Privacy Policy
Last updated: 2026-05-27
This Privacy Policy describes how ByTheIndex ("BTI," "we," "our," or "us")
collects, uses, protects, and shares information when you visit
bytheindex.com, create an account, or use the BTI platform
(collectively, the "Service"). This policy applies to all users of the
Service, including operators who connect Google Search Console, Google
Analytics 4, and Google Ads data sources to their sites.
We've written this policy to be clear and specific about what we actually
do with your data, not to use legal boilerplate. If anything is unclear,
contact us at hello@bytheindex.com.
1.1 Account information
When you create a BTI account, we collect:
- Email address (used to identify your account and send transactional notifications)
- OAuth identity from your sign-in provider (e.g., Google) — we receive a verified email and a unique provider identifier; we do not receive your password
- Account creation timestamp and last-activity timestamp
1.2 Site connection data
When you connect a website to BTI, we collect:
- The website's domain name and sitemap URL
- OAuth refresh tokens for Google Search Console, Google Analytics 4, and Google Ads — these are encrypted at rest using application-managed encryption keys
- Configuration you provide about the site: display name, platform (Astro, WordPress, etc.), growth model, brand tokens, focus keywords, focus geographies, and historical site events (consolidations, migrations, redesigns)
1.3 Data we receive from Google services on your behalf
With your explicit OAuth authorization for each site, we receive data from
Google APIs on your behalf. This data describes the search and analytics
performance of your websites — we do not receive data about
websites you do not own or have not connected.
Specifically, we receive:
- From Google Search Console: per-query and per-page impressions, clicks, average position, click-through rate; URL Inspection coverage state; sitemap submission status
- From Google Analytics 4: sessions, engaged sessions, conversions, channel mix, landing-page engagement, source/medium attribution — all scoped to the GA4 property you connect
- From Google Ads: account hierarchy, accessible customers list, customer-level spend and CPC data when you grant access
1.4 Audit and structural data
We crawl public pages of your connected sites to read structural metadata
— page titles, meta descriptions, canonical tags, JSON-LD, H1 elements,
internal link structure. We do not read content behind authentication or
paywalls. Our crawler identifies itself as
ByTheIndex sitemap fetcher (+https://bytheindex.com) and
respects robots.txt.
1.5 Outcome events
When you mark a recommendation as applied in BTI, we record the
recommendation, the baseline metrics at that time, and follow-up
snapshots of those metrics over the subsequent 7, 14, 30, 60, and 90
days. This allows the platform to learn whether the recommendation
produced the expected improvement.
1.6 Information we do not collect
For clarity, we explicitly do not collect:
- Tracking cookies for advertising purposes
- Cross-site tracking pixels
- Browser fingerprints
- Data about visitors to your websites (we receive aggregate metrics from your GSC/GA4, not individual visitor records beyond what GA4 itself exposes to you)
- Payment card information (we do not currently process payments)
2. How we use information
We use the information we collect exclusively to:
- Provide the Service. Compute diagnoses, surface
recommendations, render the per-page command center, score the
ranked work queue, and execute the actions you authorize.
- Improve the Service for your own portfolio.
Outcome events you generate are used to inform future
recommendations for your own sites.
- Train the cross-customer Brain — only with explicit
opt-in. If you opt in, anonymized outcome events
(without your domain, URLs, or queries) contribute to platform-wide
learnings about which recommendations work for which kinds of sites.
See Section 4 below for details on what is and isn't shared.
- Send transactional notifications. Account-state
notifications, security alerts, and platform announcements you've
subscribed to.
- Maintain security and integrity of the Service.
Detect and respond to abuse, fraud, or security incidents.
- Comply with legal obligations. Respond to lawful
government requests, enforce our terms, and protect our rights.
3. Google API Services — Limited Use disclosure
BTI's use and transfer to any other app of information received from
Google APIs will adhere to
Google API Services User Data Policy,
including the Limited Use requirements. Specifically:
- We do not use Google user data to serve advertisements.
Data we receive from Google APIs is used solely to provide the
functionality you've requested — analyzing your site's search and
analytics performance and surfacing recommendations to you.
- We do not transfer Google user data to third parties
except as necessary to provide or improve user-facing features,
comply with applicable law, or as part of a merger, acquisition, or
sale of assets (with notice to you).
- We do not allow humans to read your Google user data
unless: (a) we have your explicit affirmative consent for the
specific data being read, (b) it is necessary for security purposes
such as investigating abuse, (c) it is necessary to comply with
applicable law, or (d) the data has been aggregated and anonymized
such that it is no longer identifiable.
