Privacy Policy
How Smart CRO Agent collects, uses, and protects your personal information.
Last updated: June 2026
1. Who We Are
Smart CRO Agent ("we", "us", "our") operates smartcroagent.com — an AI-powered website audit platform. We are the data controller for all personal data collected through this site. For questions, use our .
2. What We Collect
- Account data: email address, display name, hashed password (or Google OAuth ID if you sign in with Google).
- Audit data: the URLs you submit, the AI-generated audit results, your overall score, and the date of each audit. Raw HTML is processed temporarily and never stored permanently.
- Session tokens: a short-lived access token stored in browser memory, and an httpOnly Secure refresh token cookie (7-day TTL). The refresh token cannot be read by JavaScript.
- Usage data: page views and feature interactions, collected anonymously for product improvement.
- Contact form data: name, email, and message when you reach out to us.
3. How We Use Your Data
- To authenticate your account and maintain your session securely.
- To run AI audits and return results to you.
- To save your audit history so you can revisit past reports.
- To send transactional emails (password resets, account confirmations).
- To improve our AI model prompts, scoring, and feature set (using aggregated, anonymised data only).
- To respond to support requests submitted via our contact form.
4. Third-Party Services
- Google Gemini API: cleaned page HTML (no PII) is sent to Google's Gemini 2.5 Flash model for analysis. Subject to Google's Privacy Policy.
- Google OAuth: if you choose to sign in with Google, your Google account ID and email are used to create or match your account. We do not receive your Google password.
- Railway (hosting): our infrastructure runs on Railway's cloud platform. Your data is stored in a PostgreSQL database hosted on Railway.
- Nodemailer / SMTP: used to send transactional emails. No marketing emails are sent without your explicit opt-in.
5. Data Sharing
We do not sell, rent, or share your personal data with third parties for advertising, marketing, or analytics purposes. Data is only shared with the sub-processors listed in Section 4, strictly to operate the service.
6. Data Retention
Account data is retained for as long as your account is active. Audit results are stored for 12 months by default. Prompt cache entries expire after 24 hours. You can delete individual audits or request full account deletion at any time via our contact page.
7. Security
Passwords are hashed with bcrypt (never stored in plain text). Refresh tokens are stored in httpOnly Secure cookies, inaccessible to JavaScript. Access tokens live in browser memory only and are never written to localStorage or cookies. Our database and infrastructure use encrypted connections.
8. Your Rights
You have the right to access, correct, or delete your personal data. You can update your name via the Profile page. To request data export or full deletion, contact us via our contact page. See the GDPR page for EU/UK-specific rights.
9. Changes
We may update this policy. Material changes will be announced on this page with an updated date. Continued use of the service after changes constitutes acceptance.