Privacy Policy

Last updated: May 6, 2026

Introduction

This Privacy Policy explains how sitemora (the "Service"), operated by the sitemora operator (the "Operator"), collects, uses, shares, and protects your personal information when you use our website analysis service.

Sitemora is a SaaS tool that automatically analyzes website structure from a URL. By using the Service, you agree to the collection and use of information as described in this Privacy Policy.

We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Japan's Act on the Protection of Personal Information (APPI).

Information We Collect

1. Information You Provide Directly

  • Account information: name, email address, and profile picture (via Google Sign-In or email/password registration)
  • Authentication credentials: passwords are hashed using bcrypt and never stored in plaintext
  • Account preferences: display and notification language (saved on sign-in and applied to subsequent sessions and outgoing emails)
  • Contact form submissions: name, email address, and message content
  • URLs submitted for analysis: the website addresses you enter for site structure analysis (data collected from analyzed pages — such as page titles, metadata, OGP information, and HTTP status codes — is publicly available information from the target site and does not constitute personal data)
  • PDF report settings: company name, author name, and logo image — stored locally in your browser's localStorage and never sent to our servers

2. Information Collected Automatically

  • Access logs: IP address, browser type, and access timestamps
  • Usage data: number of analyses, pages analyzed, and feature usage frequency
  • Device information: operating system, screen resolution, and language settings

3. Information from Third-Party Services

  • Firebase Authentication: public profile information from your Google account (name, email, profile picture URL) when signing in with Google
  • Stripe: payment processing information (card details are managed directly by Stripe; we do not store card numbers)
  • Google Sheets / Drive API: OAuth access token when you use the spreadsheet export feature; we use this token solely for exporting analysis results and do not access or modify your Google Drive content

4. Partner Program Information

  • Partner details: name, email address, promotional media URL, and monthly page views
  • Referral link clicks: SHA-256 hashed IP address (irreversibly hashed; original IP is not stored), browser User-Agent, and click timestamp
  • Conversion data: referring partner, converted plan, and commission amount

How We Use Your Information

We use collected information solely for the following purposes:

  1. Providing, operating, and maintaining the Service
  2. Managing user accounts and authentication
  3. Processing payments and managing billing for paid plans
  4. Providing customer support and responding to inquiries
  5. Improving the Service, developing new features, and analyzing usage trends
  6. Sending important service notifications (policy changes, maintenance, etc.)
  7. Sending transactional emails (account verification, password reset and change notifications, trial notifications, support replies, etc.), delivered in Japanese or English according to the user's language preference
  8. Operating the partner program (click tracking, conversion management, commission calculation)
  9. Detecting and preventing fraudulent or unauthorized use
  10. Complying with legal obligations

We do not send marketing emails without your consent.

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the Service you signed up for, including account management, website analysis, and payment processing
  • Consent (Art. 6(1)(a) GDPR): where you have given explicit consent, such as for optional analytics cookies (Google Analytics 4 and Microsoft Clarity) or connecting your Google account for spreadsheet export
  • Legitimate interests (Art. 6(1)(f) GDPR): for service improvement, fraud prevention, and security measures, balanced against your rights and freedoms
  • Legal obligation (Art. 6(1)(c) GDPR): where processing is required to comply with applicable laws, such as tax and accounting requirements

Data Sharing & Third Parties

We do not sell your personal information. We share data with third parties only in the following circumstances:

  1. Service providers:
    • Firebase / Google Cloud (authentication, hosting) — Privacy Policy
    • Stripe (payment processing, partner payouts) — Privacy Policy
    • Cloudflare (CDN, static file delivery, bot protection via Turnstile) — Privacy Policy
    • Google Analytics 4 (GA4) (aggregate usage statistics; IP-anonymized; consent-gated) — Privacy Policy
    • Microsoft Clarity (heatmaps and session recording for UI/UX improvement) — Privacy Statement
    • Railway (server hosting)
    • Resend (transactional email delivery) — Privacy Policy
    • Google Sheets / Drive API (spreadsheet export, based on your explicit permission)

    Each service handles information in accordance with its own privacy policy.

  2. Legal requirements: when required by law, court order, or lawful request from government authorities
  3. Protection of rights: when necessary to protect the rights, safety, or property of the Operator, users, or the public
  4. Business transfers: in connection with a merger, acquisition, or sale of assets (we will notify you in advance)
  5. With your consent: when you have given explicit permission

International Data Transfers

Our servers may be located outside your country of residence, including in the United States and Japan. Your personal data may be transferred to and processed in countries that may not provide the same level of data protection as your home country.

