Privacy Policy
Last updated: 2026-05-31
This Privacy Policy explains how Probedex (the "Service", "we", "us"), available at probedex.ai, collects, uses, shares, retains, and protects personal information when you use the Service. It is designed to meet the disclosure requirements of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and analogous laws in other jurisdictions. The English version of this Policy is the authoritative version.
If you have any privacy question or wish to exercise a right described in Section 8, contact us at [email protected].
1. Scope
This Policy applies to probedex.ai and its subdomains, and to all features of the Service as defined in our Terms of Service. It does not apply to third-party websites, services, or data providers that we link to or integrate with — their own privacy notices govern your interactions with them.
The Service is operated as an independent developer project under the brand name "Probedex". For the purposes of GDPR, the Operator is the data controller of personal information processed about you as an Account holder. Reports about third-party domains describe public-internet entities (websites and businesses) and do not, in the ordinary case, process personal data about the owners of those domains; where a Report incidentally mentions an identifiable natural person (for example, a public-facing founder), we process such information for the legitimate interest of providing the Service and on the basis that the information is already public.
2. Who We Are & Roles
We are the data controller for your account, billing, and usage data. We are the data processor for the Reports you generate about third-party domains (but the domain owners are not our data subjects — they're public-internet entities; reports cover companies/websites, not natural persons except where public-figure owners are mentioned). No DPO appointed (under GDPR Art. 37 threshold) — [email protected] is the single contact.
3. Categories of Personal Information We Collect
We collect personal information in the following categories. "Source" indicates whether the information comes from you, from a third party (e.g. Google), or is generated automatically by the Service.
| Category | Examples | Source | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Account identifiers | Email address, name, avatar URL, Google account ID (sub) | Google OAuth | Contract (b) |
| Authentication & security | Session cookies, IP address at sign-in, user-agent | Automatic | Contract (b) + Legitimate interest (f) — security |
| Billing | Stripe customer ID, billing country, last-4 of card; full card number is held only by Stripe under PCI scope | Stripe | Contract (b) + Legal obligation (c) — tax recordkeeping |
| Subscription & entitlement | Plan tier, Allowance balance, Top-Up balance, renewal date | Service | Contract (b) |
| Usage data | Queries you run, watchlist entries, Report IDs and cached output, Insights and Action Plans you generate | You + Service | Contract (b) |
| Device & log data | IP address, browser type and locale, page paths, referrers, error logs | Automatic | Legitimate interest (f) — security, debugging |
| Support communications | Email content, headers, attachments you send to [email protected] | You | Legitimate interest (f) — customer support |
| Cookies & analytics | See Section 9 | Browser | Consent (a) for GA4 / advertising; Legitimate interest (f) for cookieless analytics and strictly-necessary cookies |
| Marketing opt-ins | Newsletter or product-update subscriptions (only if and when offered) | You | Consent (a) |
We do not intentionally collect sensitive personal information (CCPA-defined) or special-category data (GDPR Art. 9), and we ask you not to send it to us.
4. Sub-Processors and Third-Party Recipients
We use the following sub-processors and service providers to operate the Service. We have data-processing agreements (or rely on standard published terms) with each, and we transfer personal data outside the EEA/UK only under safeguards described in Section 7.
| Recipient | Purpose | Data shared | Region |
|---|---|---|---|
| Google LLC | OAuth sign-in | Receipt of your Google profile (email, name, avatar, sub) | United States |
| Stripe, Inc. | Payment processing, subscription billing, tax calculation, fraud screening | Email, name, billing country, payment-method token, transaction history | United States + EU |
| Vercel Inc. | Application hosting and edge delivery | All request traffic and server logs | United States (primary) + global edge |
| Neon | Application database (PostgreSQL) and read-only data warehouse | Account, subscription, usage, Report metadata, AI Insight records | United States (AWS region) |
| Cloudflare, Inc. | CDN, DDoS protection, and (where used) R2 object storage for cached assets | Cached static assets, IP addresses, file blobs | Global edge |
| Resend | Transactional email (receipts, security alerts, password-less auth confirmations) | Email address, name, message body | United States |
| Third-party large language model providers | AI generation of Insights and Action Plans | Query text and the relevant data excerpt; we do not send your account identifiers in the prompt | Primarily United States |
| Third-party network intelligence and data aggregation providers | Aggregated Third-Party Data for Reports (traffic estimates, keyword and backlink data, social and video platform signals, SERP samples, public domain registration metadata) | The domain or keyword being looked up; no user-identifying data | Varies by provider |
Beyond these sub-processors, we may share personal information:
- In response to lawful requests — subpoenas, court orders, or government requests, disclosing only what is required and notifying you unless legally prohibited;
- In a business transfer — to an acquirer or successor in connection with a merger, acquisition, or sale of assets, with notice and, where required, opt-out rights;
- In aggregated, de-identified form — for product analytics, research, or marketing of the Service (e.g., "top trending domains this week").
