collect
2.1 Information You Provide
When you register for an account and use our API, we collect:
- Account information (name, email address, company name)
- Billing information (processed securely through Stripe or Lemon Squeezy)
- API keys and authentication credentials
- Support and communication records
2.2 Automatically Collected Information
When you use our API, we automatically collect:
- API usage data (endpoints called, request/response metadata, timestamps)
- URLs you submit for analysis (metadata extraction, SEO audits, screenshots)
- Technical information (IP address, browser type, API version used)
- Performance metrics (response times, error rates)
- Aggregated usage statistics for billing and analytics
Important: URLs may contain personal data or secrets (e.g., tokens, emails, query strings). You are responsible for removing or redacting sensitive values before submission. We may automatically redact common secrets (e.g., token, apikey) in logs.
2.3 Third-Party Website Data
Our API processes publicly accessible websites on your behalf. We only access and analyze public web pages that do not require authentication. We do not scrape content behind logins, paywalls, or password-protected areas.
By default we respect robots.txt. Customers may choose to override this behavior (where legally permissible) via API parameters; you are responsible for ensuring your use complies with the target site's terms and applicable law.
Important: We do not use submitted content to train any AI or machine learning models.
3. Legal Bases for Processing (GDPR)
We process personal data under these legal bases:
- Contract necessity – to provide the API and fulfill our agreement with you
- Legitimate interests – to secure, improve, and measure the service (e.g., abuse prevention, debugging)
- Consent – where required (e.g., optional emails, certain analytics)
We do not intentionally process special category data and ask customers not to submit it via the API.
4. How We Use Your Information
We use the collected information for the following purposes:
- To provide and maintain our API service
- To process your requests for metadata extraction, SEO audits, and website snapshots
- To manage your account and billing
- To monitor usage and enforce rate limits based on your subscription tier
- To improve our service, develop new features, and optimize performance
- To detect, prevent, and address technical issues or security vulnerabilities
- To communicate with you about service updates, security alerts, and support
- To comply with legal obligations and enforce our Terms of Service
5. Data Storage and Security
5.1 Where We Store Your Data
Your data is stored securely using industry-standard infrastructure:
- Account data and API keys: Encrypted in PostgreSQL database
- Cached results: Temporarily stored in Redis with automatic expiration
- Screenshots and snapshots: Stored in secure cloud storage (S3-compatible)
- Application logs: Retained for security auditing and performance monitoring
5.2 Security Measures
We implement appropriate technical and organizational security measures:
- Encryption in transit (TLS/HTTPS) and at rest for sensitive data
- API key authentication with secure key generation and storage
- Rate limiting and SSRF protection to prevent abuse
- Regular security audits and vulnerability assessments
- Role-based access controls (least privilege principle)
- Structured logging (Pino) for security auditability
Access to personal data is role-based (least privilege). Employees and contractors are bound by confidentiality obligations and receive regular security and privacy training.
5.3 Security Incidents & Breach Notification
We maintain an incident response program. Where a personal-data breach is likely to result in risk to individuals, we will notify affected customers without undue delay and within 72 hours where legally required, including the nature of the breach and mitigation steps.
5.4 Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:
- Account & billing: Retained while your account is active and up to 7 years after closure for tax/audit requirements
- API request logs (incl. IPs): 90 days (security & billing disputes)
- Cached metadata/SEO results: Up to 24 hours (configurable by plan)
- Screenshots/snapshots: Default 30 days (configurable); you can request immediate purge via API or support
On request, we will delete or anonymize data unless we must retain it by law or for the establishment, exercise, or defense of legal claims.
Upon verified deletion requests, we delete active copies within 30 days and remove them from backups within 90 days as backups naturally expire. Backups are encrypted, access-restricted, and automatically purged after their retention period.
6. Third-Party Services & Sub-Processors
We use trusted third-party services (sub-processors) to operate our platform:
- Payment processors: Stripe and/or Lemon Squeezy for secure billing (subject to their respective privacy policies)
- Cloud infrastructure: Hosting providers (Fly.io, Railway) for API deployment
- Database: Supabase for data storage and authentication
- Analytics (with consent): Google Tag Manager and Firebase Analytics (Google) for website usage analytics, user behavior insights, and tag management. Only activated when users consent to analytics cookies.
- Advertising (with consent): X (Twitter) Pixel and Reddit Pixel for advertising measurement, conversion tracking, and remarketing. Only activated when users consent to advertising cookies.
- Email services: For transactional emails and support communications
- Rendering engine: We use headless browser automation (e.g., Playwright/Puppeteer) running on our own infrastructure
These third parties have access only to the information necessary to perform their functions and are obligated to maintain confidentiality. Analytics and advertising services are only activated after obtaining your explicit consent through our cookie banner.
We maintain an up-to-date list of sub-processors (including region and purpose) and will notify customers of material changes before onboarding a new sub-processor where required. You may subscribe to updates or object where applicable by law.
7. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:
- With your consent: When you explicitly authorize us to share specific information
- Service providers: With trusted vendors who assist in operating our service (as described in Section 6)
- Legal compliance: When required by law, court order, or government regulation
- Protection of rights: To enforce our Terms of Service, protect our rights, or prevent fraud and abuse
- Business transfers: In the event of a merger, acquisition, or sale of assets (with notice to users)
We carefully review all law enforcement or government requests for data and only respond when legally required and consistent with international due process standards.
8. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Portability: Request a machine-readable copy of your data
- Objection: Object to certain processing activities
- Withdrawal: Withdraw consent where processing is based on consent
To exercise these rights, email hello@webpeek.dev or use the dashboard. For security, we may require verification (for example, confirming control of your registered email) before acting on requests, and we may decline requests that would adversely affect others' privacy or legitimate business interests. We will respond within 30 days (or the statutory period) and indicate if extensions are needed due to complexity.
9. California Residents (CCPA/CPRA)
We are a service provider for API data and a business for account/billing. We do not "sell" or "share" personal information as defined by CPRA, nor do we use Sensitive Personal Information for purposes requiring a "Limit Use" link. We honor Global Privacy Control (GPC) signals where applicable.
California residents have the right to know, delete, and correct their personal information, and the right to non-discrimination. Submit requests at hello@webpeek.dev.
10. Cookies and Tracking
Our website uses cookies and similar tracking technologies to enhance your experience and measure our marketing effectiveness. We provide a cookie consent banner when you first visit our site, allowing you to choose whether to accept non-essential cookies.
10.1 Types of Cookies We Use
- Essential cookies: Required for authentication and security (session management, API key validation). These cookies are necessary for the service to function and cannot be disabled.
- Analytics cookies: With your consent, we use Google Tag Manager and Firebase Analytics (Google) to understand how visitors interact with our website and to measure page views, user engagement, and site performance. Google Tag Manager helps us manage and deploy marketing tags without modifying code. This helps us improve our service and user experience.
- Advertising cookies: With your consent, we use X (Twitter) Pixel and Reddit Pixel to measure the effectiveness of our advertising campaigns and to build audiences for targeted advertising. This includes tracking page visits, user interactions, and conversions.
10.2 Third-Party Tracking Technologies
When you consent to cookies, the following third-party services may collect information:
- Google Tag Manager: A tag management system that allows us to quickly and easily update measurement codes and related code fragments (tags) on our website. GTM itself does not collect personal data but enables other tracking services. Subject to Google's Privacy Policy.
- Firebase Analytics (Google): Collects anonymous usage data including page views, device type, browser information, and user interactions. Subject to Google's Privacy Policy.
- X (Twitter) Pixel: Tracks page visits, user interactions, and conversions for advertising measurement, conversion tracking, and remarketing purposes. Subject to X's Privacy Policy.
- Reddit Pixel: Tracks page visits and user interactions for advertising measurement and remarketing purposes. Subject to Reddit's Privacy Policy.
10.3 Managing Your Cookie Preferences
You have full control over non-essential cookies:
- Cookie banner: When you first visit our site, you can choose to accept or decline non-essential cookies (analytics and advertising)
- Browser settings: You can control cookie preferences through your browser settings and delete existing cookies at any time
- Change preferences: Clear your browser's local storage for webpeek.dev to reset your cookie preferences and see the consent banner again
Note: Declining non-essential cookies will not affect your ability to use our API or core services. However, it may limit our ability to improve our service based on usage analytics and measure the effectiveness of our marketing efforts.
We respond to Global Privacy Control (GPC) signals where applicable. Standard Do Not Track signals are not consistently honored across the web and are unsupported.
11. International Data Transfers
Our service is operated globally, and your data may be transferred to and processed in countries other than your own. We ensure that such transfers comply with applicable data protection laws, including GDPR for European users and CCPA for California residents.
When transferring personal data internationally, we use appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, where relevant, the UK IDTA/Addendum. We perform transfer risk assessments and implement supplementary safeguards (encryption in transit/at rest, access controls).
Cross-border Storage Locations
Your data may be stored and processed in data centers located in the EU and US, operated by our infrastructure providers (Fly.io, Railway, Supabase). We select data center locations based on performance, availability, and compliance with applicable data protection standards.
12. Data Processing Addendum (DPA)
For customers subject to GDPR/UK GDPR, our Data Processing Addendum (including SCCs) is available for signature on request or via the dashboard and governs our role as data processor where applicable.
13. Customer Responsibilities
You are responsible for:
- Safeguarding API keys and account credentials
- Complying with site terms and laws when submitting URLs/content
- Not sending sensitive or regulated data to the API unless we explicitly support and agree to process it
- Ensuring your use of the service complies with applicable privacy laws and third-party terms
14. Automated Decision-Making
We do not use automated decision-making that produces legal or similarly significant effects on individuals.
15. Children's Privacy
WebPeek is not intended for children under 16 in the EU/EEA and under 18 elsewhere. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete such information promptly.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of material changes by:
- Updating the "Last updated" date at the top of this page
- Sending an email notification to your registered email address
- Displaying a prominent notice on our website or dashboard
Your continued use of the service after such changes constitutes acceptance of the updated policy.
A changelog of prior Privacy Policy versions is available upon request.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
WebPeek
Email: hello@webpeek.dev
Data Protection Officer: privacy@webpeek.dev
EU Representative: Available on request via privacy@webpeek.dev
We take your privacy seriously and will respond to all inquiries within a reasonable timeframe.
This Privacy Policy is effective as of the date stated above and applies to all users of the WebPeek API service.