Legal

Privacy Policy

Last updated: 25 May 2026

Plain-English version: we audit URLs you give us, cache results for 24 hours, then drop them. We never train models on your content and we don't sell data. Full details below.

1. Introduction

FAQAudit ("we", "our", "the service") is operated by Lumen Star LLC, registered in Wyoming, United States. This policy explains what personal data we collect when you use the service at faqaudit.com, why we collect it, how we use and store it, and the rights you have over it.

By using the service you agree to this policy. If you don't agree with anything here, don't use the service — and let us know what we got wrong so we can either explain it better or change it.

2. Information we collect

We collect only what we need to run the audit, bill the right account, and follow up on issues.

Account data

When you sign up: your name, email address, and a hashed password. We never store passwords in plain text. Emails are used to send transactional messages (verification, score-drop alerts) and product announcements you've opted into.

Authentication via Google (optional)

If you sign in with Google, we receive your email address, full name, and profile picture URL from Google. We don't receive your Google password or any other Google account data. You can revoke FAQAudit's access at any time from your Google account permissions page.

Audit data

Each time you submit a URL we fetch and analyse the page. We store: the URL, the scores we computed, the issues and rewrites we generated, and the fetch metadata (HTTP status, byte size, fetch duration). The audited page's HTML is held in memory during scoring and is not persisted to disk.

Billing data

If you upgrade to Pro, our payment processor Stripe handles your card data. We never see or store your full card number. Stripe returns us a customer ID and the last four digits of your card — that's it.

Technical data

Standard server logs: IP address, user-agent, request path and timestamp. We use these for rate-limiting and abuse prevention. Logs are rotated and discarded after 30 days.

3. How we use your information

  • Run audits — fetch the URL you submit, score it, generate the report.
  • Show you your history — the dashboard surfaces audits you've run.
  • Continuous monitoring (Pro) — re-audit watched URLs on your chosen cadence and email you when scores drop.
  • Bill you — for the Pro tier only.
  • Stop abuse — rate-limit anonymous traffic, detect automated scraping of our service.
  • Improve the product — aggregate, anonymised metrics about audit volumes, score distributions, and which URL types perform best.

We do not use your content to train AI models. The LLM judge we use (Anthropic Claude) operates under Anthropic's no-training-on-API-input policy.

4. Sharing and disclosure

We don't sell your data. We share specific pieces with the following service providers, only as needed to deliver the product:

| Provider | What they receive | Purpose |
|---|---|---|
| Anthropic (Claude) | Audit page content (Q&A text), in transit only | LLM scoring; not retained or trained on (per Anthropic API terms) |
| Google | OAuth sign-in request, our app's client ID | Authentication for "Sign in with Google" (only if you choose this option) |
| Firecrawl | Audited URL | Page fetch with JS rendering |
| Stripe | Payment + billing details | Subscription billing for Pro tier |
| Resend | Email address, message body | Transactional email delivery |
| Cloudflare | IP address, request metadata | CDN, DDoS protection, R2 object storage for shareable PDFs |
| Cloudflare Turnstile | IP address, browser/device signals, interaction telemetry (issued by Cloudflare in your browser) | Invisible bot challenge on signup, signin and audit forms. Governed by the Cloudflare Turnstile Privacy Addendum. |
| Laravel Cloud | All app data (Postgres + Redis) | Application hosting |

We may also disclose data when required by law (subpoena, court order) or to protect the safety of our users or the public.

5. Data security

All traffic is served over TLS. Passwords are hashed with bcrypt. Database backups are encrypted at rest. Stripe and Resend manage their own PCI / SOC 2 compliance for the data we send them.

We don't claim to be impervious to breaches — nobody is. If we discover one, we'll notify affected users within 72 hours, in line with GDPR Article 33.

6. Data retention

  • Audit cache: 24 hours then automatically dropped from Redis.
  • Audit history: kept indefinitely while your account is active so you can review past scores.
  • Account data: kept while your account is active. Deleted within 30 days of account deletion.
  • Server logs: rotated and discarded after 30 days.
  • Billing records: retained for 7 years to comply with tax law.

7. Your rights and choices

You can:

  • Access a copy of the personal data we hold about you
  • Correct anything inaccurate (most fields are editable from your dashboard)
  • Delete your account and the personal data attached to it
  • Export your audit history as JSON
  • Restrict or object to processing in specific cases
  • Withdraw consent for marketing emails (every email has an unsubscribe link)

To exercise any of these rights, email info@faqaudit.com. We respond within 30 days.

8. Cookies and tracking

We use the minimum number of cookies needed to keep you logged in and protect against CSRF attacks:

  • laravel_session — session identifier, expires when your browser closes
  • XSRF-TOKEN — anti-forgery token, expires with the session
  • theme (localStorage) — your light/dark preference, never sent to our servers

We do not currently use third-party analytics, ad-tech pixels, or cross-site trackers. If we ever add them, this section will be updated and you'll be asked to consent first.

Bot protection (Cloudflare Turnstile)

We use Cloudflare Turnstile in invisible mode on our signup, signin and audit-submission forms to verify that requests come from real browsers rather than abusive bots. In invisible mode there is no CAPTCHA puzzle to solve — Turnstile runs silently in the background and may set short-lived first-party cookies (e.g. cf_clearance, __cf_bm) and read browser/device signals to score the request.

Turnstile data is processed by Cloudflare, Inc. and is governed by the Cloudflare Turnstile Privacy Addendum, which forms part of this policy by reference. Cloudflare states that Turnstile does not collect personally identifiable information and the signals it gathers are used only to distinguish humans from bots.

9. International data transfers

Some of our service providers (Anthropic, Stripe, Cloudflare) are based in the United States. Data sent to them is transferred under the EU-US Data Privacy Framework or equivalent Standard Contractual Clauses where applicable.

10. Children's privacy

FAQAudit is intended for use by SEO professionals, content owners, and developers. It is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, contact us and we'll delete the account.

11. Third-party links

Audited URLs are submitted by you and may link to or load resources from third parties. We are not responsible for the privacy practices of pages you choose to audit, nor of any external site we link to from our marketing pages.

12. Changes to this policy

We update this policy when our practices change. The "Last updated" date at the top reflects the most recent change. For material changes (e.g., new categories of data, new third-party processors), we'll email account holders at least 14 days before the new policy takes effect.

13. Contact us

For privacy questions, data requests, or to report a concern, email info@faqaudit.com. Postal mail can be addressed to Lumen Star LLC, 15703 Hwy 99, Lynnwood, WA 98087, United States.

14. Regional rights (GDPR, CCPA)

EEA / UK residents: The legal basis for processing your data is contract performance (running the audits you request) and legitimate interest (preventing abuse, improving the product). You can lodge a complaint with your local Data Protection Authority.

California residents: Under the CCPA you have the right to know what personal information we collect, the right to delete it, and the right to opt out of any "sale" of personal information — though we don't sell or share for cross-context behavioural advertising.