
Draft: Honest first draft. Will be reviewed by a UK GDPR-competent lawyer before launch.

Reviewed: 15 May 2026. Next review: 15 November 2026.

Privacy

Privacy policy.

What we collect, why we collect it, who we share it with, and how long we keep it. Written plainly. Reviewed every six months.

Who we are

Wingenious Ltd is the controller of the personal data described here. We are a company registered in England and Wales and registered with the UK Information Commissioner’s Office (ICO) as a data controller.

Registered address and ICO registration number will appear here before launch. Contact: the contact form.

What we collect

When you run a free audit (no account)

  • The URL you submitted
  • Your email address (collected before the PDF report is sent)
  • Your IP address (used for rate limiting and abuse prevention)
  • Your browser’s user agent string
  • The audit results we derived from your submitted URL
  • Whether you have given marketing consent

When you run a paid audit

  • Everything above
  • Payment details (handled by Stripe; we do not store card numbers)
  • Your billing email
  • Your Stripe customer ID

When you create an account

  • Everything above
  • Your account email (may be the same as the audit email)
  • Authentication metadata (session tokens, records of magic-link issuance)
  • Your audit history

When you connect a Google service (Pro tier and above)

  • OAuth refresh and access tokens (encrypted at rest)
  • The minimum scope needed for the audit to function: GA4 read-only and Search Console read-only
  • We do not store your underlying GA4 or Search Console data beyond what is needed to produce the report; tokens are revocable at any time

Collected automatically

  • Plausible analytics (self-hosted, no cookies, no personal identification, aggregated only)
  • Server logs (IP, path, status, duration) retained per our retention schedule below

How we use it

To deliver the audit you asked for

We run the audit, store the result so you can download the PDF, and send it to you.

Lawful basis: Contract (Article 6(1)(b) UK GDPR).

To improve the product

If you opt in, we use anonymised, aggregated audit data to build an industry benchmark and to refine the methodology. Individual sites, businesses, and audits are never identifiable in the aggregate.

Lawful basis: Consent (Article 6(1)(a)). You can opt out at any time.

To send marketing communications

If you opt in, we send occasional emails about the product, the AI Breakfast Club, and Wingenious consulting services. Every email contains an unsubscribe link.

Lawful basis: Consent (Article 6(1)(a)).

To meet legal and accounting obligations

We retain payment records under UK accounting law and respond to lawful requests.

Lawful basis: Legal obligation (Article 6(1)(c)).

Who we share data with

Three third parties, each documented as a data processor or joint controller. We do not share your data with advertising networks, data brokers, or any analytics provider beyond our self-hosted Plausible instance.

  • Anthropic PBC: receives the content of pages we have crawled, plus our prompts, for AI inference. Data processor. US-based; transfers are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
  • Stripe Payments UK Ltd: receives payment details when you pay for an audit. Joint controller for payment data.
  • Mailgun (Sinch): receives your email address and our email content to deliver the message. Data processor.

Data processing agreements with all three are on file.

International transfers

Data leaves the UK for the three processors above. Each transfer is covered by the UK IDTA or the UK Addendum to the EU SCCs, plus a transfer risk assessment held on file as required by ICO guidance.

How long we keep your data

  • Free audit data: 24 months from audit completion, then deleted.
  • Paid audit data: 60 months from audit completion (covers paid-tier obligations), then deleted.
  • Anonymised benchmark data: retained indefinitely (cannot be linked back to a person).
  • Payment records: 6 years (UK accounting law).
  • Account data: until you delete your account, then a further 30 days for backup recovery.

Your rights

Under UK GDPR Articles 15 to 22, you have the right to:

  • Know what data we hold about you. We respond within one month.
  • Correct data that is wrong.
  • Delete your data, within the limits of legal retention requirements (e.g. payment records).
  • Restrict certain uses of your data.
  • Port a machine-readable copy of your data to yourself or another controller.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time, for purposes that rely on consent.

Subject access requests go through the contact form. We respond within one month.

Cookies

We use strictly necessary cookies for authentication and session management only. We do not use advertising or tracking cookies. Our Plausible analytics is cookieless and aggregated only.

Full detail is on the cookies page.

Children

freewebsiteaudit.ai is not directed at children under 18. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us and we will remove it.

Changes to this policy

We update this policy as the product changes. Material changes are notified by email to registered users and via a prominent notice on the site. Previous versions are archived and available on request.

Complaints

If you are not satisfied with how we handle your data, you can complain to the UK Information Commissioner’s Office (ICO):

Questions? Use the contact form and a human replies within one working day.

Wingenious Ltd · Registered in England and Wales · Wrexham, North Wales.
