# Privacy Policy

> Verity Score privacy policy. Data collected, purposes, recipients, retention and rights for the website, the GEO audit and the MCP server.

- Canonical HTML: https://verityscore.io/en/privacy/
- Markdown alternate: https://verityscore.io/en/privacy.md
- Language: en
- Content type: trust/compliance
- Updated: 2026-04-19
- Robots: noindex on HTML; Markdown exists for trust verification and agent ingestion

## 1. Data controller

Verity Score is operated by Kamil Kanaoui (independent publisher). Contact: hello@verityscore.io.

This policy covers the marketing website verityscore.io, the public GEO audit tool and the MCP server api.verityscore.io/mcp distributed via npm, the official MCP registry and Smithery.

## 2. Data collected

Marketing website: no third-party cookies, no advertising pixels and no analytics trackers. Technical server logs may be kept by Cloudflare Pages for security and abuse prevention.

Lead / free audit form: the store URL to audit, voluntarily provided email, first/last name if filled in, timestamp, IP and User-Agent.

GEO audit: public data only from the audited site, including public page HTML, robots.txt, sitemap.xml, llms.txt, /.well-known/agent-card.json, JSON-LD/schema.org and internal diagnostic screenshots.

No customer data, account, admin area or cart content is accessed. Verity Score only sees what an anonymous crawler would see.

MCP server: tool inputs (domain, topic or vertical) and request metadata (IP, truncated User-Agent, Origin/Referer, timestamp, tool name, response status). No email, name, authentication token or ChatGPT/Claude account access is required.

## 3. MCP outputs

MCP tools return only the public GEO score of the domain, audit findings, recommendations, vertical benchmarks or editorial Knowledge Base content. If a domain has not yet been audited, the server returns `not_yet_audited` and queues it for automatic audit within 72 hours.

## 4. Purposes

- Provide audit results and GEO recommendations
- Prevent abuse: rate-limiting, SSRF protection and automated script detection
- Measure aggregate usage by tool, MCP client and vertical
- Respond to contact and support requests
- Meet legal obligations and retain necessary security logs

## 5. GDPR legal basis

- Legitimate interest: audits on public data, security, abuse prevention and service improvement
- Contract or pre-contractual steps: delivering the requested audit report
- Consent: product communications if the user opts in

## 6. Recipients and sub-processors

- Cloudflare Pages: hosting, CDN and TLS termination
- Railway: audit server and MCP server hosting
- MongoDB Atlas (EU, Frankfurt): audits, MCP logs and leads
- Notion: pseudonymized internal MCP usage dashboard
- OpenAI: findings generation from the public HTML of the audited site; API data is not reused for model training
- Resend: transactional audit report emails

Data is never sold, rented or shared for third-party marketing.

## 7. Retention

- Audit results: 24 months
- MCP server logs: rolling 90 days
- Lead/contact email: 36 months from last contact
- Cloudflare/Railway security logs: 30 days
- Aggregated Notion tracker: 12 months

## 8. Security

- HTTPS TLS 1.3
- HSTS, CSP, X-Content-Type-Options, Referrer-Policy and Permissions-Policy headers
- MCP server: SSRF protection, Zod validation, 10 req/min/IP rate-limit and Ed25519 DNS authentication for the MCP registry
- MongoDB restricted by IP allow-list and strong authentication
- No payment data stored

## 9. GDPR rights

Users have rights of access, rectification, erasure, restriction, portability, objection and consent withdrawal. To exercise these rights: hello@verityscore.io. We reply within 30 days. Complaints may be lodged with the relevant supervisory authority.

## 10. Minors and updates

Verity Score is intended for e-commerce professionals and is not designed to knowingly collect data from individuals under 16.

This policy may be updated to reflect service or regulatory changes. Users are notified of material changes.
