Legal
Privacy Policy
Overview
Venet (“we”, “our”, or “us”) operates a website maintenance tracking platform for freelancers and agencies. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and how long we keep it.
By creating an account or using Venet, you agree to the practices described in this policy. If you have questions, contact us at info@venet.dev.
A note on client data: Venet is a tool used by freelancers and agencies to manage their clients’ websites. When you store client names, email addresses, or other information in Venet, you are the data controller for that data and are responsible for your own compliance with applicable privacy laws in relation to your clients.
What we collect
Account & identity information
When you sign up via Google, GitHub, or email magic link, we collect your name, email address, and profile picture URL from your OAuth provider. If you sign in with email, we store your email address.
Optionally, you may add a business name and logo used for branded reports. These are stored in your account profile and only shared as part of reports you explicitly generate and send.
OAuth tokens
When you connect a Google account for Analytics or Search Console integration, we store encrypted Google OAuth access and refresh tokens and the connected Google account email. These tokens are stored using AES-256-GCM encryption and are used solely to fetch data on your behalf from Google’s APIs. You can disconnect your Google account at any time from Settings.
OAuth tokens from your sign-in provider (Google or GitHub) are also stored in our database as part of the standard NextAuth.js session mechanism and deleted when you delete your account.
Client site information
For each site you manage, you may optionally record a client name, client email address, site URL, CMS type, hosting provider, and free-form notes. This information is stored in our database and associated with your account. Client email addresses are used to send reports when you explicitly trigger that action.
Billing information
Paid subscriptions are handled by Stripe. We store your Stripe Customer ID and Subscription ID to link your account to your Stripe billing record. We do not store payment card details — those are held exclusively by Stripe.
For Scale and Enterprise plans, we report your active site count to Stripe for usage-based billing. No site URLs or client names are included in that report — only the count.
Monitoring data
Venet automatically collects the following technical data for sites you add:
- Uptime ping results — HTTP status code, response time, and check timestamp, collected approximately every 5–30 minutes depending on your plan
- SSL certificate details — issuer, expiry date, and validity status, checked daily
- PageSpeed scores — Lighthouse performance, accessibility, best practices, and SEO scores, collected monthly via Google PageSpeed Insights (your site URL is sent to Google’s public API)
- Google Analytics & Search Console data — if you connect a Google account, we fetch pageviews, sessions, top pages, and Search Console data monthly and store it in our database
Session data
We use database-backed sessions (not JWTs). A session token is stored in a cookie in your browser and linked to your account in our database. Sessions expire automatically and are revoked on sign-out.
During OAuth sign-in, a short-lived CSRF state cookie (expires after 10 minutes) is set and then deleted after the OAuth callback completes. We do not set any tracking or advertising cookies.
Usage logs
Like most web services, our hosting infrastructure (Vercel) may log standard request metadata such as IP address, user agent, and timestamps. These logs are managed by Vercel under their own privacy policy and are not stored in our application database.
How we use your data
We use the data we collect to:
- Create and maintain your account and authenticate your sessions
- Provide the core maintenance tracking, uptime monitoring, SSL checking, and reporting features
- Send transactional emails: magic sign-in links, site down/recovered alerts, SSL expiry warnings, cycle reminders, follow-up reminders, and maintenance reports
- Apply your branding (business name, logo, primary color) to reports you generate
- Process your subscription, track plan limits, and calculate usage-based billing
- Fetch Google Analytics and Search Console data on your behalf when you connect a Google account
- Deliver automated features you enable: auto-cycle creation, auto SSL/PageSpeed checks on cycle start, auto-archive, and auto-report sending
We do not use your data for advertising, sell it to third parties, or use it to train AI models.
Data sharing & third-party processors
We share data with the following third-party processors to operate the service. All processors are contractually bound to handle data in accordance with applicable privacy law.
Your email address, name, and billing details are shared with Stripe to create a customer record and manage your subscription. For metered plans, your active site count is reported to Stripe daily. Stripe may store and process this data in the United States.
All emails sent by Venet — including sign-in magic links, site alerts, report deliveries, and cycle reminders — are delivered via Resend. Recipient email addresses and email content are transmitted to Resend. Resend may retain delivery logs per their own retention policy.
Generated PDF reports and task screenshots are stored in Cloudflare’s R2 object storage. PDFs for shared reports are accessible via a unique token URL. Screenshots are only accessible to your authenticated account.
