Skip to main content
WhyIQ: AI-powered conversion rate optimisation tool

whyiq / legal

Privacy Policy

Last updated: April 2026

1. Information We Collect

We collect the minimum information needed to provide the service:

  • Email address: collected when you sign in via magic link. Used solely for authentication and transactional emails.
  • URLs you submit: when you run a scan, the URL you provide is sent to the Anthropic Claude API for analysis. We store the URL alongside your scan results.
  • IP address: logged temporarily for rate limiting and abuse prevention. Not linked to your account or stored beyond that purpose.
  • Payment information: billing is handled entirely by Stripe. We do not store or have access to your card number, CVV, or full payment details. We retain only your Stripe customer ID and subscription status.
  • Scan results: the visitor simulation output generated for each URL you submit is stored in our database and associated with your account. For Pro and Agency plans, this includes accessibility audit data: DOM structure analysis, colour contrast measurements, form field accessibility metadata, and interactive element properties used for WCAG compliance checking. All data is derived from the publicly accessible page you submit.
  • Product analytics: we collect anonymous usage data to improve the product. This includes pages visited, buttons clicked, scroll depth, and feature usage. For signed-in users, this data is linked to your account so we can understand how different customer segments use the tool. We also record browsing sessions (mouse movements, clicks, and page content) to diagnose usability issues. Session recordings mask password fields. All analytics are processed by PostHog (EU servers) using cookieless, in-memory tracking. No data is stored on your device for analytics purposes.

2. How We Use Your Information

  • To provide and operate the whyiq service.
  • To send magic link sign-in emails via Resend (transactional only; no marketing without explicit opt-in).
  • To enforce rate limits and prevent automated abuse of the scanning engine.
  • To process payments and manage your subscription through Stripe.
  • To improve the product. We may review aggregated, anonymised usage patterns to understand how the tool is used.

3. Data Sharing

We share data only with the third-party services required to operate whyiq. We do not sell your data.

  • Anthropic: URLs you submit and their associated content are processed by the Claude API to generate visitor simulations. Anthropic's privacy policy applies to data sent to their API.
  • Stripe: payment processing. Stripe receives your email address and billing information to manage subscriptions. Their privacy policy applies.
  • Resend: we use Resend to deliver magic link emails. Your email address is passed to Resend for this purpose only.
  • PostHog: product analytics and session recording. PostHog receives anonymised usage events and, for signed-in users, your user ID and email to link activity to your account. Data is processed on PostHog's EU servers. Their privacy policy applies.
  • Railway: our infrastructure is hosted on Railway. Application data, including your scan results, resides on Railway-managed servers.

4. Data Retention

  • Scan results are retained for 90 days from the date of the scan, then permanently deleted.
  • Email address is retained while your account is active. Deleting your account removes it.
  • Magic links expire 15 minutes after they are issued and cannot be reused.

5. Your Rights

You have the right to:

  • Request deletion: email hello@whyiq.ai and we will delete your account and all associated data within 30 days.
  • Export your data: request a copy of your scan history by emailing us.
  • Unsubscribe: all transactional emails include an unsubscribe link. You can also contact us directly to opt out.

6. Cookies and Browser Storage

We use only strictly necessary storage. No advertising cookies are set. Product analytics (PostHog) run in cookieless mode using in-memory storage only, so no analytics data is persisted on your device.

  • Session cookie (whyiq_session): set server-side when you sign in. HttpOnly (not accessible to JavaScript), Secure in production, 30-day TTL. Used exclusively to keep you authenticated. Deleted on sign-out.
  • Device ID (whyiq_device_id, localStorage): a randomly generated token stored in your browser's localStorage. Used solely to enforce the one free scan limit for signed-out visitors and prevent abuse of the scanning engine. It is never linked to your identity, never sent to third parties, and contains no personal information. You can clear it by clearing your browser's site data.
  • Upload temp data (sessionStorage): if you upload an HTML file for analysis, the file contents are held in sessionStorage only for the duration of the browser tab session and cleared immediately after the scan is submitted. Nothing is persisted beyond the tab.
  • Cookie notice (whyiq_cookie_notice_v1, localStorage): a single flag stored when you dismiss the cookie notice, so it is not shown again on repeat visits.

7. Contact

Questions about this policy or your data? Email us at hello@whyiq.ai. We aim to respond within 5 business days.

Questions about your data? hello@whyiq.ai