Privacy Policy

Last updated: 3/8/2026

This Privacy Policy explains how OptiConvert (“OptiConvert”, “we”, “us”) collects, uses, and discloses personal information when you use our website and web application at opticonvert.ai (the “Service”). The Service is marketed to users in the United States.

Controller/Contact: OptiConvert, 2248 Broadway #2001, New York, NY 10024, United States • hello@opticonvert.ai

What we do

OptiConvert is a B2B SaaS that analyzes a user‑submitted URL and generates AI‑assisted conversion‑rate optimization (CRO) audits (scores and recommendations). We use Next.js, server‑side headless Chromium/Puppeteer, and Google’s Generative AI (Gemini) to analyze page content and (optionally) a screenshot. We authenticate with Supabase (including Google OAuth), stream results using SSE, send emails via Resend/Supabase, process payments via Stripe, and measure usage with our first‑party analytics system stored in Supabase. Email verification is required on sign‑up; two‑factor verification (2FA) is available but not required.

Information we collect

A) Information you provide

• Account & identity: email address and password (or Google OAuth); we require email verification.
• Inputs: URLs to analyze and optional “Business Context” (approximately 2,000 characters).
• Preferences: language and theme; choices for marketing emails and product update emails (both configurable in settings).
• Support: content of messages you send to support.

B) Information collected automatically

• Technical/usage data: device/OS/browser information, page views, in‑app events, referral/source data, request IDs, application performance and error data. IP addresses may be logged by our hosting infrastructure (e.g., CDN, server runtime) but are not captured or stored by our first‑party analytics system.
• Analytics: first‑party usage events (e.g., page views, feature interactions) collected through our own analytics system and stored in Supabase. Each browser session is assigned a random session identifier stored in sessionStorage. We also collect browser type, device type, viewport size, referrer URL, and the page URL. We do not use Google Analytics or any third‑party analytics SDK.
• Cookies & local storage: see our Cookie Policy for details.

C) From analyzed pages (at your direction)

• Page content & artifacts: page HTML/text and screenshot, headings/links/CTAs/images/scripts/stylesheets/forms, and page performance metrics (e.g., LCP/TTFB/TBT/FCP/LoadTime).
• Incidental personal data: websites you submit may display personal information (e.g., names in testimonials, email addresses), which can be captured during analysis.

D) Information generated by us

• Analysis outputs: CRO scores, recommendations, tags, timestamps.
• Billing/entitlements: credit balance, credit ledger, and subscription mapping to Stripe identifiers.
• Settings: your marketing/product update preferences, language, and theme.

How we use information

• Provide and operate the Service: authenticate users, verify email, process submitted URLs, run analysis, stream results, store audit history and credits, and provide support.
• Billing & account administration: process payments via Stripe; manage subscriptions, credits (including pro‑rated upgrades), expirations, and invoices/receipts.
• Security & fraud prevention: CSRF protection, Supabase Row‑Level Security (RLS), access controls, webhook signature verification, error logging, abuse monitoring.
• Communications: transactional (verification, security, billing, product updates) and, where permitted, marketing or product‑update emails (you can opt out at any time).
• Analytics & improvement: aggregate usage and performance insights to maintain and improve the Service.
• Legal/compliance: tax and accounting records; responding to lawful requests.

Our AI‑generated scores and recommendations are informational tools to assist your decision‑making. They are not automated decisions that produce legal or similarly significant effects.

Cookies & local storage

We use cookies and similar technologies to run and secure the Service and to measure usage.

• Strictly necessary: csrfToken; Supabase auth cookies (sb-fdfrhojltqqbopizxsue-auth-token, sb-fdfrhojltqqbopizxsue-auth-token-code-verifier).
• Analytics: our first‑party analytics system does not set cookies. A random session identifier is stored in sessionStorage and cleared automatically when you close the browser tab.

For details and controls, see our Cookie Policy.

How we share information

We use service providers to operate the Service and do not knowingly sell personal information.

