SearchProof
LeaderboardHow it worksAdd your site

Privacy Policy

Last updated: June 13, 2026

SearchProof publishes verified Google Search Console metrics that site owners choose to share publicly. This policy explains, in plain terms, what we access, what we store, how we use it, who we share it with, and how you can remove your data or exercise your privacy rights. If you have any questions, email us at admin@search-proof.com.

SearchProof has no accounts and no login. We only know who you are while you are actively completing a Google sign-in to connect or remove a site. The rest of the time, the only personal data we hold is what you chose to make public and the limited records needed to keep it current.

What we access from Google

When you connect your Google account, SearchProof requests read-only access to Google Search Console (the webmasters.readonly scope). We use it only to:

  • List the Search Console properties you own, so you can choose which to add.
  • Read aggregate search performance for the properties you add — clicks, impressions, click-through rate (CTR), and average position.

We never request write access, and we never read query-, page-, country-, or device-level detail. We cannot change anything in your Google account or your Search Console settings.

What we collect and store

  • Your Google account email. Captured during the sign-in flow to identify the Google connection that owns a site and, in our analytics, to recognize a returning connection.
  • An encrypted Google refresh token. Stored encrypted at rest so our daily sync can keep your metrics current without you signing in each time. It is never shown, logged in plain text, or shared.
  • Aggregate daily metrics for the properties you add (clicks, impressions, CTR, average position by date). On first connect we backfill up to roughly 16 months of this history so all time ranges are populated.
  • Usage and device data via analytics. Like most websites, we measure how the site is used: pages viewed, buttons and features used, approximate location derived from IP address, browser and device type, and error/diagnostic events. See Cookies and analytics below.
  • Referral / campaign parameters (e.g. UTM tags in the link you arrived from), used to understand where visitors come from.

We do not collect payment information, and SearchProof is free to use. We do not sell your data or use it for advertising profiling.

How we use your data

  • To provide the service — display the public Site Pages and leaderboard you opted into.
  • To keep your published metrics current through the daily Scheduled Sync.
  • To verify property ownership when you add or remove a site.
  • To understand usage and improve the product (which features are used, where users get stuck).
  • To detect, prevent, and debug errors, abuse, and security issues.
  • To comply with legal obligations where they apply.

Legal bases (for users in the EU / UK)

Where the GDPR or UK GDPR applies, we rely on: your consent and your request to perform a service when you connect Google and choose to publish a property; and our legitimate interests in operating, securing, and improving SearchProof for analytics and diagnostics. You can withdraw consent at any time by removing your sites and revoking access (see Your rights).

What becomes public

Only the properties you explicitly add become public Site Pages and leaderboard entries, showing the aggregate metrics described above and a public site label. Nothing is published until you choose to add it, and you can remove any site at any time, which permanently deletes its stored data.

Cookies and analytics

We use PostHog for product analytics. PostHog sets cookies (or similar local storage) to recognize a browser across page views, and it captures pageviews, interaction events, approximate location from IP, device/browser information, and uncaught errors. Analytics requests are routed through our own domain (a reverse proxy at /ingest). When you sign in with Google, we associate your analytics activity with your Google email so we can understand the connect and removal flows. You can limit this through your browser settings or by using your browser’s “Do Not Track” / tracking-prevention features.

Who we share data with

We do not sell your data. We share data only with the service providers that make SearchProof work:

  • Google — source of the Search Console metrics and the sign-in provider.
  • PostHog — product analytics and error tracking.
  • Our hosting and database provider — to run the application and store data.
  • Legal authorities — only where we are legally required to disclose information.

International data transfers

Some of our providers (including PostHog) may process data in the United States or other countries. Where required, transfers rely on appropriate safeguards such as Standard Contractual Clauses.

Data retention

  • Refresh token and metrics: kept while your site is active and synced. They are permanently deleted when you remove the site, and the token is discarded when you remove your last site or revoke SearchProof’s access in Google.
  • Disconnected properties: if a token is revoked or expires, the property is hidden from the public while its history is preserved in case you re-authorize. You can delete it permanently via the removal flow.
  • Analytics data: retained according to our analytics provider’s standard retention period.

Security

We request only read-only Google access, store refresh tokens encrypted at rest with an environment-held key, and serve all traffic over HTTPS. No system is perfectly secure, but we limit what we collect and what we can do with it by design.

Children

SearchProof is intended for site owners and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact admin@search-proof.com and we will delete it.

Your rights

Depending on where you live (e.g. under the GDPR/UK GDPR or California CCPA/CPRA), you may have the right to access, correct, delete, export, or restrict the processing of your personal data, and to object to certain processing. Because SearchProof has no accounts, you can act on most of these directly:

  • Delete your data: visit /remove, re-authenticate with Google, and remove any site. All stored data for that site is permanently deleted.
  • Revoke access: remove SearchProof at myaccount.google.com/permissions. Your sites are then hidden from the leaderboard.
  • Any other request (access, correction, export, or a complaint): email admin@search-proof.com. You also have the right to lodge a complaint with your local data protection authority.

Google API Services — Limited Use

SearchProof’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We use Google Search Console data only to provide and improve the user-facing features described in this policy, we do not transfer or sell it for advertising or other unrelated purposes, and we do not allow humans to read it except as needed for security, to comply with the law, or with your explicit consent.

Changes to this policy

We may update this policy as the product evolves. We will update the “Last updated” date above, and for material changes we will provide clearer notice on the site.

Contact

Questions or privacy requests? Email admin@search-proof.com.

FAQ

Can other people see my keywords?

No. SearchProof only reads and shows aggregate totals — never the search terms, pages, or countries behind them.

How do I remove my site?

Visit /remove, re-authenticate with Google, and delete any site. All stored data for that site is permanently deleted.

How do I revoke access?

Remove SearchProof from your Google account permissions at myaccount.google.com/permissions. Your sites are then hidden from the leaderboard.