When Venet runs a PageSpeed audit for a site, the site’s URL is sent to Google’s public PageSpeed Insights API. Google may log this request per their own policies. No user-identifying information is included.
If you connect a Google account, Venet uses your stored OAuth tokens to read GA4 and Search Console data from Google’s APIs on your behalf. We store your access and refresh tokens encrypted in our database. We do not write data to Google’s systems. You can revoke access at any time.
All application data described in this policy is stored in a PostgreSQL database hosted by Neon. Data is encrypted at rest. Neon is located in the United States.
Venet is hosted on Vercel. Request logs including IP addresses and user agents may be collected by Vercel’s infrastructure. Vercel is located in the United States.
Public report sharing
When you generate a report and share the public link with a client, that report becomes accessible to anyone who has the link. Public reports include site name, maintenance task details, task notes, screenshots, performance scores, and your business branding. The link does not expire by default. You should treat the public report URL as a shared secret — do not post it publicly.
We record a “viewed at” timestamp the first time a public report link is accessed, which is visible to you in your account. No other tracking occurs on public report pages.
No sale of personal data
We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes.
Data retention
Account data
Your account data — including your profile, sites, templates, cycles, tasks, reports, and monitoring history — is retained for as long as your account is active. Deleting your account immediately and permanently deletes all associated data from our database through cascading deletes. This action is irreversible.
Uptime monitoring data
Uptime ping records are automatically deleted after 13 months by a weekly automated cleanup process. This allows year-over-year comparisons while preventing unbounded data growth. SSL check history and PageSpeed audit history are retained for the life of your account.
Session tokens
Database sessions expire automatically. Sign-out immediately invalidates the session token.
Email verification tokens
Magic link tokens used for email sign-in expire after 10 minutes and are not reusable.
Subscription cancellation & grace period
When you cancel a paid subscription, your plan downgrades to Free at the end of your billing period. If your account exceeds Free plan limits at that point (e.g. you have more sites than the Free tier allows), we store a scheduled deletion date 180 days after your subscription ends. During this grace period, you can either reduce your sites to fit the Free tier or reactivate a subscription to prevent deletion. If you take either action, the scheduled deletion is cancelled. If neither action is taken, your excess data may be removed after the 180-day period.
Files (PDFs & screenshots)
PDF reports and screenshots stored in Cloudflare R2 are associated with your account. When you delete a report or task, the associated file is removed. When you delete your account, files stored in R2 will be removed.
Security
We take reasonable technical and organisational measures to protect your data:
- All data is transmitted over HTTPS (TLS)
- Google OAuth tokens (for Analytics/Search Console integration) are stored encrypted using AES-256-GCM
- Database sessions are used instead of JWTs, making sessions immediately revocable
- OAuth CSRF state is validated on every callback to prevent token injection
- Database connections use encrypted channels; data is encrypted at rest by Neon
No method of transmission or storage is 100% secure. If you believe there has been a security incident affecting your data, please contact us immediately at info@venet.dev.
Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — update inaccurate information via your account settings
- Deletion — delete your account and all associated data at any time from Settings → Account. This is immediate and irreversible.
- Restriction — request that we limit processing of your data in certain circumstances
- Portability — request your data in a portable format (note: we do not currently have an automated data export tool; contact us and we will assist manually)
- Objection — object to certain processing activities
- Withdraw consent — where processing is based on consent, withdraw it at any time (e.g. disconnect your Google account integration from Settings)
To exercise any of these rights, contact us at info@venet.dev. We will respond within 30 days.
California residents (CCPA)
California residents have the right to know what personal information we collect, the right to delete it, the right to opt out of sale (we do not sell personal information), and the right to non-discrimination for exercising these rights.
EEA / UK residents (GDPR / UK GDPR)
Our legal basis for processing your personal data is performance of a contract (providing the service you signed up for) for core functionality, and legitimate interests for security and fraud prevention. Where we rely on legitimate interests, you have the right to object. You also have the right to lodge a complaint with your local supervisory authority.
Children’s privacy
Venet is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page. If changes are significant, we may also notify you by email. Continued use of Venet after changes take effect constitutes acceptance of the updated policy.
Contact us
For privacy-related questions, data requests, or concerns, contact us at:
Email: info@venet.dev
We aim to respond to all privacy enquiries within 30 days.