← Home

Privacy Policy

Privacy Policy

Last updated: 19 April 2026

This Privacy Policy explains how Fletcher Digital Limited ("we", "us", "our") collects, uses, stores and protects your personal data when you use JourneyScore (the "Service") at journeyscore.io.

Fletcher Digital Limited is a company registered in Scotland, United Kingdom. We are the data controller for personal data processed through the Service.

If you have any questions about this policy or your data, contact us at [email protected].

1. What this policy covers

This policy applies to personal data we process when you:

  • Create a JourneyScore account
  • Use any feature of the Service, including free scans, paid plans, and connected integrations
  • Visit journeyscore.io
  • Contact us by email or through the Service

2. Information we collect

2.1 Information you provide

  • Account data: name, email address, and password (hashed, never stored in plain text)
  • Billing data: we use Stripe to process payments. We do not store your full card number or CVC. Stripe provides us with a customer ID, the last four digits of your card, the card brand, and your subscription status
  • Website and SEO data you submit: URLs, domains, and page content you ask the Service to scan or analyse
  • Communications: any messages you send us

2.2 Information collected automatically

  • Usage data: pages viewed, features used, scan counts, and credit consumption
  • Technical data: IP address, browser type, device type, operating system, and referring URL
  • Cookies: we use strictly necessary cookies for authentication and session management. We also use analytics cookies to understand how the Service is used (see Section 7)

2.3 Information from connected Google services

If you connect your Google Search Console account to JourneyScore, we access the following data via Google APIs, with your explicit consent:

  • Your Google account email address and profile name, used to identify which Google account is connected
  • Google Search Console performance data for properties you select: clicks, impressions, click-through rate, average position, query data, page data, and sitemap data
  • Property and site lists from your Search Console account

We request the read-only scope (webmasters.readonly). We do not and cannot write, modify, submit, or delete anything in your Search Console account.

Use of Google user data (Limited Use compliance): JourneyScore's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google Search Console data to provide and improve the user-facing SEO analysis features inside JourneyScore, including keyword cannibalisation detection, quick-wins reporting, branded and non-branded traffic splits, commercial intent scoring, click-through rate anomaly detection, content gap analysis, and declining keyword alerts
  • We do not transfer Google user data to third parties except as necessary to provide or improve these features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with prior user notice
  • We do not use Google user data for serving advertisements, including retargeting, personalised advertising, or interest-based advertising
  • We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, we need to for security purposes, to comply with law, or the data is aggregated and used for internal operations in accordance with the Limited Use policy
  • We do not use Google user data to train generalised or third-party AI or machine learning models

3. How we use your data

We use your data to:

  • Provide the Service, including running scans, generating reports, and storing historical data for trend analysis
  • Authenticate you and keep your account secure
  • Process payments and manage your subscription
  • Send transactional emails (account confirmations, billing notifications, security alerts)
  • Send product updates and marketing emails, where you have consented (you can unsubscribe at any time)
  • Respond to support requests
  • Improve the Service by analysing aggregated usage patterns
  • Detect, prevent, and investigate fraud, abuse, and security incidents
  • Comply with our legal obligations

4. Legal basis for processing (UK GDPR)

We process your personal data under the following legal bases:

  • Contract: to provide the Service you have signed up for
  • Legitimate interests: to keep the Service secure, prevent fraud, improve the Service, and communicate with existing customers about similar products
  • Consent: for marketing emails to non-customers, non-essential cookies, and connecting optional third-party services such as Google Search Console
  • Legal obligation: to comply with accounting, tax, and other legal requirements

5. How we share your data

We do not sell your personal data. We share it only with the following categories of recipient:

  • Stripe, Inc. and its group companies, for payment processing. Stripe's privacy policy is at stripe.com/privacy
  • MailerLite Limited, for sending transactional and marketing emails. MailerLite's privacy policy is at mailerlite.com/legal/privacy-policy
  • Google LLC, where you choose to connect Google Search Console. Google's privacy policy is at policies.google.com/privacy
  • Our analytics provider, for understanding aggregated site usage. This processes technical data such as IP address and browser type
  • Professional advisers (accountants, lawyers), where legally required
  • Authorities, where required by law, court order, or to protect our rights or the rights of others

6. International transfers

Some of our service providers are based outside the UK and EEA, including in the United States. Where data is transferred outside the UK or EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or the UK Extension to the EU-US Data Privacy Framework where applicable.

7. Cookies and analytics

We use cookies and similar technologies for:

  • Strictly necessary: authentication, session management, and security. These cannot be disabled
  • Analytics: to understand how visitors use the Service. We use this data in aggregated form only

You can control non-essential cookies through the cookie banner shown on your first visit, and you can change your choice at any time through your browser settings.

8. Data retention

We keep your data for as long as your account is active, plus:

  • Account and billing data: retained for 7 years after account closure, for tax and accounting purposes
  • Google Search Console data: retained while your account is active and your Google connection is authorised. If you disconnect Google Search Console or close your account, we delete the associated GSC data within 30 days
  • Marketing data: until you unsubscribe, then deleted within 30 days
  • Support correspondence: 3 years after the last contact
  • Backups: may persist for up to 90 days beyond the primary deletion

9. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (subject to legal retention requirements)
  • Restrict or object to processing
  • Data portability (receive your data in a machine-readable format)
  • Withdraw consent at any time
  • Disconnect any connected Google account, which you can do at any time from your account settings or by visiting myaccount.google.com/permissions
  • Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk)

To exercise any of these rights, email us at [email protected]. We will respond within one month.

10. Security

We protect your data using:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for sensitive data
  • Hashed and salted passwords (bcrypt)
  • OAuth 2.0 for all Google account connections (we never see or store your Google password)
  • Access controls limiting staff access to production data
  • Regular security patching and monitoring

No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant regulator in accordance with UK GDPR.

11. Hosting

JourneyScore is self-hosted on Coolify infrastructure located in the United Kingdom.

12. Children

JourneyScore is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect. The "Last updated" date at the top of this page shows the most recent revision.

14. Contact us

Fletcher Digital Limited Email: [email protected] Website: journeyscore.io

Questions about this policy? Contact us. · Terms of Service