Privacy Policy

1. Who We Are

Disavow.ai is operated by Paytia Limited, a company registered in England and Wales. We are the data controller for your personal data.

Email: privacy@disavow.ai
Website: https://www.disavow.ai

2. What This Policy Covers

This Privacy Policy explains how we collect, use, store, and share your personal data when you use Disavow.ai (the “Service”). It applies to all users, whether on a free or paid plan.

3. Data We Collect

3.1 Data You Provide

• Account information: name, email address, and password (or Google OAuth credentials) when you register.
• Payment information: processed by Stripe. We do not store your full card details.
• Domain data: the domain(s) you register for scanning.
• Uploaded files: disavow files you import into the Service.
• Communications: emails or support messages you send us.

3.2 Data We Collect Automatically

• Usage data: pages visited, features used, scan activity, and export history. Collected via PostHog (hosted on EU servers).
• Device and browser data: IP address, browser type, operating system, and referring URL.
• Cookies: see Section 8.

3.3 Data From Third Parties

• Backlink data: we retrieve backlink and domain data from DataForSEO to power our scanning and risk scoring features. This data relates to publicly available website information, not personal data about you.

4. How We Use Your Data

• Providing the Service: running scans, generating risk scores, producing disavow files, and delivering reports.
• Account management: authentication, subscription management, and customer support.
• Billing: processing payments and managing subscriptions via Stripe.
• Communications: sending transactional emails (scan results, weekly reports, toxic alerts) and account notifications. You can manage email preferences in your account settings.
• Analytics: understanding how the Service is used so we can improve it. We use PostHog hosted on EU infrastructure.
• Legal compliance: meeting our obligations under applicable law.

5. Legal Basis for Processing (GDPR)

If you are in the UK or EEA, we process your personal data on the following legal bases:

• Contract: processing necessary to provide the Service you have subscribed to (Article 6(1)(b) GDPR).
• Legitimate interests: analytics, fraud prevention, and improving the Service (Article 6(1)(f) GDPR).
• Consent: where you have opted in to marketing communications (Article 6(1)(a) GDPR). You may withdraw consent at any time.
• Legal obligation: where processing is required by law (Article 6(1)(c) GDPR).

6. Data Sharing

We do not sell your personal data. We share data only with the following categories of recipients, and only to the extent necessary:

We may also disclose data where required by law, regulation, or court order.

7. Sub-Processors

Under GDPR, the third parties listed above act as our sub-processors. Key details:

• Stripe: PCI DSS Level 1 certified. We never see or store your full card number.
• PostHog: EU-hosted cloud instance. Data does not leave the EU.
• Supabase: provides our database and authentication layer.
• DataForSEO: provides backlink data via API. Processes domain-level data, not personal data.
• Resend: handles transactional email delivery.

8. Cookies

• Essential cookies: required for authentication and session management. These cannot be disabled.
• Analytics cookies: PostHog uses cookies to understand how you interact with the Service. You can opt out via the cookie consent banner on first visit.

We do not use advertising or tracking cookies from third-party ad networks.

9. International Data Transfers

Some of our sub-processors are based in the United States. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including EU-US Data Privacy Framework certification, Standard Contractual Clauses (SCCs), and the UK International Data Transfer Agreement (IDTA) as applicable.

10. Data Retention

• Account data: retained for the duration of your account, plus 12 months after deletion.
• Scan and backlink data: retained while your account is active. Deleted within 30 days of account closure.
• Payment records: retained for 7 years as required by UK tax law.
• Analytics data: retained for 12 months in PostHog, then automatically deleted.

11. Your Rights

If you are in the UK or EEA, you have the following rights under GDPR:

• Access: request a copy of the personal data we hold about you.
• Rectification: ask us to correct inaccurate data.
• Erasure: ask us to delete your data (subject to legal retention requirements).
• Restriction: ask us to limit how we process your data.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@disavow.ai. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

12. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, row-level security on database tables, separation of development and production environments, and regular review of access controls.

No system is 100% secure. If we become aware of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority as required by law.

13. Children

The Service is not directed at anyone under 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service.

15. Contact Us

Paytia Limited
Email: privacy@disavow.ai
Website: https://www.disavow.ai