Legal

Privacy Policy

Your privacy matters. Here's exactly what we collect, why, and how we protect it.

Effective Date: February 14, 2026

Last Updated: February 14, 2026

Social Traffic Inc. ("we", "us", "our") operates the website socialtraffic.ca and the SiteTacks dashboard application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our tools, or engage with our services.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address, name, and optionally your business type, website URL, and timezone. If you sign in with Google, we receive your name, email, and profile picture URL from Google's OAuth service.

1.2 Contact Form & Lead Capture

When you submit our contact form, we collect your name, email, phone number, and message. We also record your IP address, user agent, referrer URL, and UTM parameters to understand how you found us.

1.3 Free SEO Audit Tool

When you use our free SEO scanner, we collect the URL you submit for analysis along with your IP address, user agent, and referrer. The scan analyzes the publicly available content of the submitted URL. If you optionally provide your email for a PDF report, that email is stored separately.

1.4 AI Voice Demo

When you use our AI demo, we collect the website URL you submit and your IP address. If you proceed to receive a demo call, we additionally collect your name, email, phone number, and explicit consent to be contacted. Call metadata (start time, end time, duration) is recorded. Call audio is processed by our voice AI provider and is not stored permanently by us.

1.5 Chat Widget

Our AI chat widget collects the messages you send, the page URL where the conversation occurred, your IP address, user agent, and UTM/referrer data. If you voluntarily share your name, email, or phone number during conversation, that information is captured for follow-up.

1.6 Google Search Console Integration

If you connect your Google Search Console account, we store an encrypted OAuth refresh token to access your GSC data on your behalf. We sync search keyword performance data (queries, clicks, impressions, position) and index coverage status. Access tokens are never stored permanently. You can disconnect at any time, which deletes all stored tokens and synced data.

1.7 Payment Information

Payments are processed by Stripe. We store Stripe identifiers (customer ID, subscription ID) and billing period dates. We never store your credit card numbers, CVV, or full payment details — these are handled entirely by Stripe in compliance with PCI DSS.

1.8 Automatically Collected Data

We use Google Analytics 4, Google Tag Manager, and Facebook Pixel to collect usage analytics including pages visited, time on site, device type, browser, and geographic region. We use reCAPTCHA v3 for bot protection, which may collect device and browser data. We use session cookies for authentication (2-week duration, HTTP-only, secure).

2. How We Use Your Information

We use collected information to:

Provide and maintain our services, including SEO scans, AI demos, and dashboard features
Respond to your inquiries and provide customer support
Process payments and manage subscriptions
Send transactional emails (scan results, password resets, account notifications)
Generate personalized SEO recommendations based on your business type
Sync your data with connected third-party services (GSC, CRM) at your request
Detect and prevent fraud, abuse, and security threats
Analyze usage patterns to improve our services
Comply with legal obligations

3. Third-Party Services

We share data with third-party service providers strictly as necessary to operate our services:

ServicePurposeData Shared

StripePayment processingEmail, billing info

Google OAuthAuthenticationEmail, name, profile picture

Google Search ConsoleSEO data syncOAuth token (encrypted)

Google Analytics / GTMUsage analyticsAnonymous usage data

Facebook PixelAdvertising analyticsAnonymous page events

VapiAI voice calls (demo)Phone number, call audio

Anthropic / OpenAIAI features (chat, content)Chat messages, content prompts

ResendEmail deliveryEmail address, email content

AWS S3File storageUploaded media files

Google reCAPTCHABot protectionDevice/browser signals

Google PageSpeedSEO scan performance dataURL being scanned

4. Cookies & Tracking

We use the following cookies:

Session cookie (essential) — Maintains your login session. HTTP-only, secure. Expires after 2 weeks.
CSRF cookie (essential) — Prevents cross-site request forgery attacks. HTTP-only.
Google Analytics cookies (analytics) — Tracks anonymous site usage. Set by Google.
Facebook Pixel cookie (advertising) — Tracks conversion events. Set by Facebook.
reCAPTCHA cookie (essential) — Bot detection. Set by Google.

5. Data Security

We implement the following security measures:

Passwords are hashed using Argon2 (industry-leading algorithm)
OAuth refresh tokens are encrypted at rest using Fernet symmetric encryption
All data transmitted over HTTPS/TLS
HTTP-only, secure session cookies to prevent XSS token theft
Content Security Policy (CSP) headers enforced
Brute force protection with automatic account lockout after 5 failed attempts
API rate limiting (100 requests/hour for anonymous, 1000/hour for authenticated users)
CSRF protection on all forms and state-changing endpoints
X-Frame-Options: DENY to prevent clickjacking
Daily automated database backups

6. Data Retention

User accounts — Retained until you delete your account
SEO scan data — Retained indefinitely for historical comparison. Old data is periodically cleaned
AI demo sessions — Automatically expire and are cleaned up after 30 minutes
Chat conversations — Retained for support and service improvement
GSC keyword data — 16 months (matching Google's own retention period)
Lead/contact data — Retained until deleted by an administrator
Payment records — Retained as required by tax and accounting law
Login attempt logs — Failed login attempts are retained for security and cleared after 1 hour

7. Your Rights

Depending on your jurisdiction, you may have the right to:

Access — Request a copy of the personal data we hold about you
Correction — Request correction of inaccurate personal data
Deletion — Request deletion of your personal data
Portability — Request your data in a machine-readable format
Withdraw consent — Withdraw consent for data processing at any time
Object — Object to processing of your data for marketing purposes
Disconnect — Disconnect third-party integrations (e.g., GSC) at any time from your dashboard, which deletes associated tokens and synced data

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will promptly delete it.

9. International Data Transfers

Social Traffic Inc. is based in Canada. Your data may be processed in Canada, the United States, and other jurisdictions where our service providers operate. By using our Service, you consent to the transfer of your data to these jurisdictions, which may have different data protection laws than your country of residence.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

Social Traffic Inc.

Email: [email protected]

Phone: (855) 576-0406

Questions about your data?

We're transparent about how we handle your information. Reach out anytime.