Legal
Privacy Policy
Last updated: May 7, 2026
Summary
- We do not store raw IP addresses. Every IP is SHA-256 hashed at the moment of ingest and discarded.
- We do not set advertising cookies. Our tracker respects OneTrust, Cookiebot, and Google Consent Mode v2.
- Raw event data is deleted after 90 days. Aggregated insights are retained.
- You can request deletion or export at any time by emailing privacy@webgrade.io.
1. Who we are
WebGrade is a website intelligence platform operated by Greater Sum Ventures. We help website operators (our customers) understand how visitors interact with their sites so they can fix usability, SEO, and conversion issues. This policy covers two groups of people:
- Customers — businesses that sign up for a WebGrade account.
- End visitors — people who visit websites that have installed the WebGrade tracking snippet.
2. What we collect from website visitors
When a website you visit has installed our tracking snippet, we receive a stream of behavioral events about your session. We collect:
- Pages viewed and the order you viewed them in
- Behavioral signals: clicks, scroll depth, hesitation, rage clicks, form focus, exit intent
- Approximate location (country and region) derived from your IP before the IP is hashed
- Device, browser, and operating system as reported by your browser
- A privacy-preserving fingerprint (HMAC-SHA256 of IP + user agent + screen + timezone, with a salt that rotates daily)
- Referrer and UTM/click-ID parameters present in the page URL
We do not collect names, email addresses, phone numbers, payment details, or the contents of forms you fill in, unless a customer's site explicitly chooses to mark a specific event as a conversion that includes a form ID.
3. How we handle IP addresses
IP addresses are sensitive because they can identify individual people. We treat them accordingly:
- Your IP arrives at our ingestion endpoint inside the HTTP request.
- Before any database write, the IP is hashed with SHA-256 combined with the customer's site identifier and a fixed application salt. The result is a 64-character string with no practical reverse path to the original IP.
- The raw IP is discarded. Only the hash, the country, and the region are stored.
- The hashing rule is applied universally — there is no code path in our system that writes a raw IP to long-term storage.
4. Consent
Our tracking snippet is consent-aware. Before initializing, it checks for signals from the consent management platforms installed on the page:
- OneTrust (category C0002 — performance cookies)
- Cookiebot
- Google Consent Mode v2 (analytics_storage)
If consent has not been granted, the snippet runs in anonymous mode: nothing is sent to our servers and no persistent identifiers are written. A best-effort session-only record is held in sessionStorage and discarded when the tab closes.
When consent is granted, we additionally forward a subset of events to PostHog for product analytics. We do not forward events to advertising networks.
5. Cookies and local storage
We use the smallest set of identifiers that lets us correctly attribute events to a session:
- A first-party session ID (placed in localStorage when consent is granted, otherwise sessionStorage) used to group events into one visit
- A NextAuth session cookie (HTTP-only, Secure) for customers logged into the WebGrade dashboard
We do not set third-party cookies, advertising cookies, or cross-site tracking cookies.
6. Data retention
Raw behavioral events (the per-event records described in section 2) are deleted automatically after 90 days by a daily background job. Each deletion run is logged for audit.
Aggregated and derived data — site scores, monthly summaries, AI-generated reports, and the totals that appear in customer dashboards — is retained for the life of the customer account so historical comparisons remain meaningful. Derived data does not contain raw IPs or fingerprints.
When a customer cancels their account, all of their raw and derived data is permanently deleted within 30 days, except where we are required by law to retain financial records.
7. Sub-processors
WebGrade relies on the following providers:
| Provider | Purpose | Region |
|---|---|---|
| Vercel | Application hosting | United States |
| Supabase (PostgreSQL) | Primary database | United States |
| Anthropic | AI-generated explanations and reports (no raw visitor data is sent) | United States |
| PostHog | Product analytics for consenting visitors | United States / EU |
| Resend | Transactional and alert email | United States |
| Inngest | Background job orchestration | United States |
| DataForSEO | Keyword and ranking data for the WebOpp module | United States |
8. Your rights
Depending on where you live (GDPR in the EU/UK, CCPA in California, and similar laws elsewhere), you may have the right to:
- Access the personal data we hold about you
- Request correction or deletion
- Object to or restrict certain processing
- Withdraw consent at any time
- Lodge a complaint with your local data protection authority
Because we do not store raw IPs or directly-identifying information about visitors, we may not be able to locate individual records without additional context (such as the session ID assigned by the website you visited). To make a request, email privacy@webgrade.io.
9. Security
All data is transmitted over TLS. Production database access is restricted to application service accounts. Customer passwords are stored as bcrypt hashes; sign-in via Google OAuth never exposes your Google password to us. We rate-limit our public ingestion API and filter known bot traffic before it reaches storage.
10. Children
WebGrade is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has been tracked through one of our customers' sites, contact us and we will work with the customer to remove the data.
11. Changes to this policy
We will update the date at the top of this page whenever we make material changes. For significant changes we will also notify customers by email.
12. Contact us
Questions about this policy or about how your data is handled: