Privacy Policy

Last updated: March 2026

1. What We Collect

When you sign in with Google, we receive your email address, name, and an OAuth access token scoped to Google Search Console (read-only) and basic profile information. When you sign in with GitHub, we receive your email and an OAuth token scoped to repository access.

We also collect Search Console performance data (clicks, impressions, CTR, position) for the properties you connect, and metadata about the pages we crawl (titles, meta descriptions, headings, schema markup).

2. How We Use Your Data

  • Run SEO scans by crawling public pages and comparing them to your Search Console data.
  • Generate SEO recommendations using AI (Google Gemini) based on crawl results and GSC metrics.
  • Create pull requests or direct commits to your GitHub repository when you approve a suggestion.
  • Measure the impact of shipped changes by comparing pre- and post-change GSC metrics.
  • Send notifications to search engines (via IndexNow) when content is updated.

3. Data Storage & Security

Your OAuth tokens are encrypted at rest using AES-256-GCM before being stored. We use Supabase (hosted on AWS) for our database and authentication. Your data is never sold or shared with third parties for marketing purposes.

If you are on the Lifetime plan and provide your own Gemini API key, it is encrypted with the same standard before storage.

4. Third-Party Services

  • Google Search Console API — to read your search performance data.
  • GitHub API — to read repository files and create pull requests.
  • Google Gemini — to generate AI-powered SEO recommendations.
  • Vercel — hosting and serverless functions.
  • Supabase — database and authentication.

5. Data Retention

We retain your Search Console snapshots and scan results for as long as your account is active. If you delete a site from your dashboard, all associated data (snapshots, suggestions, tracked changes) is permanently deleted. If you delete your account, all data is removed.

6. Your Rights

You can disconnect any site at any time from the dashboard, which stops data collection for that property. You can request full account deletion by contacting us. You can revoke GSCPilot's access to your Google or GitHub account at any time via their respective security settings.

7. Cookies

We use essential cookies for authentication (Supabase session cookies). We do not use tracking cookies, analytics pixels, or third-party advertising cookies.

8. Contact

For privacy-related questions, contact us at hello@gscpilot.com.