Privacy Policy
Last updated: May 16, 2026
Introduction
At Sitecheck, we take your privacy seriously. This Privacy Policy explains how we collect, use, and protect your personal information when you use our website analysis service. Sitecheck is a service provided by Elunor (CVR-nr. 46462041), a sole proprietorship registered in Denmark, which acts as the data controller for personal data processed through this service. This Privacy Policy is an informational document under GDPR and does not create warranties or liability beyond what is set out in applicable law and the Terms of Service.
Data Controller
The data controller responsible for your personal data is Elunor (CVR-nr. 46462041), a sole proprietorship (enkeltmandsvirksomhed) registered in Denmark, operating the Sitecheck service. Business address: Jens Benzons Gade 14, 2. tv, 5000 Odense C, Denmark. You may contact us at support@sitecheck.dk for any privacy-related questions or to exercise your rights.
Legal Bases for Processing (GDPR Art. 6)
We process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing your account data, scan results, and subscription information is necessary to deliver the service you signed up for.
- Legitimate interests (Art. 6(1)(f)): We process minimal technical data (e.g., server logs, error tracking) to operate, secure, and improve the platform. This is balanced against your privacy interests.
- Consent (Art. 6(1)(a)): Analytics and optional cookies are only activated after you give explicit consent via our cookie banner. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): We retain billing records as required by Danish bookkeeping law.
Data Collection
Essential Data
We collect essential data necessary for the website to function properly:
- Account identifiers: email address, user ID, and (if you set one) password hash — managed by Supabase Auth
- OAuth identity data when you sign in with Google or GitHub: provider name, provider user ID, primary email, and (where the provider returns them) display name and profile picture URL
- Subscription and billing metadata: plan tier, subscription status, Stripe customer/subscription IDs, invoice metadata. We never see or store your full payment-card number — Stripe handles that directly
- Service data you submit: the URLs you choose to scan, scan results, scheduled-scan and sitemap configurations, uptime monitor configurations
- Operational logs needed to run the service: timestamps, IP addresses of requests, error traces. Used for security, fraud prevention, debugging, and rate-limit enforcement
- Language preference to display content in your preferred language
- Cookie consent preferences to respect your privacy choices
Analytics Data (Optional)
With your consent, we collect analytics data to improve our service:
- Pseudonymized usage statistics (pages viewed, features used)
- Performance metrics to optimize our platform
We use PostHog (EU instance) for privacy-friendly analytics. PostHog is GDPR-compliant and stores all data in the European Union.
Cookies and Tracking
We use cookies and similar technologies to provide and improve our service. You have full control over optional cookies through our Cookie Preferences.
| Cookie Name | Purpose | Duration |
|---|---|---|
| Essential Cookies (Always Active) | | |
| i18n_redirected | Stores your language preference | 1 year |
| cookie_consent | Stores your cookie preferences | 1 year |
| supabase-auth-token | Manages your authentication session | Session (until logout) |
| Analytics Cookies (Optional) | | |
| ph_* (multiple) | PostHog analytics and feature flags | 1 year |
Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right to Access (Art. 15): Request a copy of your personal data and information about how it is processed
- Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ('right to be forgotten')
- Right to Restrict Processing (Art. 18): Limit how we use your data in certain circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent for optional data collection at any time without affecting prior processing
- Right not to be subject to automated decisions (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects on you
- Right to Lodge a Complaint (Art. 77): Lodge a complaint with the Danish Data Protection Authority (Datatilsynet) if you believe your personal data is being handled unlawfully
To exercise any of these rights, contact us at support@sitecheck.dk. We will respond within 30 days of receiving your request, as required by GDPR. For complex or multiple requests, we may extend this period by a further two months with prior notice. You also have the right to lodge a complaint with the Danish DPA: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark (www.datatilsynet.dk).
Data Retention
- Account data: retained while your account is active. When you delete your account, profile data, identities, scan configurations, and scan results are deleted within 30 days
- Scan results and screenshots: stored while your account is active, subject to the report limits on your plan. Deleted alongside the account
- Billing records: retained for 5 years from the end of the accounting year in which the transaction occurred, as required by the Danish Bookkeeping Act (bogføringsloven §10). This applies even after account deletion. Records cover invoices, receipts, and Stripe transaction metadata — not authentication or scan data
- Server logs: rolling 30-day retention, then automatically purged
- Error logs: first-party application error diagnostics (technical error messages and stack traces, no analytics) retained for 30 days, then automatically purged
- Analytics data (PostHog): 180 days, then automatically deleted. Only collected if you have given analytics consent
- Database backups: encrypted backups retained for up to 30 days, then overwritten
- Cookie consent: stored until you withdraw consent or clear browser data
Data Security and Breach Notification
We implement industry-standard security measures to protect your data, including encryption in transit (TLS/SSL), encryption at rest for backups, salted password hashing, role-based access control, and least-privilege database access via Postgres Row-Level Security. A summary of our technical and organisational measures is set out in Annex II of the Data Processing Agreement. Disclosure of these measures does not constitute a guarantee against security incidents and does not create liability beyond what is set out in the Terms of Service. Our authentication and database layer is operated by Supabase (EU region). In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Danish Data Protection Authority (Datatilsynet) without undue delay and, where feasible, within 72 hours of becoming aware, as required by GDPR Art. 33. Where the breach is likely to result in a high risk, we will also notify affected users without undue delay, as required by GDPR Art. 34.
