Effective May 22, 2026 · Version v2-2026-05-22 · Terms of Service · Data Processing Addendum
SitePath is a research platform, not a data broker. We do not sell, license, syndicate, or publish what you research on the Platform. Specifically:
If we ever materially change any of the above commitments, we will update this Policy, give active subscribers at least thirty (30) days' email notice, and require an explicit "Accept" before the change applies to your account.
SitePath Intelligence ("SitePath", "we", "us", "our") operates sitepathintel.com and the related research platform (collectively, the "Platform"). This Privacy Policy ("Policy") explains how we collect, use, share, and protect personal data when you visit our website, create an account, subscribe to a paid plan, or otherwise interact with the Platform.
For purposes of the EU General Data Protection Regulation ("GDPR") and the UK GDPR, SitePath acts as a controller of the personal data described in this Policy. To the extent SitePath processes personal data on behalf of a business customer (for example, account records you upload as part of an Enterprise subscription), SitePath acts as a processor, and that processing is governed by the Data Processing Addendum.
For purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), SitePath is a business and, where applicable, a service provider to its customers.
We collect the categories of personal data described below. We collect data directly from you, automatically as you use the Platform, and (in limited cases) from third parties such as our payment processor.
We do not knowingly collect biometric identifiers, government identification numbers, precise geolocation, financial-account numbers, health data, or special-category data under GDPR Article 9 (race, religion, political views, sexual orientation, etc.). Do not submit such data to the Platform.
We use personal data for the following purposes:
We do not use personal data for cross-context behavioral advertising, do not sell personal data, and do not share it with third parties for their own marketing.
If you are in the European Economic Area, the United Kingdom, or Switzerland, the legal bases on which we rely under Article 6 of the GDPR (and the equivalent UK provisions) are:
We retain personal data only as long as necessary for the purposes for which it was collected, plus any period required by applicable law. The principal retention windows are:
| Category | Retention |
|---|---|
| Account data | While the account is active, then 90 days after deletion. After 90 days only minimal records required for legal compliance are kept. |
| Subscription & payment records | 7 years from the last transaction (tax, accounting, and anti-fraud obligations). |
| Usage logs (per-IP rate limits, security events) | Per-IP rate-limit counters: in-memory only, expire within the current rolling window (typically < 1 hour). Security event logs: 90 days. |
| Watchlists, comparisons, exported reports | While the account is active and you keep them. Deleted from our systems within 30 days of account deletion or when you remove them. |
| Support correspondence | 3 years from the last message, then deleted unless retained for an active legal matter. |
| Optional analytics (GA4, Clarity) | Configured to the provider's default retention (typically 14 months for GA4, 30 days for Clarity session data). |
After the applicable retention period expires, we delete or irreversibly anonymize the data, except where continued retention is required by law.
We share personal data only as needed to operate the Platform, comply with law, or with your consent. The recipients are:
| Recipient | Purpose | Data shared |
|---|---|---|
| Netlify, Inc. (US) | Web hosting, serverless functions, and Netlify Identity (account + JWT issuance). | Account data, usage logs, IP address. |
| Stripe, Inc. (US) | Payment processing and subscription billing. | Email, customer ID, subscription ID, payment metadata. Card numbers never reach us. |
| Resend (US) | Transactional email delivery (sign-in, confirmation, billing, digest, password reset). | Email address and message content of the specific transactional email being sent. |
| Anthropic PBC (US) | AI brief generation for Enterprise users only. Prompts contain county research data; they do not include your account identity. | County research fields included in the prompt. Anthropic processes the prompt under its zero-retention API terms — see the DPA. |
| OpenStreetMap & Nominatim (UK/DE) | Map tiles and address geocoding for searches you initiate. | The search query and IP address required to deliver the response. |
| Google Analytics 4 (US/Ireland) | Optional aggregate usage analytics. Loaded only after consent. | Pseudonymized usage events; IP anonymization is enabled. |
| Microsoft Clarity (US) | Optional behavioral analytics (heatmaps, anonymized session replays). Loaded only after consent. | Pseudonymized usage events with input fields masked. |
| Legal and regulatory authorities | When required by valid legal process or to protect rights, property, or safety. | Only what is strictly necessary to respond. |
| Acquirer or successor | In connection with a merger, acquisition, or sale of assets, subject to this Policy. | Account and subscription data necessary to continue the service. |
We do not share personal data with advertising networks, lead-generation firms, or any party for cross-context behavioral advertising. The full sub-processor list, with addresses and contact emails for data-protection inquiries, is maintained in the DPA, Schedule 3.
