Privacy Policy

Last updated: 14 May 2026

1. Overview

GSC Wizard ("the service", "I", "me") is a web application that connects to Google Search Console and related SEO data sources to provide analytics, reports, and automation for site owners. This policy describes exactly what data I store, why I store it, and how long I keep it.

2. Information I Collect

2.1 Account & identity

  • Profile: your name, email address, and profile image, received from Google when you sign in with OAuth.
  • Linked Google accounts: encrypted OAuth access and refresh tokens, account email, account name, and the scopes granted. The default scope is webmasters.readonly (read-only Search Console). If you opt in to BigQuery synchronization (see 2.2), you may be asked separately to grant bigquery.readonly in addition, so the service can read your Search Console bulk export from your own BigQuery dataset. Tokens are encrypted at rest with AES-256-GCM.
  • Email forwarding token: a unique token that lets you forward Google Search Console notification emails into the app for parsing.

2.2 Search Console & SEO data

When you use reports, I request data from the Google Search Console API, the Google URL Inspection API, and optionally from Bing Webmaster Tools and IndexNow. If you have enabled Search Console bulk data export into your own Google BigQuery dataset and choose to connect it, I read those same Search Console performance rows from BigQuery instead of (or in addition to) the API. Only the dataset you point me at is read, and only the searchdata_site_impression, searchdata_url_impression and ExportLog tables that Google's bulk export writes. The following is stored in my database:

  • Sites you track (URLs; tags; branded keywords; sitemap URLs; optional GA4 configuration; optional BigQuery configuration, meaning the GCP project ID, dataset ID and table prefix you point the integration at, plus sync state such as last-synced date; optional encrypted Bing API key; optional IndexNow key).
  • Report cache - cached JSON responses for Queries, Pages, Countries, Dashboard, and similar reports, keyed to your user so repeated views don't burn API quota. Each entry has an expiry timestamp.
  • Sampling & CTR-curve reports - aggregated sampling metrics and CTR-by-position buckets per site and date range.
  • URL inspections & bulk inspection batches - results of Google's Index API (verdict, coverage state, last crawl time, referring URLs, page fetch state) and the batch jobs you run against them.
  • Indexing tracker - URLs you watch, their current and previous indexing status, a history of status transitions, and queued warnings for email digests.
  • On-page SEO crawls & reports - title, meta description and H1 tags fetched from your own pages, plus findings that cross-reference those with your GSC queries. Full HTML bodies are not stored.
  • Topic clusters, content groups, experiments, saved filters, and redirect mappings you create inside the app.
  • GSC messages - if you forward Google's notification emails via your forwarding token, the parsed subject, body, sender, category, and severity are stored.
  • IndexNow submissions - an audit trail of URLs you submit and the response code returned.

2.3 Sharing & client portal

  • Clients: email addresses and names of external people you grant access to shared reports.
  • Shared reports: snapshots (HTML or JSON data) of reports you explicitly choose to share.
  • Magic-link & client sessions: one-time tokens and short-lived session records that let invited clients view shared reports without a password.

2.4 Billing

Subscriptions are managed by Stripe. I store a subscription record linking your account to a Stripe customer and plan; payment card details are handled by Stripe and never touch my servers.

2.5 Operational data

  • API usage counters per site per day, used to respect Google's 2,000/day URL Inspection quota.
  • Rate-limit counters to prevent abuse of shared endpoints.
  • Feature events for the optional gamification UI (e.g. "first report generated"). You can disable gamification in your profile.

3. How I Use Your Data

Stored data is used only to:

  • Authenticate you and keep your session active.
  • Call Google, Bing and IndexNow APIs on your behalf to build the reports you request.
  • Cache those results so the app is fast and stays within API quotas.
  • Send account, billing and (if you opt in) indexing-warning emails.
  • Let you share reports with clients you explicitly invite.
  • Diagnose errors and improve the product (see Analytics below).

I do not sell your data, I do not use your Search Console data to train AI models, and I do not share it with third parties except the sub-processors listed below.

4. Sub-processors

  • Supabase - authentication and PostgreSQL database.
  • Hetzner - application hosting (EU data center, Falkenstein).
  • Vercel - marketing website hosting (www.gscwizard.com).
  • Stripe - payment processing and subscription billing.
  • Google - OAuth, Search Console API, URL Inspection API, and (if you opt in) BigQuery read-only access to your own GSC bulk-export dataset.
  • Microsoft Bing - Webmaster Tools API (only if you provide a key).
  • PostHog - product analytics and error tracking.
  • Email provider - transactional and digest emails.

5. Analytics & Error Tracking

I use PostHog to understand how the product is used and to catch errors.

Marketing site (before sign-in)

Cookieless, aggregated tracking only: page path, referrer, coarse country, device type. No identifiers are stored on your device until you accept the cookie banner.

Application (after sign-in)

If you accept analytics cookies, PostHog associates events with your user ID so I can reproduce bugs you report and understand which features are used. Events cover feature usage, session duration, and errors. Your Search Console data is never sent to PostHog.

6. Cookies

See the dedicated Cookie Policy for the full list of cookies and local-storage keys used by the service.

7. Data Retention

  • Account & linked Google accounts: kept until you delete your account or disconnect the integration.
  • Report cache: automatically expires based on per-entry TTL.
  • CTR-curve & API-usage data: auto-cleaned after ~7 days.
  • Rate-limit entries: auto-cleaned once expired.
  • URL inspections, indexing history, on-page crawls, GSC messages, redirect mappings, IndexNow submissions: kept for as long as the related site exists, as a historical audit trail.
  • Magic links & client sessions: short expiry (hours).
  • Billing records: retained as long as required by applicable tax and accounting law.

8. Security

  • Google OAuth tokens and Bing API keys are encrypted at rest (AES-256-GCM).
  • Row-level security policies on every database table restrict rows to their owner.
  • Traffic is served over HTTPS/TLS.
  • Access to the production database is restricted to the service role and to me as the operator.

9. Google API Services

GSC Wizard's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Search Console data, and (if you opt in) the rows I read from your BigQuery bulk-export dataset, are used only to provide user-facing features you request. They are not shared with third parties, are not used for advertising, and are not used to train generalized ML/AI models. The optional BigQuery scope (bigquery.readonly) is requested only when you click "Connect BigQuery" in your settings, can be revoked at any time from your Google Account, and is never requested for users who do not opt in.

10. Your Rights

You have the right to:

  • Access and export your data from your account page.
  • Request correction or deletion of your account and all associated data.
  • Revoke Google's OAuth grant at any time via your Google Account settings.
  • Withdraw analytics consent at any time via the cookie banner.
  • Lodge a complaint with your local data-protection authority.

11. Children's Privacy

This service is not intended for children under 13 and I do not knowingly collect personal information from children under 13.

12. Changes to This Policy

I may update this Privacy Policy from time to time. Material changes will be reflected on this page with an updated "Last updated" date.

13. Contact

Questions or data-subject requests:

privacy@gscwizard.com