Privacy Policy
Last updated: 9/30/2025
This Privacy Policy explains how OptiConvert (“OptiConvert”, “we”, “us”) collects, uses, and discloses personal information when you use our website and web application at opticonvert.ai (the “Service”). The Service is marketed to users in the United States.
Controller/Contact: OptiConvert, 2248 Broadway #2001, New York, NY 10024, United States • hello@opticonvert.ai
What we do
OptiConvert is a B2B SaaS that analyzes a user‑submitted URL and generates AI‑assisted conversion‑rate optimization (CRO) audits (scores and recommendations). We use Next.js, server‑side headless Chromium/Puppeteer, and Google’s Generative AI (Gemini) to analyze page content and (optionally) a screenshot. We authenticate with Supabase (including Google OAuth), stream results using SSE, send emails via Resend/Supabase, process payments via Stripe, and measure usage with Google Analytics and Supabase Analytics. Email verification is required on sign‑up; two‑factor verification (2FA) is available but not required.
Information we collect
A) Information you provide
- Account & identity: email address and password (or Google OAuth); we require email verification.
- Inputs: URLs to analyze and optional “Business Context” (approximately 2,000 characters).
- Preferences: language and theme; choices for marketing emails and product update emails (both configurable in settings).
- Support: content of messages you send to support.
B) Information collected automatically
- Technical/usage data: IP address, device/OS/browser information, page views, in‑app events, referral/source data, request IDs, application performance and error data.
- Analytics: Google Analytics and Supabase Analytics events to understand feature usage and improve the Service.
- Cookies & local storage: see our Cookie Policy for details.
C) From analyzed pages (at your direction)
- Page content & artifacts: page HTML/text and screenshot, headings/links/CTAs/images/scripts/stylesheets/forms, and page performance metrics (e.g., LCP/TTFB/TBT/FCP/LoadTime).
- Incidental personal data: websites you submit may display personal information (e.g., names in testimonials, email addresses), which can be captured during analysis.
D) Information generated by us
- Audit outputs: CRO scores, recommendations, tags, timestamps.
- Billing/entitlements: credit balance, credit ledger, and subscription mapping to Stripe identifiers.
- Settings: your marketing/product update preferences, language, and theme.
How we use information
- Provide and operate the Service: authenticate users, verify email, process submitted URLs, run analysis, stream results, store audit history and credits, and provide support.
- Billing & account administration: process payments via Stripe; manage subscriptions, credits (including pro‑rated upgrades), expirations, and invoices/receipts.
- Security & fraud prevention: CSRF protection, Supabase Row‑Level Security (RLS), access controls, webhook signature verification, error logging, abuse monitoring.
- Communications: transactional (verification, security, billing, product updates) and, where permitted, marketing or product‑update emails (you can opt out at any time).
- Analytics & improvement: aggregate usage and performance insights to maintain and improve the Service.
- Legal/compliance: tax and accounting records; responding to lawful requests.
Cookies & local storage
We use cookies and similar technologies to run and secure the Service and to measure usage.
- Strictly necessary: csrfToken; pendingVerificationEmail; Supabase auth cookies (sb-fdfrhojltqqbopizxsue-auth-token, sb-fdfrhojltqqbopizxsue-auth-token-code-verifier).
- Analytics: Google Analytics cookies (e.g., _ga, _ga_*, _gid).
- LocalStorage: client‑side task/completion flags for audit recommendations.
For details and controls, see our Cookie Policy.
How we share information
We use service providers to operate the Service and do not knowingly sell personal information.
- Stripe (payments, subscriptions, Customer Portal)
- Supabase (database, authentication, analytics; Row‑Level Security enforced)
- Google: Analytics and Generative AI (Gemini) model inference on page content/screenshots
- Resend (SMTP email delivery)
- Hosting/Infrastructure (runtime/CDN/logging); we currently use provider default log retention.
We may disclose information to comply with law, protect rights and safety, or in connection with a corporate transaction.
International transfers
The Service is marketed to U.S. users, and information is processed primarily in the United States. If you access the Service from outside the U.S., your information may be transferred to and processed in the U.S. by us and our providers.
Your choices
- Email preferences: enable/disable marketing and product update emails in settings or via unsubscribe links.
- Cookies: manage through your browser and any cookie banner we present for non‑essential categories.
- Analytics: you may use Google’s opt‑out browser add‑on if desired.
Access, deletion, and other rights
Delete my data: the in‑app control deletes personal data from OptiConvert’s databases. It does not automatically delete information held by independent providers (e.g., Stripe invoices/receipts, Google Analytics aggregates). We will assist with feasible deletion requests to processors where appropriate and lawful, and we retain records required for legal or security purposes (e.g., credit ledgers and invoices).
Access/portability/correction: email hello@opticonvert.ai (we may require identity verification).
U.S. state privacy laws: where applicable (e.g., California), you may have rights to know, delete, correct, and opt out of certain processing. OptiConvert does not sell personal information or share it for cross‑context behavioral advertising as defined by California law.
Eligibility and children
The Service is intended for adults 18 years or older. We do not direct the Service to children under 13 and do not knowingly collect personal information from them.
Security
We use industry‑standard safeguards, including TLS, access controls, CSRF protection, Supabase Row‑Level Security (RLS), least‑privilege key management, optional 2FA, email verification, webhook signature verification, and scoped in‑memory caching. No method of transmission or storage is 100% secure.
Data retention
- Audit records (URLs and outputs): retained for 24 months after your last activity, or until you delete them or close your account—whichever comes first.
- Credit ledger and billing/invoice records: retained for legal/accounting purposes (typically 7 years).
- Server/Supabase logs: retained per provider defaults; Datadog logs are not yet integrated.
- Screenshots and scrape artifacts: processed for analysis; unless embedded in saved audit outputs, we do not persist raw artifacts beyond generating the audit.
Changes to this policy
We will post changes on this page and revise the Effective Date. For material changes, we may notify you by email or in‑app.
Contact
OptiConvert, 2248 Broadway #2001, New York, NY 10024, United States • hello@opticonvert.ai