Privacy Policy

Last updated: April 19, 2026

1. Data controller

Verity Score is operated by Kamil Kanaoui (independent publisher). Contact: [email protected]. This policy covers all Verity Score services: the marketing website (verityscore.io), the public GEO audit tool, and the MCP server (api.verityscore.io/mcp) distributed via npm, the official MCP registry and Smithery.

2. Data we collect

2.1 Marketing website (verityscore.io)

  • No third-party cookies, no advertising pixels, no analytics trackers
  • Technical server logs (IP address, User-Agent, requested URL, timestamp) kept by Cloudflare Pages for security and abuse prevention

2.2 Lead / free audit form

  • URL of the store to audit (public information)
  • Email address you voluntarily provide to receive the report
  • First and last name if you fill them in
  • Submission timestamp, IP, User-Agent

2.3 GEO audit (execution)

When an audit runs, we fetch public data only from the audited site:

  • HTML of public pages (homepage, PDPs, collections, policy pages)
  • Publicly exposed files: robots.txt, sitemap.xml, llms.txt, /.well-known/agent-card.json, JSON-LD / schema.org
  • Technical screenshots (main PDP) used internally for diagnostics

No customer data, no account, no admin area and no cart content is ever accessed. Verity Score only sees what an anonymous crawler would see.

2.4 MCP server (api.verityscore.io): connections from ChatGPT, Claude, Cursor, etc.

When an MCP client (OpenAI Platform, Claude Desktop, Cursor, Smithery…) invokes one of our 5 MCP tools, we collect:

  • Tool inputs (the only parameter you provide):
    • get_geo_score, check_ai_readiness, get_recommendations: a domain name (e.g. mybrand.com)
    • explain_topic: a GEO keyword (e.g. schema.org, llms.txt)
    • get_vertical_info: a vertical name (e.g. beauty)
  • Request metadata: IP address, User-Agent (truncated to 200 characters), Origin or Referer header (to identify the MCP client used), timestamp, tool name, response status (success, queued, not_found, error).
  • No personally identifiable information is required by our MCP tools. We never ask for email, name, authentication tokens, or access to your ChatGPT / Claude account.

2.5 Outputs returned by the MCP server

MCP tools return only: the public GEO score of the domain, audit findings (issues and recommendations), vertical benchmarks, or editorial content from our Knowledge Base. No personal data is returned. If a domain has not been audited yet, the server returns a not_yet_audited status and queues the domain for automatic audit within 72 hours.

3. Purposes of processing

  • Provide audit results and the GEO recommendations requested by the user or MCP client
  • Abuse prevention: rate-limiting (10 requests/minute per IP on the MCP server), SSRF protection, automated script detection
  • Aggregated usage metrics: request counts per tool, per MCP client (Claude Desktop vs Cursor vs OpenAI), per vertical, to prioritize tool improvements
  • Respond to your requests (contact form, support)
  • Legal obligations (security log retention)

4. Legal basis (GDPR)

  • Legitimate interest (Art. 6.1.f GDPR): running audits on public data, security, abuse prevention, service improvement
  • Contract / pre-contractual steps (Art. 6.1.b): delivering the audit report following an explicit request via the form
  • Consent (Art. 6.1.a): product communications (if you opt in)

5. Recipients and sub-processors

Your data is never sold, rented, or shared for third-party marketing. It is processed only by the following technical sub-processors, strictly necessary to operate the service:

  • Cloudflare Pages (United States / global edge network): marketing site hosting, CDN, TLS termination
  • Railway (United States): audit server and MCP server hosting
  • MongoDB Atlas (European Union, Frankfurt region): storage of audits, MCP logs (mcp_requests) and leads
  • Notion (United States): internal dashboard for MCP usage tracking (audited domain, tool name, status), pseudonymized, no email or IP address
  • OpenAI: used solely for findings generation during a GEO audit (API calls with the public HTML of the site); OpenAI contractually commits to not reusing this data for model training (API Data Usage Policy)
  • Resend (European Union): transactional emails (audit report delivery)

Data transfers outside the EU are covered by the European Commission's Standard Contractual Clauses.

6. Retention periods

Data                                      Retention
Audit results (full report)               24 months from the audit date
MCP server logs (IP, UA, tool, domain)    Rolling 90 days
Lead / contact email                      36 months from last contact
Cloudflare / Railway security logs        30 days
Notion usage tracker (aggregated)         12 months

7. Security

  • All communications are encrypted with HTTPS (TLS 1.3)
  • Security headers: HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • MCP server: SSRF protection (private / link-local IPs blocked), Zod input validation, 10 req/min/IP rate-limit, Ed25519 DNS authentication for the MCP registry
  • MongoDB access restricted by IP allow-list and strong authentication
  • No payment data is stored (not applicable to our service)

8. Your rights (GDPR)

You have the following rights regarding your personal data:

  • Right of access: obtain a copy of all data we hold about you
  • Right to rectification: correct inaccurate data
  • Right to erasure: permanently delete your data (audit, email, MCP logs tied to your IP)
  • Right to restriction: temporarily limit processing
  • Right to portability: receive your data in structured JSON format
  • Right to object: object to processing based on legitimate interest
  • Right to withdraw consent at any time (marketing emails)

To exercise these rights, email [email protected] with your request. We reply within 30 days. You also have the right to lodge a complaint with your local supervisory authority (in France: cnil.fr).

9. Minors

Verity Score is intended for e-commerce professionals. It is not designed to knowingly collect data from individuals under 16.

10. Policy updates

This policy may be updated to reflect changes to the service or regulations. The last update date is shown at the top of this page. Material changes are notified (website banner, email to active users).