
Privacy Policy

Effective date: June 6, 2026

Overview

Stackra is a website audit tool, available on both free and paid plans. This policy explains what data we collect when you use Stackra, how we use it, who we share it with, and what rights you have over it.

We collect the minimum data needed to operate the service. We do not sell your personal data, and we do not use it for advertising.

What We Collect

Submitted URLs and Analysis Data

When you submit a website URL for analysis, we store that URL and the resulting analysis report in our database. Analysis reports include technical metrics, AI-generated narrative summaries, and a Growth Readiness Score. Reports are retained to support features such as history tracking and shareable report links. We do not store the full content of pages we crawl.

Account Data (registered users)

If you create an account, we store your name, email address, and a bcrypt-hashed password. We never store your password in plain text. Your email is used only to send analysis notifications and, if you request it, password reset links. You can delete your account at any time from your settings page, which permanently removes your account data from our database.

Payment Information (paid plans)

When you subscribe to a paid plan, your payment is processed by our payment processor, Stripe. Stripe collects and stores your payment card details directly; Stackra never receives or stores your full card number. We retain only the limited billing records needed to manage your subscription, such as a Stripe customer identifier and your subscription status. Stripe's handling of your data is governed by Stripe's privacy policy.

Server Logs

Our servers generate standard operational logs that include IP addresses, request paths, timestamps, and error messages. These logs are used for security monitoring, debugging, and service reliability. Logs are retained for up to 30 days.

Analytics

We use Google Analytics (GA4) to understand aggregate usage patterns such as which pages are visited and how long analyses take to complete. Google Analytics data is governed by Google's privacy policy. We do not pass personally identifiable information to Google Analytics.

What We Do Not Collect

  • Your full payment card number (card details are entered directly with Stripe; we never receive them)
  • Device fingerprints or persistent tracking identifiers beyond session cookies
  • The private content of websites behind authentication or paywalls
  • Data from third-party sources about you

Google User Data

On our paid plans, Stackra lets you optionally connect your Google account so we can layer your real search and traffic data onto your scan reports. Connecting is entirely optional, and you can disconnect at any time from your settings page.

What we access

When you connect your Google account, you grant Stackra read-only access to the following, using these Google API scopes:

  • Google Search Console (webmasters.readonly): your verified sites, plus search performance data such as clicks, impressions, average position, and the queries your pages rank for.
  • Google Analytics 4 (analytics.readonly): your property list and aggregate traffic metrics such as sessions and users.

How we use it

We use this data for one purpose only: to display search and traffic metrics alongside the website scan reports you run in Stackra, so your audit reflects how your site actually performs. We do not use Google user data for advertising, we do not sell it, and we do not transfer it to third parties except as needed to operate the service or where required by law.

How we store and protect it

Your Google OAuth tokens and any cached Google data are treated as sensitive data. They are encrypted in transit using HTTPS/TLS and stored in an access-controlled, managed cloud database that encrypts data at rest. Access is restricted to the application services that need it to fulfill your requests. These tokens are used only to fetch the data above on your behalf, are never sold, and are never transferred to third parties except as needed to operate the service or where required by law. When you disconnect your Google account or delete your Stackra account, we delete the associated tokens and cached Google data. See the Data Security section below for the full set of protections we apply.

Limited Use

Stackra's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Bing Webmaster Tools Data

On our paid plans, Stackra also lets you optionally connect your Microsoft Bing Webmaster Tools account so we can show your Bing search data alongside your scan reports. Connecting is entirely optional, and you can disconnect at any time from your settings page.

What we access

When you connect your Microsoft account, you grant Stackra read-only access to your Bing Webmaster Tools data using the Webmaster.read scope: your verified sites, plus search performance data such as clicks, impressions, and average position for the queries and pages your site ranks for in Bing.

How we use it

We use this data for one purpose only: to display Bing search metrics alongside the website scan reports you run in Stackra. We do not use Bing user data for advertising, we do not sell it, and we do not transfer it to third parties except as needed to operate the service or where required by law.

How we store and protect it

Your Bing OAuth tokens and any cached Bing data are treated as sensitive data. They are encrypted in transit using HTTPS/TLS and stored in an access-controlled, managed cloud database that encrypts data at rest. These tokens are used only to fetch the data above on your behalf, are never sold, and are never transferred to third parties except as needed to operate the service or where required by law. When you disconnect your Bing account or delete your Stackra account, we delete the associated tokens and cached Bing data.

Data Security

We apply the following safeguards to protect your information, with particular care for sensitive data such as Google user data and account credentials.

Encryption in transit

All data exchanged between your browser and Stackra, and between Stackra and the third-party APIs we rely on, travels over encrypted HTTPS/TLS connections.

Encryption at rest

Account data, Google OAuth tokens, cached Google data, and analysis reports are stored in a managed cloud database that encrypts data at rest.

Access controls

Access to production systems and stored data is restricted to the application services that require it and to authorized personnel. We do not grant broad or standing access to sensitive data.

Credential protection

Account passwords are stored only as bcrypt hashes and never in plain text. Google OAuth tokens are stored solely to fetch the data you authorize, and are deleted when you disconnect your Google account or delete your Stackra account.

Data minimization and deletion

We collect and retain only the data needed to operate the service, and you can request deletion of your data at any time from your settings page or by contacting us.

Third-Party Services

Stackra relies on the following third-party services to operate. Each service receives only the data necessary to perform its function.

| Service | Purpose | Data Sent |
|---|---|---|
| OpenAI | AI persona narrative generation | Publicly crawled website content and metrics (no user PII) |
| Google PageSpeed Insights API | Performance and accessibility metrics | Submitted URL only |
| Google Analytics (GA4) | Aggregate usage analytics | Anonymized page interaction data |
| Google Search Console and Analytics API (optional, paid plans) | Read your search and traffic data when you connect your account | Your Google OAuth authorization (read-only); see "Google User Data" above |
| Bing Webmaster Tools API (optional, paid plans) | Read your Bing search data when you connect your account | Your Bing OAuth authorization (read-only); see "Bing Webmaster Tools Data" above |
| Stripe | Payment processing for paid plans | Your payment card and billing details (entered directly with Stripe) |
| Replit | Cloud hosting infrastructure | All application data (hosted environment) |

OpenAI's data handling for API usage is governed by OpenAI's API data usage policies, which state that API inputs and outputs are not used to train their models by default.

Data Retention

| Data Type | Retention Period |
|---|---|
| Analysis reports | Indefinite (supports shareable links and history); deleted on user request |
| Account data | Until account deletion |
| Billing records (paid plans) | Retained while your subscription is active and as required for tax and accounting; card data is held by Stripe, not Stackra |
| Session cookies | Browser session; max 7 days |
| Server logs | Up to 30 days |

Your Rights (GDPR and CCPA)

EU and EEA Users (GDPR)

We process personal data on the legal basis of legitimate interest: delivering the website audit service you requested. If you have an account, we process account data on the basis of contract performance.

Under the General Data Protection Regulation, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to processing based on legitimate interest
  • Request a copy of your data in a portable format

To exercise any of these rights, email us at luke@stackra.app. We will respond within 30 days.

California Users (CCPA)

California residents have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. To submit a request, contact us at the email below.

Contact

For privacy questions, data requests, or concerns, contact us at luke@stackra.app.