For transfers from the EEA/UK, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding contractual obligations with our service providers

By using the Service, you consent to such data transfers. We take appropriate measures to ensure your data remains protected in accordance with this Privacy Policy.

Data Retention

  1. Account information is retained for as long as your account remains active.
  2. Analysis data is retained until you delete the data or your account.
  3. After account deletion, personal information is deleted within 30 days, except where retention is required by law (e.g., accounting records).
  4. Contact form submissions are retained for up to one year after resolution.
  5. Partner program data (click records, conversion records, commission payment records) may be retained for up to 5 years from the last transaction for commission settlement and tax purposes.

Your Rights

All Users

Regardless of your location, you have the right to:

  • Request access to your personal information
  • Request correction of inaccurate personal information
  • Request deletion of your account and data
  • Request information about how your data is used
  • Revoke Google Sheets / Drive API access permissions at any time

Additional Rights for EEA/UK Residents (GDPR)

Under the General Data Protection Regulation, you also have the right to:

  • Right of access (Art. 15): obtain a copy of all personal data we hold about you
  • Right to rectification (Art. 16): correct inaccurate or incomplete personal data
  • Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten")
  • Right to restriction (Art. 18): restrict processing of your personal data in certain circumstances
  • Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format
  • Right to object (Art. 21): object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint: file a complaint with your local data protection authority

Additional Rights for California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the right to:

  • Right to know: request disclosure of the categories and specific pieces of personal information collected in the past 12 months
  • Right to delete: request deletion of collected personal information
  • Right to correct: request correction of inaccurate personal information
  • Right to opt-out: opt out of the "sale" or "sharing" of personal information (note: we do not sell your personal information)
  • Right to non-discrimination: not be discriminated against for exercising your privacy rights

Other U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws may have similar rights under their respective state laws.

How to Exercise Your Rights

To exercise any of the above rights, please contact us via our contact form or at support@sitemora.app. We will verify your identity and respond within 30 days (or within the timeframe required by applicable law).

Children's Privacy

The Service is not directed at children under the age of 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages, in compliance with the U.S. Children's Online Privacy Protection Act (COPPA) and GDPR requirements. If we become aware that we have collected personal information from a child under the applicable age limit, we will promptly delete such information.

Cookie Policy

For detailed information about our use of cookies and similar technologies, please see our Cookie Policy.

In summary, we use:

  • Cloudflare Turnstile: bot protection cookies (essential)
  • localStorage: authentication tokens and partner referral information (retained for 60 days)
  • Google Analytics 4 (GA4): aggregate usage statistics — pageviews, traffic sources, conversions. IP addresses are anonymized; no personally identifiable information is recorded.
  • Microsoft Clarity: heatmaps and session replays for UI/UX improvement. Does not collect personally identifiable information.

Both GA4 and Clarity are classified as analytics cookies and only activate when you select "Accept all" in the cookie consent banner.

Security Measures

  1. We implement appropriate technical and organizational security measures to protect your personal information.
  2. All data is transmitted over encrypted connections (HTTPS/TLS).
  3. Passwords are hashed using bcrypt and never stored in plaintext. Credit card information is managed by Stripe and is not stored on our servers.
  4. IP addresses used for partner click tracking are irreversibly hashed using SHA-256; original IP addresses are not retained.
  5. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

Do Not Track Signal

Some browsers offer a "Do Not Track" (DNT) feature. As there is currently no universally accepted standard for DNT signals, the Service does not respond to DNT signals at this time.

Changes to This Policy

  1. We may update this Privacy Policy from time to time due to changes in law, service features, or other reasons.
  2. If we make material changes, we will notify you via in-app notification or email.
  3. The updated policy takes effect upon publication on this page.

Contact Information

If you have questions about this Privacy Policy, wish to make a data access request, or have any privacy concerns, please contact us using the methods below.

Contact form: Click here

Email: support@sitemora.app

Data Protection Officer / EU Representative

As a small-scale operator, we have not appointed a formal Data Protection Officer (DPO) or EU representative at this time. For all privacy-related inquiries, including GDPR requests, please contact us at support@sitemora.app.

We are committed to responding promptly to all data protection inquiries and cooperating with data protection authorities.