What exactly does Indexora generate?

Indexora generates three critical technical SEO assets: a clean XML Sitemap, an AI-optimized Robots.txt file, and Rich JSON-LD Schema markup tailored for Local Business and FAQ discovery.

Will this help me rank on ChatGPT and Perplexity?

Yes. Our assets are specifically formatted to be machine-readable. We generate Entity Schema which helps Large Language Models understand the relationship between your brand, products, and location.

How is the Deep Cloud Scan different from the free version?

The free version relies on data Google has already indexed. The Deep Cloud Scan uses real-time crawlers to visit every page of your site, rendering JavaScript to find content that search engines might be missing.

Is the generated code safe for my website?

Absolutely. We generate static HTML, XML, and JSON code. We do not require database access or install plugins. You simply copy-paste the files we provide.

Do you store my website data?

We process your data transiently to generate the assets. We do not use your private content to train public AI models, and we do not store your site's body content permanently.

Should I use Organization or LocalBusiness schema?

If you have a physical location customers visit, use LocalBusiness. If you are an online-only entity or SaaS, use Organization. Indexora handles both automatically.

Is the Free Forever plan really free?

Yes. You can generate a standard sitemap and robots.txt as many times as you like without paying. We only charge for the advanced AI Schema and Deep Crawl features.

How do I contact support?

You can reach our team directly at support@indexora.app.

Privacy Policy

Last updated: May 2026 · Waripixel · Arlington, Texas, United States

Indexora is operated by Waripixel ("we", "our", or "us"), a business based in Arlington, Texas, United States. This Privacy Policy explains how we collect, use, store, and share your personal information when you visit our website or use our SEO and discoverability services.

We serve users worldwide, including in the European Union (EU) and European Economic Area (EEA). Where applicable, we comply with the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Information We Collect

A. Information You Provide Directly

Account registration: When you create an account, we collect your email address and password (stored as a salted hash — we never see your plaintext password).
Scan inputs: When you use the generator tool, you provide us with a target website URL, business name, business type, location, and optionally a phone number, email address, and description.
Payment information: For premium purchases, you provide billing details (name, billing address, card number) directly to Stripe. We receive only a payment confirmation token and payment intent ID — we never store raw card data on our servers.
Agency branding data: If you enable the white-label feature, we collect the agency name, logo image, and brand color you provide. This data is used solely to apply your branding to generated PDFs and is not shared with third parties.
Communications: If you contact us by email, we retain that correspondence.

B. Information Collected Automatically

Usage data: IP address, browser type and version, operating system, pages visited, time spent on pages, and referring URLs.
Device data: Device type, screen resolution, and locale settings.
Analytics events: We use Amplitude and Google Analytics 4 (GA4) to track product usage events — for example, when a GEO Score scan is submitted, when a report is viewed, or when a payment flow is initiated. These events are associated with an anonymous device ID, not your name or email.
Cookies and local storage: See Section 8 (Cookies) below.
Security challenges: Cloudflare Turnstile collects minimal interaction data (mouse movements, timing) to verify you are human. No personal data is stored by Turnstile beyond the session.

C. Information From Third Parties

Stripe: We receive payment status, billing country, and a partial card identifier (last 4 digits) to display on receipts.
Supabase Auth: If you sign in via a social OAuth provider in a future release, we will receive your name and email from that provider.

2. AI Processing and Website Scanning

Indexora offers two types of website scanning. By submitting a URL, you confirm you own that website or have permission to scan it.

GEO Score Analyzer (free): When you submit a URL for a free GEO Score scan, we send that URL to Google's PageSpeed Insights API to retrieve Core Web Vitals and performance data. For new or low-traffic sites, we may also route the request through our own Lighthouse auditing service (hosted on Google Cloud Run) to generate lab-based performance metrics. The URL you submit is processed by these services subject to Google's Privacy Policy.
Deep Scan / AI Visibility Kit (paid): Our Deep Scan feature uses automated crawling and AI models to analyze publicly accessible pages on the URL you submit. Scraped page content is processed in memory to generate your SEO assets. We do not permanently store the raw text of your scanned website.
AI providers: Scraped content from paid scans is sent to OpenAI's API (GPT-4o-mini) to generate FAQs, meta descriptions, and other assets. OpenAI processes this data subject to their Privacy Policy. We have a data processing agreement in place with OpenAI.
No model training: We do not use your scan data to train our own AI models or share it with third parties for training purposes.
Generated asset storage: Files from one-time purchases are backed up to Cloudflare R2 (object storage) for 7 days to allow download, then automatically deleted. Files from active Hosted Files subscriptions are retained on R2 for the duration of the subscription and deleted within 30 days of cancellation.

3. Legal Basis for Processing (GDPR)

For users in the EU/EEA and UK, we process your personal data under the following legal bases (Article 6 of the GDPR):

Performance of a contract (Art. 6(1)(b)): Processing your scan inputs, managing your account, and delivering the assets you paid for.
Legitimate interests (Art. 6(1)(f)): Fraud prevention, security monitoring, and improving the reliability of our service. We have balanced these interests against your rights and concluded they do not override your privacy interests.
Legal obligation (Art. 6(1)(c)): Retaining transaction records for tax and accounting compliance as required by U.S. and Texas law.
Consent (Art. 6(1)(a)): For non-essential cookies and marketing communications, where we obtain your consent separately.

4. How We Use Your Information

To create and manage your account.
To provide GEO Score analysis for submitted URLs.
To generate the SEO assets you requested.
To process and verify your payment and send you a receipt.
To send transactional emails (scan completion, receipt, scan failure) via Resend.
To prevent fraud, abuse, and unauthorized access using rate limiting and Cloudflare security features.
To comply with tax obligations (Texas sales tax collection and remittance via Stripe Tax).
To respond to your support inquiries.
To improve our Service based on aggregated, anonymized usage patterns.

