XenonFlare ("we", "us") provides SEO software for website operators. This policy explains what we collect, why we collect it, and your choices.
Information we collect
- Account data — when you sign in with Google we receive your email, name, and profile image to operate app.xenonflare.com.
- Website crawl data — URLs, page content, and SEO signals from sites you add for auditing.
- Usage & logs — job history, scan results, and technical logs for reliability and abuse prevention.
Google user data (OAuth APIs)
When you connect Google services in the web app, you authorize XenonFlare through Google's OAuth consent screen. We request only the narrow read-only scopes needed for the Connectors features you enable. We do not modify your Google Search Console or Google Analytics properties through these integrations.
Google Sign-In
Used to authenticate you at app.xenonflare.com. We receive your Google account email, display name, and profile picture. We use this solely to create and operate your XenonFlare account.
Google Search Console (read-only)
Scope: https://www.googleapis.com/auth/webmasters.readonly. You choose which Search Console property to link per website. With your authorization we may access and store:
- Search performance metrics (queries, pages, clicks, impressions, CTR, average position)
- URL inspection and index coverage status for URLs on sites you manage in XenonFlare
- Sitemap submission status where available
- OAuth refresh tokens and short-lived access tokens needed to sync this data on your behalf
We use Search Console data to show performance and indexation insights in the Connectors workspace, correlate findings with crawl and SEO audit results, and surface recommendations for sites you have added. We do not use this data for advertising or sell it.
Google Analytics 4 (read-only)
Scope: https://www.googleapis.com/auth/analytics.readonly. You choose which GA4 property to link per website. With your authorization we may access and store:
- Aggregated traffic metrics (sessions, users, page views, bounce rate, average session duration)
- Daily traffic trends and top page paths for the linked property
- GA4 property and account names shown in the property picker
- OAuth refresh tokens and short-lived access tokens needed to sync this data on your behalf
We use GA4 data to display traffic summaries alongside SEO and Search Console context in the Connectors workspace. We do not use this data for advertising or sell it.
How we access, store, and retain Google user data
- Access — only after you start the OAuth flow and approve the requested scopes. Sync jobs run when you request a refresh or on scheduled syncs for linked properties.
- Storage — OAuth tokens and synced API responses are stored in our application database (MongoDB) on infrastructure we control. Tokens are used only to provide the connected features for your workspace.
- Sharing — we do not sell Google user data. We share it only with subprocessors that host or operate the service (for example cloud hosting and database providers) under contractual obligations consistent with this policy.
- Retention — synced Search Console and GA4 snapshots are kept while the property remains linked and according to your plan's data retention limits. Disconnecting a property or organization stops new syncs; linked tokens can be revoked from Connectors settings or your Google Account permissions page.
- Deletion — unlink connectors in the app, delete the website or organization, or contact [email protected]. We will remove associated tokens and stored API snapshots as part of those deletion flows.
Data protection for sensitive Google user data
Search Console and GA4 connector data, including OAuth tokens and synced API responses, is sensitive. We protect it with the following mechanisms:
- Encryption in transit — all traffic between your browser and XenonFlare, between our API and Google APIs, and between internal services is encrypted with HTTPS (TLS).
- Encryption at rest — application data, including Google OAuth tokens and synced API snapshots, is stored on encrypted storage volumes on infrastructure we operate.
- Access controls — synced Google user data is visible only to authenticated members of your XenonFlare workspace. Production databases and servers are accessible only to authorized personnel on a need-to-know basis (for example operations, support, security, or legal compliance).
- Credential handling — OAuth refresh tokens are stored in our application database and used solely to perform connector syncs you authorize. Selected other credentials use application-level AES-256-GCM encryption.
- Security monitoring — we apply rate limiting, logging, and monitoring to help detect and respond to unauthorized access attempts.
Google API Services User Data Policy
XenonFlare's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In summary, we use Google user data only to provide and improve user-facing features you request, we do not use it to serve ads, and we do not sell it. Human review of Google user data is limited to support, security, or legal needs with appropriate safeguards.
How we use information
We use collected data to provide and improve the service, including:
- Running SEO scans, AI suggestions, and fix workflows you request
- Processing subscriptions through Stripe, including billing emails (welcome, trial reminders, payment issues)
- Monitoring system health and preventing abuse of public tools
- Responding to support requests at [email protected]
Sharing
We do not sell personal information. We share data with subprocessors needed to operate the product (e.g. hosting, MongoDB, OpenAI for AI features, Google PageSpeed Insights, Google OAuth APIs for Sign-In and optional Connectors, Stripe) under appropriate agreements.
Retention & deletion
You may delete websites, organizations, or your entire account from the web app settings. Contact [email protected] for additional requests.
Automated retention (web app) — limits depend on your plan; see Plan limits in the dashboard for your workspace. In general:
- SEO scores and issue counts are kept
- full crawl site maps and per-scan logs are removed after 30–180 days (newest scans always kept)
- job queue logs are capped and purged after 30–180 days
- monthly score rollups are kept 24 months
- in-app notifications expire after 90 days
- keyword rank history after 90 days
- public audit share links after 7 days
- Search Console and GA4 connector snapshots while linked and subject to the same workspace retention rules
Cookies & analytics
We use strictly necessary cookies for authentication and product operation. Optional Google Analytics on our marketing site and web app is separate from GA4 Connectors data above — it is disabled until you accept it in our cookie banner or on the cookie policy page. You can withdraw consent at any time from that page.
Contact
Privacy questions: [email protected]