- We do not use Google user data to train generalized
AI/ML models. When we use AI for content generation (e.g.,
drafting recommendation prose), we pass only the minimum context
needed for that specific task, and our AI provider (Anthropic) does
not retain or train on the data we send per their API terms.
You can revoke BTI's access to your Google services at any time from
your Google Account permissions page at
https://myaccount.google.com/permissions.
Revoking access stops BTI from making future API calls on your behalf
and triggers deletion of associated OAuth tokens within 30 days. Data
previously retrieved and stored in your BTI account will remain until
you also delete the connected site or your account.
4. Data sharing and third parties
We share data only as follows:
4.1 Infrastructure service providers
To operate the Service, we use cloud infrastructure providers who act
as data processors on our behalf. These providers are contractually
bound to handle data only as we direct:
- Cloudflare — application hosting, network delivery, and edge compute (Cloudflare Workers)
- Neon — managed Postgres database for application state
4.2 AI inference
We use Anthropic (the Claude API) to generate
natural-language descriptions of recommendations and to draft
operator-facing content within the platform. Only the specific context
needed for each generation is sent; Anthropic does not retain or train
on the data we send per their API terms.
4.3 Anonymized cross-customer learnings
If you opt in (this is not the default for paid accounts; beta accounts
are opted in with disclosure), anonymized outcome events from your
account contribute to platform-wide learnings about which
recommendations work for sites with similar growth models. The
anonymization strips:
- Site identifier and domain
- Specific URLs (replaced with collection-level patterns like /guides/*)
- Literal query strings (replaced with classified intent categories)
- Account identifier
- Any free-text fields
Preserved metadata includes the diagnosis category, the
position/impression bucket the recommendation targeted, and the observed
outcome class. The cross-customer learning layer activates only after a
statistical floor is reached (currently 30+ events per category) to
prevent any single account from being inferable from the aggregate.
4.4 What we do not do
We do not sell your personal information or data received from Google
APIs. We do not share data with advertising networks. We do not allow
third parties to use your data for their own purposes.
5. Data security
We employ industry-standard security measures including:
- HTTPS/TLS encryption for all data in transit
- Encryption at rest for sensitive credentials (OAuth tokens) using application-managed encryption keys
- Row-level access controls in our application logic, scoped to your account
- Principle of least privilege for internal access — operations personnel access account data only when required for support, security investigation, or with your explicit consent
- Regular dependency updates and security patches
No method of transmission or storage is 100% secure. We work to protect
your information but cannot guarantee absolute security. If we become
aware of a security incident affecting your data, we will notify you
without undue delay.
6. Data retention
- Account data: Retained while your account is active. Deleted within 30 days of account closure.
- OAuth tokens: Retained while the connection is active. Deleted within 30 days of disconnection.
- Site telemetry (GSC, GA4, Google Ads data): Retained up to 400 days from collection (matching the maximum GSC pull window). Older data is automatically pruned.
- Outcome events: Retained 365 days at full weight; time-decayed thereafter for the learning model but the underlying record persists while your account is active.
- Anonymized cross-customer learnings (if you opt in): Aggregated values persist indefinitely since they are no longer attributable to your account.
- Server logs: Retained 90 days for security and operational purposes, then automatically deleted.
7. Your rights and choices
You have the following rights with respect to your data:
- Access: Request a copy of the data we hold about your account.
- Correction: Update or correct inaccurate information directly in your account settings, or by contacting us.
- Deletion: Request deletion of your account and associated data. Some data may be retained for legal compliance.
- Data portability: Request an export of your account data in a machine-readable format.
- Opt-out of cross-customer learnings: Toggle the cross-customer learning contribution in your account settings at any time. Opting out does not affect the learnings already contributed in anonymized form, but stops future contributions.
- Revoke Google authorization: Use Google's permissions page at https://myaccount.google.com/permissions to revoke BTI's access to any Google service.
To exercise any of these rights, contact us at
hello@bytheindex.com. We
will respond within 30 days.
8. Children's privacy
The Service is not directed to children under 13, and we do not
knowingly collect personal information from children under 13. If we
learn that we have collected such information, we will delete it
promptly. If you believe a child has provided us with personal
information, contact us at
hello@bytheindex.com.
9. International data transfer
BTI is operated from the United States. If you access the Service from
outside the U.S., your information may be transferred to, stored, and
processed in the U.S. and other countries where our service providers
operate. By using the Service, you consent to this transfer.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make
material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify active account holders by email
- Display a notice in the platform for at least 30 days after the change takes effect
Questions about this Privacy Policy or how we handle your data?
Reach us at hello@bytheindex.com.