Privacy Policy

Last updated: April 15, 2026 · v1.3

1. Information We Collect

When you use Roasted, we collect:

  • URLs you submit — to perform the website analysis
  • Email address — if you sign up, join the waitlist, or subscribe
  • Usage data — pages visited, features used, analysis history (via Supabase)
  • Payment information — processed securely by Stripe; we do not store card details
  • Log data — IP address, browser type, referring URLs, timestamps

2. How We Use Your Information

We use collected information to:

  • Perform website analysis and deliver results
  • Send product updates, feature announcements, and marketing emails (with your consent)
  • Process payments and manage your subscription
  • Improve the Service through aggregate usage analytics
  • Respond to support requests and communications
  • Comply with legal obligations

3. Marketing Communications and Email Consent

We only send marketing emails — product updates, feature announcements, tips — to users who have explicitly opted in. Each email collection point in the Service presents a clear, optional checkbox:

  • Waitlist form — "Send me a launch notification and occasional product updates from Roasted"
  • Account signup — "Send me product updates and feature announcements from Roasted"
  • Pro early-bird notification — "Email me launch updates and product news"

Declining the checkbox does not affect your ability to join the waitlist, create an account, or use any feature of the Service.

Consent is stored and audited. When you opt in (or out), we record your email address, the source surface (e.g., waitlist form, signup form, pricing page), a timestamp, and your IP address in an append-only audit log. This log is retained as a compliance audit trail and is the authoritative record that gates all campaign sends — we never send marketing email to addresses that have not granted consent or that have since unsubscribed.

Transactional emails (account confirmation, password reset, subscription receipts) are sent to all registered users regardless of marketing consent, as they are necessary to operate the Service.

Unsubscribe. Every marketing email contains a unique, tokenized unsubscribe link. Clicking it immediately revokes your marketing consent and logs a revoke event to our audit trail. You can also withdraw consent by emailing hello@getroastedby.ai. We will never sell your email address to third parties.

4. Information Sharing

We do not sell your personal information. We may share data with:

  • Supabase — our database and consent-state provider; the authoritative source of truth for all user data, email consent records, unsubscribe tokens, and permission state
  • Resend — our transactional and marketing email delivery provider; receives only the email address and template content for permitted sends. Resend checks consent state in Supabase before dispatching any campaign email
  • Stripe — for payment processing
  • Anthropic/OpenAI — for AI analysis (URLs and scraped content are processed by AI models)
  • Vercel — our hosting provider
  • Law enforcement — when required by applicable law

5. Website Analysis and Scraping

When you submit a URL, we access and analyze its publicly available content. This includes visible text, images, metadata, and technical attributes. We do not store the full scraped content of third-party websites beyond what is needed to generate the analysis. Analysis results associated with your account are stored and accessible to you through your account history.

Aggregate roast activity. Roasted may display aggregate, non-identifying statistics about a URL when another user enters that URL — for example, the total number of public roasts performed on that domain and the most recent public score. These statistics are derived only from roasts that were already public and shareable, and they never disclose the identity of anyone who submitted a roast. You can suppress a specific roast from appearing in these aggregates by making the roast private (Plus only) or deleting it.

6. Domain Claiming & Alert Notifications

What we collect:

  • Domain verification data (domain name, verification method, verification token)
  • Claimed domain list associated with your account
  • Alert delivery preferences (frequency, email address)

How we use it:

  • To verify domain ownership via DNS or HTML verification
  • To deliver roast alert notifications to verified domain owners
  • To display roast history for claimed domains in your dashboard

Key protections:

  • Alert emails are only sent to users who have actively completed domain verification (explicit opt-in through the verification action)
  • We do NOT send unsolicited emails to domain owners who have not completed verification
  • The identity of users who submit roasts is never shared with domain owners
  • Users can unclaim domains, disable alerts, or delete claim data at any time

When a roast is performed on a claimed domain, analysis results are shared with the verified domain owner: score and grade for free accounts, full findings for Plus accounts. The identity of the person who submitted the roast is never shared.

7. Data Retention

We retain your account data for as long as your account is active. Analysis results are retained for 12 months by default. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.

8. Cookies and Tracking

We use essential cookies for authentication, session management, and security. If you choose to accept analytics cookies, we enable Mixpanel to measure aggregate product usage such as page views, roast starts, roast completions, upgrade clicks, and downloads. If you decline, Mixpanel stays off. We log the banner choice itself to Supabase so we can keep an audit trail of consent decisions. We do not use advertising cookies or sell behavioral data to ad networks.

9. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Opt out of marketing emails at any time
  • Export your analysis history (data portability)
  • Unclaim domains and immediately stop receiving alert notifications
  • Change alert frequency or disable alerts while maintaining a domain claim
  • Request deletion of all domain verification and claim data

To exercise these rights, email privacy@getroastedby.ai

10. Security

We implement industry-standard security measures including HTTPS encryption, secure database storage via Supabase, and Stripe for PCI-compliant payment processing. No system is 100% secure; we encourage you to use a strong, unique password.

11. Children's Privacy

Roasted is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on the Service. Continued use after changes constitutes acceptance of the updated policy.

13. Contact

Privacy questions? Email privacy@getroastedby.ai