Privacy Policy
How Scavo collects, uses, and protects your data.
Most privacy policies are static documents nobody checks. Ours is backed by the same monitoring engine that powers every Scavo dashboard — our scanner periodically runs privacy and legal checks on this site, compares them to what the policy promises, and publishes the results below. If something drifts, visitors see the mismatch directly.
This panel shows current privacy-related product defaults and the latest linked privacy/legal self-check where available. It supplements the formal policy below; it does not replace it.
| Signal | What we say | What the scanner found |
|---|---|---|
| Consent choices | Optional analytics should stay off until visitors can clearly accept, reject, or reopen cookie choices. | Observed consent interface baseline passed. For this scan context, a consent surface plus reject/manage controls were detected. |
| Privacy disclosures | The policy should clearly explain tracking, cookie categories, and how people can manage those choices later. | Policy disclosures detected. Privacy and cookie disclosure surfaces were detected for the scanned scope. |
| California / GPC rights | Where California sale or sharing rights apply, people should have a clear opt-out path and GPC handling should be explained. | California opt-out signals detected. California rights links, privacy-signal disclosure text, and live GPC runtime controls were detected. |
| Policy ↔ runtime alignment | Privacy wording and live site behavior should not drift apart on key consent and disclosure controls. | Disclosure and runtime signals are broadly aligned. No major disclosure/runtime contradictions were detected in this scan scope. |
Page path · Coarse country · Device type · Browser family · Consent state · Journey or tool outcome
Full form field values · Passwords, tokens, and cookie values · Page HTML or page content · Raw tool inputs and fetched payloads · Full referrers or unbounded URLs
Formal privacy policy text starts immediately below this snapshot.
Formal policy document. The live transparency snapshot above is an operational companion, not a replacement for the legal wording below.
1. Information We Collect
When you use Scavo, we collect the following information:
- Account Information: Name, email address, and password when you create an account
- Website Data: URLs you submit for scanning and the technical data we collect during scans
- Payment Information: Processed securely through Stripe (we don't store your card details)
- Contact Requests: Name, email, company, website, and message details you submit via our contact form
- Usage Data: How you interact with the service, including page views, journey steps, CTA clicks, and tool interaction events (when optional analytics is enabled)
- Technical Data: IP address, browser type, coarse device/browser family, consent state, and cookies
2. How We Use Your Information
We use your information to:
- Provide and improve our website scanning and monitoring services
- Send you scan reports and alerts about your website's health
- Process your payments and manage your subscription
- Communicate with you about service updates and support
- Respond to contact inquiries, plan questions, and technical support requests
- Prevent fraud and ensure the security of our service
- Analyze usage patterns to improve our product
- Generate automated technical and compliance signals about scanned websites
- Generate prioritized fix guidance based on observed scan evidence
3. Data Sharing and Disclosure
We do not sell your personal data. We may share your information with:
- Service Providers: Stripe for payment processing, Postmark for app-generated email delivery, hosting and infrastructure providers, and other processors that help us operate support and security workflows
- Legal Requirements: When required by law or to protect our rights and safety
- Business Transfers: In the event of a merger, acquisition, or sale of assets
4. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (HTTPS/SSL)
- Secure password hashing
- Regular security audits and updates
- Access controls and authentication measures
However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
5. Your Rights and Privacy Choices
If you are in the UK, European Economic Area, or another jurisdiction with similar privacy rights, you may have the right to:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data
- Right to Restriction: Limit how we use your data
- Right to Data Portability: Receive your data in a structured format
- Right to Object: Object to our processing of your data
- Right to Withdraw Consent: Withdraw consent at any time
We do not sell personal data, and optional analytics on our public pages stays off unless you explicitly accept it. If your browser sends a privacy preference signal such as Global Privacy Control (GPC), our public pages still begin in that no-optional-analytics state; strictly necessary storage remains unaffected.
If you are in California and want to exercise an access, deletion, or opt-out style request, or want us to review a specific privacy concern, contact us at [email protected] and we will handle the request through the appropriate process.
For the live public-page control path, see Your Privacy Choices below.
Your Privacy Choices
- Optional cookies stay off unless you allow them: public-page analytics and other optional storage stay disabled until you choose Accept Optional.
- You can change your choice any time: use the persistent Cookie Settings control in the footer to reject, withdraw, or review optional-cookie choices.
- We honor Global Privacy Control on public pages: when a supported browser sends GPC, we treat that as a request to keep optional cookies and optional analytics off.