We do not use your personal data for advertising, profiling, or selling to third parties.

5. Data Sharing and Third-Party Processors

We do not sell your personal data. We share data only with the following trusted service providers who process data on our behalf under strict contractual obligations:

Stripe — Payment processing and tax calculation. Privacy Policy
Supabase — User authentication and database hosting (PostgreSQL). Data is stored in a U.S.-based region. Privacy Policy
Cloudflare — DDoS protection, bot mitigation (Turnstile), edge network, and R2 object storage for generated files. Privacy Policy
OpenAI — AI-powered content generation (GPT-4o-mini). Website content you submit for scanning may be sent to OpenAI. Privacy Policy
Resend — Transactional email delivery (receipts, scan completion notifications). Privacy Policy
Google Cloud Run — Our crawl engine and Lighthouse performance auditing service run on Google Cloud infrastructure. Scan job metadata and submitted URLs are processed transiently. Privacy Policy
Google PageSpeed Insights API — We send submitted URLs to Google's PageSpeed Insights API to retrieve Core Web Vitals and performance data for the GEO Score. Privacy Policy
Amplitude — Product analytics and event tracking. We track anonymized usage events (e.g., scan submissions, report views) to understand how the product is used. No personally identifiable information is included in tracked events. Privacy Policy
Google Analytics 4 (GA4) — Website analytics for aggregated traffic measurement. Data is anonymized and not linked to individual user accounts. Privacy Policy

We may also disclose your data if required by law, court order, or to protect our legal rights.

6. Data Retention

Account data: Retained for as long as your account is active. If you delete your account, we delete your profile data within 30 days.
Scan job records: Scan metadata (URL, tier, status) is retained for 12 months to support your access to job history.
Generated files (R2 — one-time purchases): Automatically deleted after 7 days.
Hosted Files (R2 — active subscription): Retained for the duration of your Hosted Files subscription. Files are deleted within 30 days of subscription cancellation.
Payment records: Retained for 7 years as required by U.S. tax law.
Server logs: Retained for 30 days for security and debugging purposes, then purged.

7. International Data Transfers

Indexora is operated from the United States. If you are located in the EU/EEA, UK, or another jurisdiction with data transfer restrictions, your personal data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place for these transfers, including:

Standard Contractual Clauses (SCCs) as approved by the European Commission for transfers to our sub-processors.
Data Processing Agreements with all third-party processors listed in Section 5.
Reliance on providers that participate in the EU-U.S. Data Privacy Framework (DPF) where applicable.

8. Cookies and Tracking

We use the following types of cookies and local storage:

Strictly necessary cookies: Authentication session tokens (Supabase Auth), CSRF protection tokens. These cannot be disabled without breaking the Service.
Security cookies: Cloudflare sets cookies (e.g., __cf_bm) for bot detection and DDoS protection.
Preference cookies: We store your dark/light mode preference in localStorage. No personal data is involved.
Analytics cookies and storage: Amplitude and Google Analytics 4 set first-party cookies and use localStorage to maintain anonymous session and device identifiers for usage analytics. These do not contain personally identifiable information. You may opt out of analytics tracking via your browser's Do Not Track signal or by blocking these domains in your browser.

We do not use advertising or behavioral targeting cookies.

9. Your Privacy Rights

EU/EEA and UK Users (GDPR / UK GDPR)

You have the following rights under the GDPR:

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
Right to erasure (Art. 17): Ask us to delete your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction of processing (Art. 18): Ask us to temporarily halt processing of your data.
Right to data portability (Art. 20): Request your data in a machine-readable format.
Right to object (Art. 21): Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

You also have the right to lodge a complaint with your local supervisory authority. EU residents may contact their national Data Protection Authority; UK residents may contact the Information Commissioner's Office (ICO).

California Users (CCPA / CPRA)

California residents have the right to:

Know what personal data we collect, use, disclose, and sell (we do not sell your data).
Request deletion of your personal data.
Opt out of the sale or sharing of personal information (not applicable — we do not sell data).
Non-discrimination for exercising your privacy rights.

How to Exercise Your Rights

To exercise any of the above rights, email us at ppa.aroxedni@ycavirp with your request. We will respond within 30 days (GDPR) or 45 days (CCPA) of receipt. We may request proof of identity before acting on your request.

10. Children's Privacy

Indexora is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.

11. Security

We implement industry-standard technical and organizational measures to protect your data:

All data in transit is encrypted using TLS 1.2 or higher.
Passwords are hashed using bcrypt (managed by Supabase Auth).
Payment data is handled exclusively by Stripe and is PCI-DSS compliant.
Access to production databases is restricted to authorized personnel only.
We conduct periodic security reviews of our infrastructure.

No method of transmission over the Internet is 100% secure. In the event of a data breach that affects your personal data, we will notify you and relevant authorities as required by applicable law.

12. Language

This Privacy Policy is currently available in English. A French version will be made available when the French edition of Indexora launches. In the event of any conflict between translations, the English version shall prevail.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes take effect when posted on this page with an updated "Last updated" date. For material changes, we will notify registered users by email at least 14 days in advance. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

14. Contact and Data Controller

The data controller for your personal data is:

Waripixel (operating as Indexora)
Arlington, Texas, United States
Email: ppa.aroxedni@ycavirp

For all privacy-related questions, data subject requests, or concerns, please contact us at the email above. We aim to respond within 5 business days.