Last updated: May 5, 2026 · Effective: May 5, 2026
Plain-English summary: We collect your email and audit URLs to provide the service. We don't sell your data. We use industry-standard third-party tools to process payments, send emails, and run AI analysis. You can request deletion of your data at any time by emailing privacy@quivra.io.
1. Who We Are
Quivra.io ("Quivra," "we," "our," or "us") is an SEO analysis platform that helps website owners audit their search engine and AI search visibility. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our website at quivra.io and related services (collectively, the "Service").
Account information: Email address and password (stored as a one-way bcrypt hash) when you register.
Audit URLs: Website URLs you submit for SEO analysis.
Lead capture: Name and email address if you use our free audit gate before creating an account.
Payment information: Billing details entered during checkout. We do not store card numbers — all payment data is handled by Stripe.
Alert preferences: Email notification thresholds and digest schedule you configure.
Keywords: Search keywords you add for rank tracking.
Information collected automatically:
Usage data: Pages visited, features used, audit frequency, and error events for debugging.
Technical data: IP address, browser type, operating system, and referrer URL when you access the Service.
Cookies: Authentication tokens stored as httpOnly cookies. See Section 5 for details.
Information about third-party websites:
When you submit a URL for auditing, our servers fetch publicly available data from that URL (HTML, robots.txt, sitemap.xml). We do not access any private or authenticated pages of third-party sites.
3. How We Use Your Data
We use the information we collect to:
Provide, maintain, and improve the Service
Authenticate you and secure your account
Process payments and manage your subscription
Send transactional emails (password resets, audit alerts, weekly digests) that you opt into
Notify you of significant SEO score changes on your tracked sites
Generate audit reports and keyword ranking data
Respond to your support requests
Detect and prevent fraud, abuse, or security incidents
Comply with applicable legal obligations
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
4. Third-Party Services
We share data with the following service providers solely to operate the Service. Each is bound by their own privacy practices:
Stripe
Payment processing & subscription management. Stripe handles all card data under PCI-DSS compliance.
AI-powered SEO fix recommendations. Audit data is sent to Claude's API for analysis.
Railway
Cloud hosting and PostgreSQL database. Data is stored on Railway-managed infrastructure.
Google Custom Search
Keyword position tracking. Keywords are sent to Google's API to check search rankings.
We may also disclose your information if required by law, court order, or government request, or to protect the rights, property, or safety of Quivra.io, our users, or others.
5. Cookies & Tracking
We use a minimal set of cookies:
Authentication cookie: A signed, httpOnly, secure JWT token set when you log in. Required for the Service to function. Expires after 7 days.
Local storage: We store a short-lived audit token (24-hour TTL) in your browser's localStorage after completing the free audit gate, so you don't have to re-enter your email within the same session.
We do not use third-party advertising cookies, cross-site tracking pixels, or behavioral profiling.
You can clear cookies and localStorage at any time through your browser settings. Clearing the auth cookie will log you out.
6. Data Retention
Account data: Retained as long as your account is active. Deleted within 30 days of account deletion request.
Audit results: Stored indefinitely while your account is active. Deleted with your account.
Keyword rankings: Up to 30 historical data points per keyword. Deleted when you remove a keyword or your account.
Lead capture records: Retained for up to 12 months for conversion analysis, then deleted or anonymized.
Payment records: Stripe retains transaction records per their legal obligations (typically 7 years for financial records).
7. Your Rights
Regardless of your location, you have the right to:
Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate data.
Deletion: Request deletion of your account and associated data.
Portability: Request your data in a machine-readable format.
Opt-out: Unsubscribe from alert emails and weekly digests via the unsubscribe link in any email or through your account settings.
To exercise any of these rights, email privacy@quivra.io. We respond within 30 days.
8. GDPR — EU/EEA Users
If you are located in the European Union or European Economic Area, the following applies under the General Data Protection Regulation (GDPR):
Legal bases for processing:
Contract performance: Processing necessary to deliver the Service you signed up for (audits, account management, payments).
Legitimate interests: Fraud prevention, security monitoring, and service improvement.
Consent: Marketing emails and weekly digest (you opt in; you may withdraw at any time).
Legal obligation: Financial record-keeping and regulatory compliance.
Data transfers: Your data may be processed in the United States (Railway, Stripe, Anthropic). We rely on standard contractual clauses and the EU-U.S. Data Privacy Framework where applicable.
Data Protection Officer: We do not currently have a formal DPO. Privacy inquiries go to privacy@quivra.io.
Right to lodge a complaint: You may file a complaint with your local data protection supervisory authority.
9. CCPA — California Users
If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendment (CPRA) grant you additional rights:
Right to Know: Request disclosure of personal information we collect, use, or share.
Right to Delete: Request deletion of your personal information (subject to certain exceptions).
Right to Opt-Out: We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of in this regard.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, email privacy@quivra.io with "CCPA Request" in the subject line. We will verify your identity before fulfilling the request.
10. Security
We take reasonable technical and organizational measures to protect your data, including:
Passwords hashed with bcrypt (10 rounds) — we never store plaintext passwords
Authentication tokens stored as httpOnly, secure, sameSite cookies
HTTPS enforced across all pages and API endpoints
Database access restricted to application servers via private network
Security headers (HSTS, CSP, X-Frame-Options) applied via Helmet.js
Rate limiting on all authentication and audit endpoints
No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it responsibly to security@quivra.io.
11. Children's Privacy
The Service is not directed to children under 13 (or under 16 for EU users). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us at privacy@quivra.io and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, notify you by email or prominent notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
13. Contact Us
For privacy-related questions, data access requests, or complaints: