This document is a starting template and not legal advice. It must be reviewed and adapted by qualified legal counsel before you rely on it. Every placeholder shown in [brackets] — including the legal entity name, registered address, commercial-register number and the data-protection contact — must be completed with your real details before publication.
This Privacy Policy explains how [Legal entity name] (“Legible”, “we”, “us”) collects, uses, discloses and protects personal data when you visit legibleindex.com or use the Legible service (the “Service”), a Generative Engine Optimization and AI-visibility tool that scores how ready a website is to be found and cited by AI assistants. It applies alongside our Cookie Policy and Terms of Service.
Who is responsible for your data
The data controller is [Legal entity name], [registered address], commercial-register no. [CHE-/UID number]. For any privacy question, or to exercise your rights, contact our data-protection contact [name / function] at hello@legibleindex.com.
What data we collect
We collect only the data we need to run the Service:
- Account data. Your email address. Legible uses passwordless, magic-link authentication, so we do not collect or store a password from you.
- Scan history. The URLs you submit for scanning and the resulting readiness scores, kept so you can revisit past audits in your dashboard.
- Subscription & billing data. Your plan, subscription status and billing identifiers. Card numbers are entered directly with our payment processor (Stripe) and are never seen or stored by Legible.
- Monitoring & alert configuration. Any monitoring rules and alert settings you create, so we can run scheduled re-scans and notify you.
- Technical data. Your IP address is processed transiently for rate-limiting and abuse prevention; it is not stored in our database long-term. We also process standard request metadata needed to deliver and secure the Service.
- Scanned page content. When you scan a URL, we fetch that publicly accessible page and extract its text. We do not control and are not responsible for personal data that a third party may have published on the page you choose to scan.
How and why we use your data — and the legal bases
Under the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP) we process personal data on the following grounds:
- To provide the Service — authenticating you, running scans, storing scan history, operating monitoring and sending you results. Legal basis: performance of our contract with you (GDPR Art. 6(1)(b)).
- To process payments and manage subscriptions for the Pro plan. Legal basis: performance of our contract (GDPR Art. 6(1)(b)).
- To send transactional email — magic-link sign-in messages and alerts you have configured. Legal basis: contract performance and our legitimate interest in operating the Service (GDPR Art. 6(1)(b) and (f)).
- To secure the Service and prevent abuse — transient IP-based rate-limiting and security logging. Legal basis: our legitimate interest in keeping the Service available and secure (GDPR Art. 6(1)(f)).
- To understand aggregate usage via privacy-friendly, cookieless analytics. Legal basis: our legitimate interest in improving the Service (GDPR Art. 6(1)(f)). See our Cookie Policy.
- To comply with legal obligations, such as keeping records required by accounting and tax law. Legal basis: legal obligation (GDPR Art. 6(1)(c)).
Processors and sub-processors
We rely on a small set of carefully chosen service providers who process personal data on our behalf, under data-processing agreements. The current list is:
- Supabase — authentication and our PostgreSQL database (account email, scan history, subscriptions, monitoring configs and alerts). Our database is hosted in the EU region eu-central-2 for EU data residency.
- Vercel — application hosting, serverless functions and global content delivery, plus the AI Gateway used to route deep-audit requests. Vercel runs serverless functions on EU and global edge infrastructure.
- Stripe — payment processing for the Pro plan. Stripe handles all card data directly as an independent controller for payment purposes; Legible never receives your full card number.
- Infomaniak — a Swiss provider used for transactional email (SMTP), delivering magic-link sign-in messages and alerts from hello@legibleindex.com.
- Vercel Analytics — privacy-friendly, aggregate web analytics that does not use tracking cookies.
- AI model providers — OpenAI, Anthropic, Google and Perplexity, reached through the Vercel AI Gateway. We send them extracted text from the public page you scan so their models can run the deep-audit modules (see below).
EU data residency
Your account and saved data live in our Supabase database in the EU region eu-central-2. We design the Service so that your stored personal data remains within the EU/EEA. Some processing necessarily involves the providers listed above; where that happens, we use the safeguards described under “International transfers”.
AI processing of scanned content and international transfers
The deep-audit modules require analysis by large language models. When you run a scan, the text we extract from the public URL you submitted — together with limited technical context — may be sent to one or more of OpenAI, Anthropic, Google or Perplexity via the Vercel AI Gateway. Some of these providers process data outside the EU/EEA and Switzerland, including in the United States.
Where personal data is transferred outside the EU/EEA or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (with the Swiss addendum where relevant) and, where applicable, adequacy decisions. You should avoid submitting URLs that you do not want fetched and analysed, and you should not scan pages whose content you are not entitled to share.
How long we keep your data
- Account and scan history — kept while your account is active. If you delete your account, we delete or anonymise the associated personal data within a reasonable period, except where we must retain certain records by law.
- Billing records — retained for the period required by applicable accounting and tax law.
- IP addresses for rate-limiting — processed transiently and not retained long-term.
- Aggregate analytics — retained in non-identifying, aggregated form.
Your rights
Under the GDPR and the Swiss nFADP you have the right to access your personal data; to rectify inaccurate data; to erasure; to restrict or object to certain processing; to data portability; and, where processing is based on consent, to withdraw that consent at any time without affecting prior processing. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
To exercise any of these rights, email hello@legibleindex.com. You may also lodge a complaint with a supervisory authority: in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU/EEA, your local data protection authority.
Security
We use technical and organisational measures appropriate to the risk, including encryption in transit, access controls, EU-hosted storage and a payment flow in which card data never touches our systems. No method of transmission or storage is completely secure, but we work to protect your data and to notify you and the relevant authorities of any qualifying breach as required by law.
Children
The Service is intended for businesses and professionals and is not directed to children. We do not knowingly collect personal data from children.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, take reasonable steps to inform you.
Contact
Questions about this policy or your data? Email hello@legibleindex.com, or write to [Legal entity name], [registered address]. See also our Cookie Policy, Terms of Service and Imprint.