Privacy Policy
Last updated: 2026-05-29
mtool is a marketing toolkit for SEO, AI traffic analysis, and content quality grading. This policy explains what data mtool collects, how it is used, and how long it is kept.
mtool is operated by the individual / team running the deployment you are signing in to. The deployment operator is the data controller for your data. If you are evaluating a copy of mtool hosted by your company, your company is the controller.
1. Account data
When you sign up, mtool stores your email address and (if you chose email + password) a bcrypt-hashed password. These are held by Supabase Auth on the operator's Supabase project, encrypted at rest.
If you sign in with Google, mtool stores your Google email plus the unique Google user ID returned by Google's OAuth. No password is stored in that case.
2. Google account integration data
When you click "Connect Google" on a site, you authorize mtool to access your Google data via OAuth 2.0. The scopes requested are:
- webmasters.readonly: read-only access to your Google Search Console properties, clicks, impressions, top queries, and sitemap data.
- analytics.readonly: read-only access to your Google Analytics 4 properties, sessions, events, key events, and dimensions.
- adwords: the Google Ads API only offers one scope (no read-only variant). mtool only ever reads from this scope: Keyword Planner volume + competition, accessible customer IDs. mtool does NOT create, modify, or delete campaigns, ad groups, ads, or any other Ads entity. A code-level facade in lib/integrations/google-ads/client.ts enforces this by exposing only the read services.
- openid email: your Google email address.
mtool persists the OAuth refresh token in the operator's Supabase database, encrypted at rest with Supabase's project encryption key. The refresh token lets mtool re-derive short-lived access tokens for as long as you remain connected. You can revoke this access at any time at myaccount.google.com/permissions; revocation also invalidates any cached access token within minutes.
mtool does NOT request, store, or access: Gmail, Google Drive, Calendar, Contacts, Photos, YouTube, or any other Google service outside the scopes listed above.
3. Data mtool reads about your sites
For every site you add, mtool fetches the URL on a recurring schedule (sitemap walk + per-page HTTP fetch) to:
- Crawl your sitemap and discover URLs.
- Fetch each page's HTML to evaluate technical signals (status code, headers, robots tags, schema markup, headings, image alt attributes, etc.).
- Optionally fetch a page's content for LLM content-quality grading (Anthropic Claude), only when you explicitly trigger grading on a page or a bulk selection.
The crawler identifies itself as mtool-crawler/0.1 in the User-Agent header. It respects standard HTTP semantics; it does not bypass robots.txt restrictions, login walls, or paywalls.
4. AI / LLM grading
When you click "Grade this page" or run a bulk grade, mtool sends the main content of the page (HTML chrome stripped, max ~24,000 characters) plus the page URL and language to Anthropic's Claude API. Anthropic processes the content to score it 0-15 and return a short reason paragraph. Your content is not used to train Anthropic models per Anthropic's API terms.
mtool stores the LLM's grade, reason, model name, and a SHA-256 hash of the graded content in your operator's Supabase database. The grade is re-used (no second LLM call) for as long as the content hash matches the page's current content.
5. Sub-processors
mtool relies on the following service providers to operate:
- Supabase (database + auth, EU or US region depending on operator's project).
- Vercel (hosting + serverless functions, edge cache).
- Google Cloud (Search Console, Analytics, Ads, PageSpeed Insights APIs).
- Anthropic (Claude API, used only when you trigger LLM grading).
- Microsoft Bing Webmaster Tools (read-only Bing search analytics).
6. Retention and deletion
Your account data, OAuth tokens, site configuration, and scoring history are retained for as long as your account exists. If you delete your account or your operator deletes you from the org, all associated rows are deleted via cascade in the database.
To request deletion or export, contact the deployment operator (your team admin, or the person who shared mtool with you). For deployments under mtool.amer.ing, contact hola@rastrolab.com.
7. Cookies and tracking
mtool uses one functional cookie set by Supabase Auth (sb-*-auth-token) to keep you signed in. mtool does not use third-party analytics, advertising trackers, or any cookie that profiles you across sites.
8. GDPR and your rights
If you are in the EU, EEA, or UK, you have the right to access, correct, delete, or export your personal data, and to object to processing or restrict it. To exercise these rights, contact the deployment operator. mtool does not transfer your personal data outside the controller-chosen Supabase region.
9. Changes to this policy
We will update the "Last updated" date above when this policy changes materially. For non-material changes (typo fixes, wording clarification) the date may not change.