Privacy Policy
1. Who we are
Findrix ("we", "us") is the data controller for information you provide directly. For data we process on behalf of our customers (e.g. their site content, their LLM probe results), our customers are the controllers and Findrix is a processor. A Data Processing Agreement (DPA) applies on Pro and Business tiers (available Phase 2).
2. Data we collect
2.1 Account data
- Email address (for sign-in and notifications)
- OAuth identifiers (when you sign in with Google)
- Billing name + payment method (when on a paid tier — handled by Stripe, not stored on our servers)
2.2 Audit data
- Site URLs you submit for auditing
- HTML, schema, robots.txt, llms.txt, sitemap content fetched from those URLs
- LLM probe responses (prompts and answers from ChatGPT, Claude, Gemini, Perplexity)
- Deploy operation logs (what schema/content patches we shipped, when, where)
2.3 Usage data
- IP address (for rate limiting and abuse prevention)
- User agent (for compatibility metrics)
- Anonymized product analytics events (only with consent — see cookie policy)
3. Why we process this data
Lawful bases under GDPR Article 6:
- Performance of contract: running audits, deploying fixes, generating reports — without these we cannot deliver the service you signed up for.
- Legitimate interest: rate limiting, fraud prevention, abuse mitigation, security audit logs.
- Consent: product analytics (PostHog, Google Analytics), marketing email subscriptions. You can withdraw at any time.
- Legal obligation: tax records on paid invoices, responses to lawful subpoenas.
4. Where data is stored
Primary database: Supabase Postgres in eu-west-1 (Ireland). Hosting and edge: Vercel fra1 (Frankfurt). Analytics: PostHog EU instance (eu.i.posthog.com) and, with your consent, Google Analytics 4 (Google LLC, United States — see international transfers below). Sub-processors are listed in full in our sub-processor list.
Some sub-processors (LLM providers like OpenAI and Anthropic, and — with your consent — Google Analytics) operate primarily in the US. When we send data to them, we rely on Standard Contractual Clauses (SCCs) for the international transfer. We never send raw customer billing or auth data to LLM providers — only the prompts and (where relevant) site content needed for the probe.
5. How long we keep data
- Account data: while your account is active, plus 90 days post-cancellation for export.
- Audit data: while your account is active. Per-customer retention controls available on Pro tier.
- Server logs: 30 days rolling.
- Billing records: 7 years (legal obligation).
Deleting your account. You can close your account at any time from your account settings. Closing it starts a 30-day grace period (cancellable any time before it ends); after that, your login and email are permanently removed. Audit data may be retained in anonymized form, no longer linked to you or any login. To erase all data we hold about you — including anonymized history — email privacy@findrix.ai and we will complete the erasure within 30 days.
6. Who we share data with
We share data only with the sub-processors listed in our sub-processor list, and only as necessary to deliver the service. We never sell personal data to third parties. We never train AI models on customer confidential data.
We disclose data to law enforcement only when required by valid legal process. We publish a yearly transparency report on these requests (Phase 6).
7. Your rights (GDPR / CCPA)
You have the right to:
- Access the personal data we hold about you (GDPR Art. 15)
- Correct inaccurate data (Art. 16)
- Delete your data (Art. 17, "right to be forgotten")
- Restrict processing (Art. 18)
- Port your data (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7)
- Lodge a complaint with your local supervisory authority (Art. 77)
For California residents: equivalent rights under CCPA. We do not sell personal data — "Do Not Sell" requests are honored automatically as part of our default policy.
To exercise any right, email privacy@findrix.ai. We respond within 30 days.
8. Security
Technical and organizational measures:
- TLS 1.3 in transit, AES-256 at rest (Supabase + Vercel default)
- SSRF protection (DNS pinning) on all outbound fetches
- Hash-chained audit log of administrative actions
- OAuth-scoped credentials for stack deploys (no broad credentials stored)
- Rate limiting + Cloudflare Turnstile bot mitigation
- Security disclosures: /.well-known/security.txt
9. Children
Findrix is a B2B product, not directed at children. We do not knowingly collect data from anyone under 16. If you believe we have received such data, contact privacy@findrix.ai and we will delete it.
10. Changes to this policy
We post material changes here at least 30 days before they take effect. We notify account holders by email. The full revision history is available on request.
11. Contact
Privacy questions: privacy@findrix.ai
Data Protection Officer: dpo@findrix.ai
EU representative: TBD (Phase 1 — to be appointed before paid tier launch)
12. Sub-processors snapshot
Current sub-processors (full list with regions and data types at /legal/sub-processors):
| Sub-processor | Service | Region |
|---|---|---|
| Supabase | Postgres database + Auth | EU (eu-west-1) |
| Vercel | Hosting + Edge Network | EU central (fra1 Frankfurt) |
| Inngest | Workflow Runtime | US-east + EU |
| Resend | Transactional Email | US-east |
| Anthropic | Claude API (audit + tracking) | US |
| OpenAI | GPT-5 API (citation tracking) | US |
| Google AI | Gemini API (citation tracking) | US + EU |
| Perplexity | Sonar API (citation tracking) | US |
| xAI | Grok API (citation tracking) | US |
| Browserbase | Headless Chrome (site crawling) | US |
| PostHog | Product Analytics (consent-gated) | EU (eu.i.posthog.com) |
| Google Analytics 4 | Web Analytics (consent-gated, Consent Mode v2) | US (Google LLC; SCCs) |
| Cloudflare Turnstile | Bot Mitigation | Global edge |