- We do not sell or share personal data for cross-context behavioral advertising on our public pages. If that ever changes for a specific flow, we will add a clearer opt-out path and explain it here.
6. Cookies, Local Storage, and Tracking
We use essential cookies for core site operation. Optional cookies are only set after you choose Accept Optional in the cookie banner.
You can change or withdraw optional-cookie consent at any time using the Cookie Settings link in our footer. If you reject optional cookies, we clear optional first-party cookies and optional local-storage keys that power analytics, preference memory, and prompt suppression.
Our optional analytics is privacy-limited: we track page visits, coarse country (via edge headers), coarse device/browser family, and aggregate tool usage outcomes. We do not record keystrokes, form field values, page content, or full tool-input payloads.
For example, tool telemetry can include a tool slug, action type, and success/failure outcome, but not the submitted domain content or fetched robots.txt body.
Essential
Needed for security, routing, and core platform behavior.
- scavo_session (Scavo): Maintains secure authenticated session state and CSRF/session continuity. Duration: Up to session timeout or browser close.
- scavo_remember (Scavo): Keeps you signed in on a trusted device when you explicitly choose remember me. Duration: 7 days.
- scavo_cookie_consent (Scavo): Stores your cookie preference (accept/reject) and consent version timestamp. Duration: 180 days (configurable).
Preferences
Stores choices such as currency display for faster repeat visits.
- scavo_currency (Scavo): Remembers your preferred currency across pages and sessions. Duration: 1 year.
Engagement
Helps us avoid repeating prompts and improve high-intent journeys.
- scavo_exit_shown (Scavo): Prevents repeatedly showing the same exit-intent prompt. Duration: 7 days.
Analytics
Measures useful interactions so we can improve product decisions.
- scavo_analytics_id (Scavo): Anonymous visit/session identifier for pageview, funnel, and country/device analytics. Duration: 30-minute rolling inactivity window.
When optional features are enabled, we may also write local-storage keys in your browser: scavo_currency, scavo_analytics_sid.
This list covers first-party cookies set directly by Scavo. Third-party providers may set additional cookies when embedded services load.
7. Data Retention
We use retention windows that vary by data type and operational need. Current baseline windows include:
- Scan history and detail: up to 365 days each
- Analytics: raw events up to 180 days and session rollups up to 120 days
- Email/webhook operational logs: typically up to 90 days each
- Demo scan results: up to 7 days
- Contact inquiries, demo leads, and support messages: stored in our support/admin systems for follow-up and abuse prevention, then removed when no longer needed
- Post-cancellation account records: up to 90 days where needed for service operations
When you delete your account, we remove account-linked monitoring, scan, analytics, settings, and website data from our primary application systems. Some transaction or provider-side records may still be retained by payment processors, email processors, or where required by law.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your jurisdiction. We ensure appropriate safeguards are in place to protect your data in accordance with GDPR requirements.
9. Children's Privacy
Scavo is not intended for users under 18 years of age. We do not knowingly collect personal data from children.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes by email or through our service. Continued use after changes constitutes acceptance.
11. Automated Compliance Signals
Scavo provides automated technical compliance signals across selected frameworks, does not cover every legal obligation or jurisdiction, and does not provide legal advice. Compliance-related outputs are automated technical indicators based on observed website behavior, not a comprehensive legal audit.
Our checks cover a broad set of practical requirements and common frameworks, but they do not cover every obligation in every jurisdiction. You should validate high-impact decisions with qualified legal counsel.
12. Automated Scanning Identity
Scavo performs user-initiated technical scans for URLs submitted by users. We do not run broad internet crawling.
For transparency, scanner requests identify as:
- User-Agent: ScavoBot
- From header: [email protected]
- Scanner info: https://scavo.ai/legal/privacy
- Web Bot Auth Signature-Agent: https://scavo.ai/.well-known/http-message-signatures-directory#scavobot-v1
- Web Bot Auth key directory: https://scavo.ai/.well-known/http-message-signatures-directory
- Web Bot Auth key id: TRvc62U4tBmDHfhzl1-3VuPXmbz6gAZJ-mT7zNPysgM
If you want us to stop scanning your site, contact [email protected] with your domain and request details.
13. Contact Us
If you have questions about this privacy policy or wish to exercise your rights, contact us:
- Email: [email protected]
- Contact page: https://scavo.ai/contact