1. What do we collect?
We collect information in three categories:
- Information you give us — the website URL you submit to run an audit (no email is required to run the audit or see your score); your email address, which is optional and collected only if, after seeing your score, you ask us to email you the full Gap Report; on purchase, our payment processor collects your email, billing details, and payment information; on delivery, the CMS credentials you provide so we can perform the work.
- Information about your website — our auditor visits the URL you submit and analyzes publicly accessible content (HTML, metadata, robots.txt, sitemap.xml). We do not log into your site without permission, and we do not crawl beyond a small number of internal pages linked from the homepage.
- Automatic information at submission — when you submit the form we automatically record your IP address, browser user-agent string, HTTP referrer, and any UTM parameters in the link you arrived from. We use this strictly for abuse prevention (rate limiting + captcha verification) and traffic-source attribution. We do not build behavioral profiles, and this information is not used for advertising targeting.
- Analytics & advertising measurement — we use Plausible Analytics for cookie-free aggregate traffic statistics (no cookies, no personal data, no per-user tracking). We also use Meta (Facebook) advertising pixels for ad-campaign measurement: a browser-side pixel for standard view/click events and a server-side Conversions API event when you run an audit. The data sent to Meta is limited to: the page URL, the event type, and standard request metadata (IP, user-agent), plus — only if you have given us your email — a one-way SHA-256 hash of that email. We do not send the URL you submitted, your audit results, or your score to Meta. We do not use Google Analytics or other behavioral-tracking platforms. You can opt out of Meta tracking via your Meta Ad Preferences.
2. How do we use your information?
We use what we collect to deliver the audit and the fix; to email you about your engagement; to process payment via Stripe; to improve the Service through anonymized, aggregated benchmarks; and to comply with the law and enforce our Terms. We never sell your information, never market unrelated products to you, and never share your audit results with third parties.
3. How are CMS credentials handled?
Credentials you give us are used only to perform the work you have authorized. We do not store credentials in any database, password manager, or cloud service beyond the engagement. We recommend you change relevant passwords on delivery confirmation. We will not access areas of your systems beyond what is needed to perform the Service.
4. What service providers do we use?
We use a small set of US-based, reputable service providers, each of which receives only what it needs:
- Stripe — payment processing. Stripe receives card details directly from you; we do not see or store full card numbers.
- Resend — transactional email delivery.
- Vercel — site and serverless function hosting; includes an integrated key-value store (Upstash) used for short-lived abuse-prevention counters and audit-result caching.
- Plausible Analytics — privacy-respecting traffic analytics (no cookies, no personal data).
- Cloudflare Turnstile — bot-detection captcha. Cloudflare receives standard browser signals (IP, user-agent, behavior fingerprints) to issue a one-time verification token; no cookies are set on our domain. See Cloudflare's privacy practices for details.
- Browserbase — managed headless-browser infrastructure used to render the URL you submit so we can audit JavaScript-rendered sites. Visits originate from Browserbase IPs; the only data sent is the URL itself.
- Meta (Facebook) — advertising measurement only. We use Meta's Pixel (browser-side) and Conversions API (server-side) to attribute ad performance. Data sent: a one-way SHA-256 hash of your email, the page URL, event type, and standard request metadata. See "What do we collect?" for the full scope.
We do not sell your information to advertising networks, data brokers, or marketing platforms.
5. How long do we keep your information?
We keep information as long as needed to provide the Service, support you afterward, and meet our legal and tax obligations — typically up to 7 years for financial records under US tax law. Deletion requests are honored subject to those retention requirements. For active subscribers, we retain monthly re-audit history for the life of the subscription plus 30 days after cancellation, so we can hand back your last data on request.
6. Your rights
Depending on your jurisdiction, you may request a copy of your data, correction of inaccurate data, deletion (subject to legal retention requirements), or to opt out of marketing emails. After your audit we send at most two short follow-up emails (typically at roughly 24 and 72 hours) related to the audit you requested; each carries a one-click unsubscribe link in both the header (RFC 8058 List-Unsubscribe) and the visible footer. Email support@mainstreetaiaudit.com with any request and we respond within 30 days.
7. Security
We use HTTPS for all traffic, encrypted credential handling, reputable vendors, and internal access controls. No system is perfect; we will notify affected customers of any security breach as legally required.
8. Children
The Service is intended for business owners and is not directed at anyone under the age of 18.
9. How can this Policy change?
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by email to active customers.
10. Contact
Impact Development Consulting LLC · Palm Harbor, Florida · USA