Privacy Policy
Last updated: 15 April 2026
1. Overview
GSC Wizard ("the service", "I", "me") is a web application that connects to Google Search Console and related SEO data sources to provide analytics, reports, and automation for site owners. This policy describes exactly what data I store, why I store it, and how long I keep it.
2. Information I Collect
2.1 Account & identity
- Profile: your name, email address, and profile image, received from Google when you sign in with OAuth.
- Linked Google accounts: encrypted OAuth access and refresh tokens, account email, account name, and the scope granted (webmasters.readonly). Tokens are encrypted at rest with AES-256-GCM.
- Email forwarding token: a unique token that lets you forward Google Search Console notification emails into the app for parsing.
2.2 Search Console & SEO data
When you use reports, I request data from the Google Search Console API, the Google URL Inspection API, and optionally from Bing Webmaster Tools and IndexNow. The following is stored in my database:
- Sites you track (URLs, tags, branded keywords, sitemap URLs, optional GA4 / BigQuery configuration, optional encrypted Bing API key, optional IndexNow key).
- Report cache - cached JSON responses for Queries, Pages, Countries, Dashboard, and similar reports, keyed to your user so repeated views don't burn API quota. Each entry has an expiry timestamp.
- Sampling & CTR-curve reports - aggregated sampling metrics and CTR-by-position buckets per site and date range.
- URL inspections & bulk inspection batches - results of Google's Index API (verdict, coverage state, last crawl time, referring URLs, page fetch state) and the batch jobs you run against them.
- Indexing tracker - URLs you watch, their current and previous indexing status, a history of status transitions, and queued warnings for email digests.
- On-page SEO crawls & reports - title, meta description and H1 tags fetched from your own pages, plus findings that cross-reference those with your GSC queries. Full HTML bodies are not stored.
- Topic clusters, content groups, experiments, saved filters, and redirect mappings you create inside the app.
- GSC messages - if you forward Google's notification emails via your forwarding token, the parsed subject, body, sender, category, and severity are stored.
- IndexNow submissions - an audit trail of URLs you submit and the response code returned.
2.3 Sharing & client portal
- Clients: email addresses and names of external people you grant access to shared reports.
- Shared reports: snapshots (HTML or JSON data) of reports you explicitly choose to share.
- Magic-link & client sessions: one-time tokens and short-lived session records that let invited clients view shared reports without a password.
2.4 Billing
Subscriptions are managed by Stripe. I store a subscription record linking your account to a Stripe customer and plan; payment card details are handled by Stripe and never touch my servers.
2.5 Operational data
- API usage counters per site per day, used to respect Google's 2,000/day URL Inspection quota.
- Rate-limit counters to prevent abuse of shared endpoints.
- Feature events for the optional gamification UI (e.g. "first report generated"). You can disable gamification in your profile.
3. How I Use Your Data
Stored data is used only to:
- Authenticate you and keep your session active.
- Call Google, Bing and IndexNow APIs on your behalf to build the reports you request.
- Cache those results so the app is fast and stays within API quotas.
- Send account, billing and (if you opt in) indexing-warning emails.
- Let you share reports with clients you explicitly invite.
- Diagnose errors and improve the product (see Analytics below).
I do not sell your data, I do not use your Search Console data to train AI models, and I do not share it with third parties except the sub-processors listed below.
4. Sub-processors
- Supabase - authentication and PostgreSQL database.
- Vercel - application hosting and edge functions.
- Stripe - payment processing and subscription billing.
- Google - OAuth, Search Console API, URL Inspection API.
- Microsoft Bing - Webmaster Tools API (only if you provide a key).
- PostHog - product analytics and error tracking.
- Email provider - transactional and digest emails.
5. Analytics & Error Tracking
I use PostHog to understand how the product is used and to catch errors.
Marketing site (before sign-in)
Cookieless, aggregated tracking only: page path, referrer, coarse country, device type. No identifiers are stored on your device until you accept the cookie banner.
Application (after sign-in)
If you accept analytics cookies, PostHog associates events with your user ID so I can reproduce bugs you report and understand which features are used. Events cover feature usage, session duration, and errors. Your Search Console data is never sent to PostHog.
6. Cookies
See the dedicated Cookie Policy for the full list of cookies and local-storage keys used by the service.
7. Data Retention
- Account & linked Google accounts: kept until you delete your account or disconnect the integration.
- Report cache: automatically expires based on per-entry TTL.
- CTR-curve & API-usage data: auto-cleaned after ~7 days.
- Rate-limit entries: auto-cleaned once expired.
- URL inspections, indexing history, on-page crawls, GSC messages, redirect mappings, IndexNow submissions: kept for as long as the related site exists, as a historical audit trail.
- Magic links & client sessions: short expiry (hours).
- Billing records: retained as long as required by applicable tax and accounting law.
8. Security
- Google OAuth tokens and Bing API keys are encrypted at rest (AES-256-GCM).
- Row-level security policies on every database table restrict rows to their owner.
- Traffic is served over HTTPS/TLS.
- Access to the production database is restricted to the service role and to me as the operator.
9. Google API Services
GSC Wizard's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Search Console data is used only to provide user-facing features you request, is not shared with third parties, is not used for advertising, and is not used to train generalized ML/AI models.
10. Your Rights
You have the right to:
- Access and export your data from your account page.
- Request correction or deletion of your account and all associated data.
- Revoke Google's OAuth grant at any time via your Google Account settings.
- Withdraw analytics consent at any time via the cookie banner.
- Lodge a complaint with your local data-protection authority.
11. Children's Privacy
This service is not intended for children under 13 and I do not knowingly collect personal information from children under 13.
12. Changes to This Policy
I may update this Privacy Policy from time to time. Material changes will be reflected on this page with an updated "Last updated" date.
13. Contact
Questions or data-subject requests: