Privacy policy

ViCite is an independent service operated by an EU-based developer. Contact: hello@vicite.com.

When you run a scan without signing in we store:

• The website URL you submitted and the resulting report.
• An HMAC-SHA256 hash of a random ID stored in a cookie (vicite_uid), used only to enforce the rolling-30-day anonymous scan limit.
• An HMAC-SHA256 hash of your IP address. The plain IP is never stored. The hash is forensic only and is never linked to a person.

When you sign in with Google we additionally store:

• Your Google account name, email address and avatar URL.
• An OAuth account record linking your Google user ID to ViCite.
• The scans you run, attached to your account.
• If you join the Pro waitlist or answer our in-product pricing survey: your email, the answers you give (e.g. would-pay choice, fair price, features wishlist) and any free-text notes you provide. Used to shape the roadmap and contact you about early access. Deleted when you delete your account.

We do not request access to your Gmail, Drive, contacts or any other Google service. The only OAuth scopes we use are openid, email and profile.

• Run the product: we fetch the homepage of the URL you submit to understand what your site is about, generate your AI Visibility Score, and let you share or revisit the report.
• Rate limiting: one free scan per month for anonymous visitors, five rolling-30-day scans for signed-in users.
• Account features: let you see your past scans in one place.

We do not sell your data, run ad networks, or use behavioural tracking. There is no third-party advertising pixel on this site.

To produce your report we send the URL you submitted, a snapshot of its homepage and the buyer-intent queries we generate from it to third-party AI engines:

• OpenAI (USA)
• Google Gemini (USA)

These providers process the data under their own privacy policies. We do not send them your email, name or any account metadata — only the public URL you typed in, a snapshot of that homepage, and the queries derived from it.

Infrastructure providers we rely on:

• Vercel (USA / EU) — application hosting, privacy-friendly Web Analytics and Speed Insights (no cookies, no personal data, aggregate page and performance metrics only).
• Supabase (EU, Frankfurt) — Postgres database storing accounts and scan results.
• Google — OAuth sign-in only.

All accounts and scan data are stored in a Supabase Postgres database hosted in the EU (Frankfurt, Germany). Backups stay in the same region.

• Signed-in user accounts and scans: retained until you delete them. You can delete your account at any time from your account page; this immediately and permanently removes your profile and every scan tied to it.
• Anonymous scan reports: retained indefinitely so that shared report URLs keep working. Anonymous reports are not linked to any personal identifier.
• Rate-limit counters (hashed cookie/IP): retained for operational purposes. Hashed values are pseudonymous and cannot be reversed.

We use one functional cookie: vicite_uid — a random ID used to enforce the anonymous scan limit. It is not used for advertising, tracking, or fingerprinting. When you sign in, an additional Auth.js session cookie is set; it is required for the sign-in flow.

If you are in the EU/EEA or the UK, you have the right to access, correct, export and delete your data. The fastest way:

• Delete everything: click Delete my account on the account page.
• Access / export: email hello@vicite.com from your account address and we will reply within 30 days.

You also have the right to lodge a complaint with your local data-protection authority.

If we materially change this policy we will update the date at the top and, for signed-in users, surface a notice in-app before the change takes effect.