We do not sell personal information (as defined under the CCPA) and we do not engage in "sharing" for cross-context behavioral advertising. We do not currently use targeting or retargeting cookies.
5. How We Use Personal Information
We use the information described above for the following purposes:
- Provide the Service — create and maintain your Account, authenticate you, process queries, generate and serve Reports and Insights, deliver email receipts and service notices (Contract).
- Process payments — charge subscriptions and one-time purchases via Stripe, refund where applicable, handle chargebacks (Contract; Legal obligation for tax records).
- AI processing — pass your query and the relevant data context to third-party large language model providers for the limited purpose of generating Insights and Action Plans (Contract performance under your instruction).
- Improve the Service — analyze aggregated usage patterns, error rates, and feature performance to fix bugs and ship improvements (Legitimate interest).
- Security and fraud prevention — detect suspicious activity, enforce rate limits, prevent abuse, investigate chargebacks (Legitimate interest).
- Communicate — send transactional emails, security alerts, billing notices, and material changes to these notices (Contract); send product updates only where you opt in (Consent).
- Comply with law — respond to lawful requests, retain billing records for tax-law periods, enforce our Terms (Legal obligation).
We do not engage in automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22).
6. Data Retention
| Data category | Retention period |
|---|---|
| Account profile | Until you delete your Account, plus a 30-day grace period |
| Authentication session tokens | 30 days from last activity |
| Billing records and invoices | 7 years from the transaction (tax-law requirement) |
| Search and query history | 24 months, then aggregated and de-identified |
| Watchlist entries | Until you delete them or your Account is deleted |
| Generated Reports and cached output | Until you delete the Report or your Account; orphaned cache purged after 90 days |
| Support email correspondence | 3 years from the last message in the thread |
| Server and application logs (including IP) | 90 days |
| Marketing opt-in / withdrawal records | Until withdrawal plus 3 years (proof of consent) |
| Aggregated, de-identified usage statistics | Indefinitely (no longer personal information) |
When an Account is deleted, we purge personal information within 30 days except where retention is required by law. Where complete deletion is technically infeasible (for example, in encrypted backups), we isolate the data, stop active use, and delete it on the next backup-rotation cycle.
7. International Data Transfers
The sub-processors listed in Section 4 are primarily based in the United States. Where we transfer personal data of EEA, UK, or Swiss residents outside their region, we rely on:
- the EU Standard Contractual Clauses (2021) in combination with supplementary measures (encryption in transit using TLS 1.2 or higher, encryption at rest, role-based access controls);
- the UK International Data Transfer Addendum (where the data originates in the UK);
- the EU–U.S. Data Privacy Framework ("DPF") adequacy decision, where the recipient is DPF-certified (Stripe, Google, and certain other vendors are currently certified; we monitor this and update as it changes); and
- where neither Standard Contractual Clauses nor an adequacy decision is available, we obtain your explicit consent or rely on another lawful basis under GDPR Art. 49.
A list of current sub-processor regions is maintained in Section 4 above. Material changes are announced via an in-product notice.
8. Your Rights
8.1 EEA, UK, and Swiss residents (GDPR / UK GDPR)
You have the right to:
- Access the personal information we hold about you (Art. 15);
- Rectify inaccurate or incomplete information (Art. 16);
- Erase your personal information ("right to be forgotten") (Art. 17);
- Restrict processing in certain circumstances (Art. 18);
- Receive your personal information in a portable format (Art. 20);
- Object to processing based on legitimate interest (Art. 21);
- Withdraw consent for processing that relies on it, without affecting the lawfulness of past processing (Art. 7(3));
- Lodge a complaint with your national data-protection authority (e.g., CNIL in France, ICO in the UK, BfDI in Germany).