• Stripe (payments, subscriptions, Customer Portal)
• Supabase (database, authentication, analytics; Row‑Level Security enforced)
• Google: Generative AI (Gemini) model inference on page content/screenshots. We use Google's paid Gemini API. Under Google's paid API terms, your submitted content and analysis responses are not used by Google to train or improve their models.
• Resend (SMTP email delivery)
• Hosting/Infrastructure (runtime/CDN/logging); we currently use provider default log retention.

We do not allow third parties to collect personally identifiable information about your online activities while you use our Service, except as described in this policy (e.g., Stripe during checkout).

We may disclose information to comply with law, protect rights and safety, or in connection with a corporate transaction.

Optimization pixel / script

If you enable the OptiConvert optimization pixel on your website, a lightweight script is loaded on your pages. The script reads DOM elements and applies CSS or attribute mutations according to the rules you have saved in the OptiConvert editor. The script fetches its configuration payload from the OptiConvert API.

The optimization script does not track your website's visitors, does not collect analytics or personal data from visitors, and does not set cookies on visitor browsers. The script fetches its configuration from OptiConvert's servers, which may result in incidental IP address logging by hosting infrastructure consistent with standard web traffic; we do not use these logs to identify or profile your visitors. The script operates entirely within the visitor's browser to apply the visual changes you have configured.

International transfers

The Service is marketed to U.S. users and processed primarily in the United States. If you access from outside the U.S., your information may be transferred to and processed in the U.S. by us and our providers.

Your choices

• Email preferences: enable/disable marketing and product update emails in settings or via unsubscribe links.
• Cookies: manage through your browser and any cookie banner we present for non‑essential categories.
• Analytics: our first‑party analytics uses a random session identifier stored in sessionStorage. You can clear it by closing your browser tab or clearing site data in your browser settings.

Access, deletion, and other rights

Delete my data: the in‑app control deletes personal data from OptiConvert’s databases. It does not automatically delete information held by independent providers (e.g., Stripe invoices/receipts). We will assist with feasible deletion requests to processors where appropriate and lawful, and we retain records required for legal or security purposes (e.g., credit ledgers and invoices).

Access/portability/correction: email hello@opticonvert.ai. We may require identity verification before processing your request. We will respond within forty‑five (45) days of receiving a verifiable request. If we need additional time, we will notify you of the extension and the reason.

Authorized agents: you may designate an authorized agent to make a request on your behalf. We may require the agent to provide proof of authorization and may still verify your identity directly.

Appeal: if we deny your request, you may appeal by emailing hello@opticonvert.ai with the subject line "Privacy Appeal." We will respond to your appeal within forty‑five (45) days.

U.S. state privacy laws: where applicable (e.g., California), you may have rights to know, delete, correct, and opt out of certain processing. OptiConvert does not sell personal information or share it for cross‑context behavioral advertising as defined by California law.

Eligibility and children

The Service is intended for adults 18 years or older. We do not direct the Service to children under 13 and do not knowingly collect personal information from them.

Security

We use industry‑standard safeguards, including TLS, access controls, CSRF protection, Supabase Row‑Level Security (RLS), least‑privilege key management, optional 2FA, email verification, webhook signature verification, and scoped in‑memory caching. No method of transmission or storage is 100% secure.

We require our service providers to maintain appropriate administrative, technical, and physical safeguards for personal data.

In the event of a data breach involving your personal information, we will notify you as required by applicable law.

Data retention

• Analysis records (URLs and outputs): retained while your account is active and for a reasonable period thereafter, or until you delete them or close your account — whichever comes first.
• Credit ledger and billing/invoice records: retained as required for legal and accounting purposes.
• Server and infrastructure logs: retained per hosting provider defaults.
• Screenshots and scrape artifacts: processed for analysis; unless embedded in saved analysis outputs, we do not persist raw artifacts beyond generating the analysis.

When personal data is no longer needed for its stated purpose and no legal retention obligation applies, we securely delete or de‑identify it.

Changes to this policy

We will post changes on this page and revise the Effective Date. For material changes, we may notify you by email or in‑app.

Contact

OptiConvert, 2248 Broadway #2001, New York, NY 10024, United States • hello@opticonvert.ai