Privacy policy
Last updated: 23 May 2026
1. Who is the data controller
StormCloud AI is the data controller for personal data you provide to us when using the Service. Contact us at privacy@stormcloudai.com for any data protection matter.
2. What we collect
- Account data — name, email address, hashed password, plan.
- Site data — domains you register and the public content of pages we crawl.
- Business profile — answers you provide in the questionnaire (services, keywords, GBP details).
- Credentials — when you choose to connect a platform (WordPress, Shopify, Cloudflare, GitHub, Google Search Console). Stored encrypted at rest and used only to perform actions you request.
- Payment data — handled directly by Stripe; we store only the subscription/customer IDs returned to us.
- Usage data — server logs (IP, timestamps, endpoints) to operate and secure the Service.
3. Why we use it (lawful basis)
- Contract — to deliver the Service you signed up for.
- Legitimate interest — to keep the platform secure, prevent abuse, debug issues, and improve the product.
- Legal obligation — to retain financial records for the period required by UK law.
- Consent — when you connect Google Search Console and other third-party accounts.
4. Who we share data with
We share data only with third parties needed to run the Service:
- Stripe — payment processing.
- Anthropic (Claude AI) — to generate plain-English explanations and plans. Your business profile and site issues are sent for analysis; Anthropic does not train on this data per their API terms.
- Google APIs — PageSpeed Insights and Search Console, when you connect them.
- AWS — hosting and email delivery (eu-west-1).
We do not sell your data. We do not share it with advertisers. We do not use third-party analytics on the customer dashboard.
5. Where data is processed
Data is primarily processed in the UK and the EU. Some sub-processors (Anthropic, parts of Stripe) operate servers in the US — we rely on appropriate safeguards (Standard Contractual Clauses and the UK Addendum) for those transfers.
6. How long we keep it
- Active account data — for as long as your account exists.
- Deleted accounts — removed from active systems within 30 days; logs are retained for up to 90 days.
- Financial records — 6 years, as required by UK accounting rules.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you (use the export button in your account).
- Correct inaccurate data (update your profile in your account).
- Delete your account and associated data (use the delete control in your account).
- Restrict or object to certain processing — contact us.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
8. Cookies
We use a single first-party authentication token (your sign-in token, stored in localStorage rather than in a cookie), which is strictly necessary to keep you signed in. We do not use third-party tracking cookies or analytics cookies on the customer dashboard. The marketing site may use minimal cookies; see its own notice.
9. Security
Passwords are hashed with bcrypt. Connected credentials are encrypted at rest. Traffic is HTTPS only. We review access regularly and follow the principle of least privilege. No system is ever 100% secure — if you suspect a breach involving your account, tell us immediately at security@stormcloudai.com.
10. Changes to this policy
We may update this policy as the Service evolves. Material changes will be flagged on this page and, where appropriate, notified by email.
Plain-English summary: we use what we need to run the platform, store credentials encrypted, share only with services that make the product work, and let you take your data and delete your account whenever you like.