8.2 California residents (CCPA / CPRA)
You have the right to:
- Know what categories of personal information we collect, the sources, the purposes, and the categories of recipients;
- Access the specific pieces of personal information we hold about you;
- Delete your personal information;
- Correct inaccurate personal information;
- Opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising — we do not sell or share personal information, so this right is moot for us, but we state it for transparency;
- Limit the use of sensitive personal information — we do not collect sensitive personal information;
- Be free from discrimination for exercising any of these rights.
8.3 Other regions
If you reside in another jurisdiction (Brazil — LGPD; Canada — PIPEDA; South Africa — POPIA; mainland China — PIPL; Australia — Privacy Act; and others) and the applicable law grants you equivalent rights, we honor those rights on the same channels described below.
8.4 How to exercise your rights
- Self-service — most rights can be exercised from Settings → Data & Privacy (export, delete, change consent).
- Email — [email protected]. We respond within 30 days (extendable to 60 with notice under GDPR Art. 12(3); 45 days with up to a 45-day extension under CCPA).
- Identity verification — to protect your data we may ask you to confirm your request via the Google account associated with your Account before we act.
You may also authorize an agent to exercise rights on your behalf in jurisdictions that permit it; we will verify the authorization.
9. Cookies and Tracking Technologies
We use a minimal set of cookies and similar technologies:
- Strictly necessary — session cookies and CSRF tokens required for sign-in and security. These are always on; no consent is required because the Service cannot function without them.
- Analytics — Google Analytics 4 (consent-gated). We may use Google Analytics 4 to understand aggregate usage patterns and measure advertising effectiveness. In the EEA, UK, and Switzerland (and wherever your region cannot be reliably determined), GA4 and any Google advertising cookies load only after you grant consent via our cookie banner; we operate Google Consent Mode v2 and enable ad-data redaction. You can change or withdraw consent at any time by clicking "Cookie Settings" in the footer. The page address we send to GA4 is reduced to a fixed page template and never includes your search terms, query strings, or the specific domain you looked up.
- Analytics — self-hosted Plausible (cookieless). We also run a self-hosted instance of Plausible Analytics. It sets no cookies, uses no cross-site or device identifier, and records only aggregate, non-identifying metrics (page views, referrer and campaign/UTM parameters, approximate country, and browser/device type). Because it stores no personal identifier and builds no profile of you, it runs without a consent banner on the basis of our legitimate interest in understanding aggregate traffic. This data stays on our own infrastructure and is not shared with any third party (including Plausible the company).
- No advertising cookies. We do not run advertising, retargeting, or third-party advertising cookies on the Service.
You can also control cookies through your browser settings (block, delete, or be prompted). Blocking strictly-necessary cookies will prevent the Service from working.
10. Security
We protect personal information with administrative, technical, and physical safeguards appropriate to the risk, including:
- TLS 1.2+ encryption in transit and at-rest encryption on Neon, Vercel, Stripe, and Cloudflare;
- Authentication via Google OAuth — we do not store passwords;
- PCI-DSS scope offloaded to Stripe — we never see full card numbers;
- Role-based access controls on administrative tooling;
- Logging and monitoring for anomalous activity.
We do not currently hold formal certifications (SOC 2, ISO 27001). Where a personal-data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours (GDPR Art. 33). Where the breach is likely to result in a high risk, we will notify affected users without undue delay (Art. 34).
11. Children's Privacy
The Service is not directed to children under 13 (under 16 in the EEA, in line with GDPR Art. 8). We do not knowingly collect personal information from such individuals. If we learn we have collected personal information from a child, we will delete it. Parents or guardians who believe a child has provided personal information should contact [email protected].
12. EU / UK Representative
The Service is operated by an individual developer outside the European Union and the United Kingdom. We are evaluating the need to appoint a Representative under GDPR Art. 27 and UK GDPR equivalent provisions, and will appoint one if and when our EU or UK user base warrants it. In the meantime, EEA and UK users may contact us directly at [email protected] and exercise all GDPR rights described in Section 8.
13. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify you by email and via an in-product banner at least 14 days before they take effect. Non-material changes (clarifications, typos, formatting) take effect on posting. The "Last updated" date at the top of this page reflects the latest revision. Previous versions are available on request to [email protected].
14. Contact
All inquiries — privacy, support, refund, security — [email protected]
We operate without a postal office; correspondence is electronic.