SitePath is based in the United States. Personal data is stored and processed primarily in the United States. If you access the Platform from outside the United States, your data is transferred to and processed in the United States, and may also be processed in any country where our sub-processors operate.
Where we transfer personal data from the EEA, the UK, or Switzerland to the United States or another third country, we rely on one or more of the following safeguards:
You may request a copy of the relevant transfer mechanism by emailing Support@sitepathintel.com.
We use two categories of cookies and similar technologies:
These are required for the Platform to function — authentication session cookies, the GoTrue JWT, security tokens (CSRF), and consent preferences. They cannot be disabled while you are signed in.
These are loaded only after you accept analytics cookies in the consent banner. They include cookies set by Google Analytics 4 and Microsoft Clarity. You may withdraw consent at any time by clicking "Essential only" in the cookie banner (which reappears after clearing your local storage) or by emailing Support@sitepathintel.com.
We do not use cookies for cross-context behavioral advertising and do not allow third parties to set advertising identifiers on our domain.
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data:
To exercise these rights, email Support@sitepathintel.com. We respond within thirty (30) days (extendable by an additional sixty (60) days for complex requests, with notice). We may need to verify your identity before acting on a request.
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
Identifiers (email, account ID, IP address); commercial information (subscription and payment records); internet activity (usage data); inferences (account-state inferences for security and rate-limiting). We do not collect biometric, geolocation, or sensitive personal information beyond IP-derived approximate location.
Email Support@sitepathintel.com with the subject line "California Privacy Request". We respond within forty-five (45) days. You may designate an authorized agent to submit a request on your behalf with proof of authorization.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comparable laws have rights to access, correct, delete, and (where applicable) appeal denials. We honor these rights on the same timeline as the corresponding California rights. To exercise any state right, email Support@sitepathintel.com with the subject line "Privacy Request" and identify your state of residence.
We honor the Global Privacy Control (GPC) signal as a request to opt out of sale or sharing under U.S. state privacy laws. Because we do not sell or share personal information for cross-context behavioral advertising in the first place, the practical effect is that we treat the signal as a confirmation of your existing protections.
We do not separately respond to traditional Do Not Track headers because no industry standard for their interpretation exists; the GPC signal supersedes it.
We send transactional emails (sign-in confirmation, billing receipts, security alerts, password resets, watchlist digests you have opted into) as part of providing the service. You cannot opt out of strictly transactional messages while your account is active.
If we ever send promotional or marketing emails, they will include a one-click unsubscribe link. You can also email Support@sitepathintel.com with the subject "Unsubscribe" to opt out of all promotional communications.
The Platform is intended for business and professional use by individuals 18 years of age or older. We do not knowingly collect personal data from children under 18, and the Platform is not directed to children. If we become aware that we have collected personal data from a child under 18, we will delete it. If you believe a child has provided personal data to us, please contact Support@sitepathintel.com.
We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, and destruction. These measures include:
A more detailed description of the technical and organizational measures we apply when processing personal data on behalf of business customers is in Schedule 2 of the DPA.
If you become aware of a security issue, please report it to Support@sitepathintel.com. We acknowledge security reports within two business days.
SitePath does not make decisions about you that produce legal effects or similarly significant effects through automated means.
Enterprise subscribers can request an "AI brief" — a generated summary of a county's research data. Generation works as follows: we send the relevant county research fields, with no account identifiers, to Anthropic's API for the purpose of producing the brief; Anthropic processes the prompt under its zero-retention API terms and does not use it to train models; the response is returned to you and is not retained by SitePath beyond your own session. You are not the subject of profiling.
We may update this Policy from time to time. The effective date and version string above will be updated. For material changes — for example, changes to the categories of personal data we collect or how we use them — we will notify active subscribers by email at least thirty (30) days before the change takes effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.
For privacy questions, to exercise any right described above, or to send a complaint or breach report:
EEA / UK residents have the right to lodge a complaint with their local data-protection authority. We encourage you to contact us first so we can try to resolve any issue directly.