Privacy Policy

1. Data Controller

The data controller responsible for your personal data is Smart Squad S.r.l. ("Smart Squad"), an Italian limited liability company. You can learn more about the company at Smart Squad.

Registered office: Via Savorgnana 1, 33100 Udine (UD), Italy. Partita IVA / Codice Fiscale: 02898170309. REA: UD-296388. Incorporated on 17 July 2017.

For any privacy-related or formal legal request, you can reach us at [email protected].

2. Data We Collect

We collect only the data we need to provide and secure the Service. Depending on how you use isready.ai, this may include:

• Account data — the email address you sign up with, your user ID, an optional display name, and any GitHub or Google account you choose to connect for sign-in.
• Scan data — the URLs you submit for scanning and the resulting AI-readiness reports, deep-scan results, Smart Agent reports, and scores. Scans run anonymously are not linked to an account.
• Workspace and team data — workspace names, member email addresses, roles, invitations, verified domains, and monitoring schedules.
• Chat data — when you use "Ask your site", the messages you send and the AI responses are stored as conversation threads, together with the scan they are grounded on.
• Usage metering — counts of AI messages, generations, and tokens consumed per billing period, used to enforce plan quotas and fair-use limits.
• Billing data — when you subscribe to a paid plan, your Stripe customer and subscription identifiers, subscription status, billing period, and limited payment-method details (card brand and last four digits). We do not store full card numbers; payment details are handled by Stripe.
• API key data — a prefix and a hash of any API keys you generate (we never store the full key), their scopes, expiry, and last-used time.
• Technical data — for abuse prevention and rate-limiting we store a salted SHA-256 hash of your IP address rather than the raw IP, along with basic request metadata.

3. How and Why We Use Your Data

We use your personal data for the following purposes:

• To provide the Service — running scans, generating reports, powering the Smart Agent and "Ask your site" chat, monitoring domains, and issuing README badges.
• To manage your account, workspaces, team members, and invitations.
• To process subscriptions, payments, renewals, and cancellations through Stripe.
• To enforce plan entitlements, quotas, and fair-use limits.
• To send transactional emails such as scan reports, monitoring alerts, and team invitations.
• To secure the Service, prevent abuse, and protect against fraud, scanning of unauthorized targets, and server-side request forgery (SSRF).
• To comply with our legal obligations.

4. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases:

• Performance of a contract (Art. 6(1)(b)) — to deliver the Service you have requested and signed up for, including running scans, chat, and billing.
• Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, meter usage, and improve reliability, balanced against your rights and freedoms.
• Legal obligation (Art. 6(1)(c)) — to retain billing records and comply with applicable law.
• Consent (Art. 6(1)(a)) — where we ask for it, for example for optional communications; you can withdraw consent at any time.

5. Service Providers and Processors

We share personal data with carefully selected providers who process it on our behalf, under appropriate data processing agreements. Our main processors and partners are:

• Supabase — database, authentication, and storage for accounts, scans, workspaces, chat threads, and usage records (see Supabase’s Data Processing Addendum).
• Stripe — payment processing and subscription management (see Stripe’s privacy policy).
• Resend — delivery of transactional emails such as scan reports, alerts, and team invitations.
• Vercel — hosting, serverless compute, isolated sandbox rendering for Smart Agent scans, and the Vercel AI Gateway used to route requests to AI model providers.
• Cloudflare — Turnstile CAPTCHA and bot protection during sign-up and certain actions.
• GitHub — OAuth sign-in and the isready.ai GitHub Action.

6. AI Model Providers

The Smart Agent and "Ask your site" chat are powered by large language models. By default, your messages and the relevant scan context are sent through the Vercel AI Gateway to a model provider we have selected to generate responses. Depending on configuration, the underlying provider may be one of:

• Anthropic (Claude)
• OpenAI (ChatGPT)
• Google (Gemini)
• xAI (Grok)

7. Bring-Your-Own AI Key (BYO)

If you choose to bring your own AI provider key (BYO), your prompts and the related scan context are sent directly to the AI provider you select, using your own credentials and under that provider’s own terms and privacy policy. In that case we do not route those prompts through our default model provider, and the provider you choose acts as an independent controller or processor for that data. You are responsible for your use of, and compliance with, your chosen provider’s terms.

8. International Transfers

Some of our providers may process data outside the European Economic Area (EEA). Where this happens, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, or transfers to countries recognized as providing an adequate level of protection.

9. Data Retention

We keep personal data only for as long as necessary for the purposes described in this policy.

• Account, workspace, and domain data are kept for as long as your account is active.
• Scan reports and score history are retained according to your plan (for example, a shorter history window on the Free plan and longer windows on paid plans), or until you delete them.
• Chat threads are retained until you delete them or close your account.
• IP-address hashes used for rate-limiting are short-lived and used only for abuse prevention.
• Billing records are retained as required by applicable tax and accounting law.
• When you close your account, we delete or anonymize your personal data within a reasonable period, except where we are legally required to retain it.

10. Your Rights

Subject to applicable law, you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, and the right to data portability. You may also withdraw consent where processing is based on consent.

To exercise any of these rights, contact us at [email protected]. You also have the right to lodge a complaint with your local data protection authority; in Italy this is the Garante per la protezione dei dati personali.

11. Cookies and Essential Storage

isready.ai uses only the cookies and local storage strictly necessary to operate the Service — primarily to keep you signed in and to maintain your session and preferences. We do not use advertising cookies or sell your data. If we introduce any non-essential or analytics cookies in the future, we will ask for your consent where required.

12. Security

We apply technical and organizational measures to protect your data, including encryption in transit, hashing of API keys and IP addresses, access controls, and reliance on reputable infrastructure providers. No method of transmission or storage is completely secure, but we work to protect your data using industry-standard practices.

13. Children

The Service is not directed to children. It is intended for use by professionals and organizations, and you must be at least 16 years old (or the minimum age required in your country) to use it. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

15. Contact

If you have any questions about this Privacy Policy or how we handle your data, contact Smart Squad S.r.l. at [email protected], or visit smartsquad.io.