1. What We Collect
Daylytix collects only the data necessary to provide and improve the service. We collect information in the following categories:
- Account data: Name, email address, and hashed password when you register. If you sign in via Google OAuth, we receive your name, email, and profile picture from Google.
- Billing data: Subscription plan and billing status. Payment details (card numbers, etc.) are handled exclusively by Stripe and are never stored on our servers.
- Audit data: URLs, crawl results, audit scores, and SEO metrics for sites you choose to audit. This data belongs to you and is stored to power your dashboard, history, and reports.
- Usage data: Anonymised logs of features used, audit frequency, and error events. Used to improve the product. No personally identifiable information is stored in usage logs.
- Configuration data: Agency name, logo, brand colours, and integration keys (GSC service account JSON, GA4 property ID) that you provide to configure the platform.
2. How We Use Your Data
We use the data we collect solely to operate and improve Daylytix. Specifically:
- To authenticate your account and maintain your session.
- To run site audits, crawl URLs you provide, and generate reports on your behalf.
- To process subscription billing and manage your plan via Stripe.
- To send transactional emails - including audit completion notifications, scheduled report deliveries, and performance budget alerts - to the email address you registered with.
- To improve platform reliability, fix bugs, and prioritise new features based on anonymised usage patterns.
We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not use your data to train AI models.
3. Third-Party Services
Daylytix integrates with the following third-party services to deliver its functionality:
- Google OAuth / Google Search Console / Google Analytics 4: When you connect GSC or GA4, Daylytix accesses your Google account data via OAuth 2.0. We use your GSC and GA4 data exclusively to populate your Daylytix audit reports and dashboard. This data is fetched on-demand during audits and is not stored permanently beyond your audit result files, which remain in your account and under your control. Daylytix's use of Google APIs is in compliance with Google's API Services User Data Policy, including the Limited Use requirements.
- Stripe: Handles all payment processing. Card details are never transmitted to or stored on Daylytix servers. Stripe's privacy policy applies to billing data.
- AI provider: If you configure an AI provider API key for AI features, requests are sent directly to the AI provider API. Daylytix does not proxy or store the contents of AI generation requests beyond what is shown in your session.
- Google Fonts: Used to load the Inter typeface for the web interface. Google's standard font service terms apply.
- Bing Webmaster Tools API: Accessed on your behalf using credentials you provide. Data is used only within your audit session and reports.
4. Data Storage & Security
Audit results and account data are stored on servers located within the European Union. We apply industry-standard security practices including:
- Passwords stored using bcrypt hashing - plain-text passwords are never stored.
- All data transmitted over HTTPS using TLS 1.2 or higher.
- Service account credentials and API keys stored in encrypted configuration files with restricted file system access.
- Regular security reviews and dependency updates.
Audit JSON files are retained for 90 days by default to support score history and comparison features. You may delete individual audits or your entire account at any time from your account settings.
5. Your Rights
Depending on your location, you may have the following rights under applicable data protection law (including GDPR for EU residents):
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your account and all associated data. We will process erasure requests within 30 days.
- Portability: Request your audit data in a machine-readable format (JSON export is available from within the platform).
- Objection: Object to processing of your personal data where we rely on legitimate interests as the legal basis.
- Withdraw consent: Revoke Google OAuth access at any time via your Google account permissions page. This will disable GSC and GA4 integrations.
To exercise any of these rights, contact us at privacy@daylytix.com.
6. Cookies
Daylytix uses a minimal set of cookies necessary to operate the service:
- Session cookie: A secure, HTTP-only cookie that maintains your authenticated session. It expires when you close your browser or log out.
- CSRF token: A security cookie that protects against cross-site request forgery attacks.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking networks.