Third-Party Services and Subprocessors
We use the following third-party services to deliver Sitecheck. For services that act as processors on our behalf, we have Data Processing Agreements (DPAs) in place as required by GDPR Art. 28. For services that act as independent or joint controllers (notably OAuth sign-in providers and Stripe), their own privacy policies apply to the processing they perform. Sitecheck is not responsible for the data practices, availability, or accuracy of third-party services, and disclosure of these services does not create warranties or liability beyond what is set out in the Terms of Service.
- Supabase Inc. (processor) — authentication, Postgres database, and storage. Servers in the EU (Frankfurt). DPA in place. https://supabase.com/privacy
- PostHog Inc. — EU Cloud (processor) — opt-in product analytics. Data stored in the EU. Only loaded after explicit cookie consent. DPA in place. https://posthog.com/privacy
- Stripe Payments Europe Ltd. (independent controller for payment processing) — receives your name, email, billing address, and payment-card details directly via the Stripe Checkout interface. We never see or store full card numbers. Stripe is PCI DSS Level 1 certified. https://stripe.com/privacy
- Google LLC — OAuth sign-in (independent controller) — if you sign in with Google, we receive your name, email, Google account ID, and (where provided) profile picture URL. Google's processing as the OAuth provider is governed by Google's own Privacy Policy. https://policies.google.com/privacy
- Google LLC — PageSpeed Insights API (independent controller for analyses you request) — URLs you submit for performance analysis are transmitted to Google. Transfers covered by Standard Contractual Clauses. https://policies.google.com/privacy
- GitHub, Inc. (Microsoft Corporation) (independent controller) — if you sign in with GitHub, we receive your username, primary email, GitHub user ID, and (where provided) profile picture URL. https://docs.github.com/site-policy/privacy-policies
- Resend, Inc. (processor) — delivery of transactional emails (sign-up confirmations, password resets, uptime alerts, billing notices). We do not send marketing emails. DPA in place. https://resend.com/legal/privacy-policy
- BlitzBrowser (processor) — hosted headless-Chrome rendering used to fetch and inspect the URLs you submit for scanning. The URLs you submit, the rendered DOM, and request/response metadata are transmitted to this service strictly to perform the scan and are not retained by BlitzBrowser beyond the scan.
- Vercel Inc. (processor) — application hosting and edge delivery. US-based; transfers covered by Standard Contractual Clauses. DPA in place. https://vercel.com/legal/privacy-policy
- Hetzner Online GmbH (processor) — server infrastructure for our scanning daemons (sitecheck-runner, scan-daemon, uptime-daemon) and S3-compatible object storage for scan artefacts (screenshots, JSON reports). EU datacentres (Germany/Finland). DPA in place. https://www.hetzner.com/legal/privacy-policy
International data transfers: Some services listed above (Stripe, Google, GitHub/Microsoft, Vercel, Resend) are based in or operated from the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses (SCCs) under GDPR Art. 46, or — for transfers to organisations certified under the EU-U.S. Data Privacy Framework — on the European Commission's adequacy decision of 10 July 2023.
We do not send marketing or newsletter emails. Email from Sitecheck is strictly transactional: account verification, password resets, billing notices, uptime alerts, and security notifications. You cannot opt out of strictly-necessary transactional email while you have an active account.
Automated Decision-Making
Sitecheck does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals (GDPR Art. 22). Subscription tier upgrades and access control are rule-based processes, not AI-driven profiling decisions.
Aggregated and Anonymized Data
We may collect, generate, and use aggregated, de-identified, or anonymized data derived from your use of the service — for example, distribution of issue types found, scan performance metrics, feature-usage statistics, or benchmark data — for the purposes of operating, securing, improving, and benchmarking the service, communicating about the service, and producing reports or statistics. Such aggregated or anonymized data does not identify you, your account, your customers, or specific scanned URLs. We may retain, publish, and share such aggregated or anonymized data without restriction. We will not publish anonymized data in a manner that would reasonably permit re-identification of you or specific scanned sites.
Data Protection Officer
Elunor is not required to appoint a Data Protection Officer under GDPR Art. 37: our core activities do not consist of large-scale, regular and systematic monitoring of data subjects, nor of large-scale processing of special categories of data. Privacy matters are handled directly by the data controller. You may contact us at any time at support@sitecheck.dk for privacy-related questions, to exercise your rights, or to report a concern.
Children's Privacy
Sitecheck is not directed to children. Under Danish implementation of GDPR Art. 8 (Databeskyttelsesloven §6 stk. 3), the age of digital consent in Denmark is 13. We do not knowingly collect personal data from children under 13 without verified parental consent. If you believe we may have collected data from a child under 13, please contact us at support@sitecheck.dk and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, or our processing arrangements. We will notify you of any material changes by updating the 'Last Updated' date at the top of this policy and, where required by law, by seeking fresh consent or providing direct notice via email. Continued use of the service after the effective date constitutes acceptance of the revised policy.
Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
Email: support@sitecheck.dk
Website: https://www.sitecheck.dk