SiteAudit is built and operated by Next Level HTML. This page explains exactly what we collect when you use the auditor, how we use it, who has access to it, and what we will never do with it. Written in plain English on purpose.
Effective May 12, 2026 // Last updated May 12, 2026
// At a glance
The short version
We collect the URL you submit, your IP address, your browser user agent, and the audit results we generate. That's it.
Audit content (HTML, CSS, screenshots) is sent to AI providers solely to generate your findings. We list the providers below.
Audit records expire automatically: 24 hours for the raw capture, 30 days for shared report links.
We do not sell your data. Not anonymized. Not aggregated. Not ever.
We do not share your data for marketing or advertising. No ad-tech, no data brokers, no audience-modeling partners.
We do not log into your website. The auditor only sees what a public visitor sees.
01
Who we are
SiteAudit (the "Service") is operated by Next Level HTML, a web design and development agency based in Arlington, Texas, United States. We're the data controller for any information processed through audit.nextlevelhtml.com. When this policy says "we," "us," or "our," we mean Next Level HTML.
SiteAudit is a small team's product. Access to the live server, audit records, and any contact information you provide is restricted to the operator (the senior developer at Next Level HTML). No third-party staff have access to your data on our infrastructure.
02
What we collect
When you run an audit
The URL you submit. Required to run the audit.
Your IP address and browser user agent. Used for rate limiting and abuse prevention. Stored only as a salted HMAC hash in our rate-limit and abuse logs — we can compare an incoming request against past records, but we cannot recover the original IP from a stored hash.
The captured page itself. HTML, computed CSS, executed JavaScript, network resource list, and a full-page screenshot of the target URL at audit time.
The audit results we generate. Scores, findings, build-origin classification, performance measurements, and the AI-written explanations.
Action flags. Whether you generated a PDF, requested a quote, created a share link, emailed the report to yourself, or sent it to a developer.
When you contact us (quote requests, developer reports, share links)
Name, email address, optional phone number, optional message. Whatever you put in the form.
If you create a share link, the public report page stores text-only findings. Screenshots, raw HTML, and raw CSS are not stored in shared reports.
Automatically, while you use the site
Theme preference. Stored in your browser's localStorage, never sent to our server.
Analytics events. Page views and basic interaction events via Google Analytics. We do not store advertising identifiers.
In plain English
We collect what we need to run the audit and follow up if you ask us to. We don't collect personal details you didn't enter yourself.
03
How we use it
We use your data for these specific purposes, and nothing else:
To run the audit you requested. Capture, analyze, score, and produce the report.
To rate-limit and prevent abuse. Hashed IP records let us catch flooding or automated attacks.
To deliver the report. Email the PDF when you ask, generate the share link when you ask, build the contact-form payload when you send a quote request.
To follow up on your inquiry. If you contact us through a quote request or developer-report form, we reply to that inquiry. We do not add you to a marketing list.
To improve the auditor. Aggregate, non-identifying patterns (which build platforms are detected, which findings appear most often) help us tune the analysis. We never review individual audits for product development without explicit user invitation.
To meet legal obligations. If we receive a lawful subpoena, court order, or other valid legal process, we comply with what's required and nothing more.
Legal basis for processing (GDPR). Where applicable, we rely on legitimate interest (running the service you requested, preventing fraud and abuse), contract (delivering reports you asked for), and consent (analytics cookies, which you can opt out of via your browser).
04
Who has access
We use a small set of trusted infrastructure and AI providers to operate the service. Every provider listed below has a published privacy policy and standard data-processing terms. We do not share data with anyone outside this list, and we do not use any data broker, ad network, or audience-modeling partner.
Provider
What it sees
Why
Anthropic / OpenAI
The captured page content (HTML, CSS, screenshot context, structural facts) and the prompt to analyze it
To generate the AI-written explanations attached to each finding. Provider terms prohibit them from training models on our API requests.
SendGrid (Twilio)
Your email address and the report content, when you ask us to email it
Transactional email delivery only.
Cloudflare
Your IP, user agent, and the basic request envelope for any page load
DDoS protection, TLS termination, edge caching.
Google Analytics
Page views and anonymized interaction events
Understanding which parts of the auditor get used and where the experience breaks.
Our hosting provider
Encrypted server storage of audit records and logs
Running the application server itself.
In plain English
The captured webpage goes to the AI provider to generate the report text. Your email goes to SendGrid if you ask us to email you a copy. That's it. No one buys, rents, or borrows data from us.
05
What we never do
This list is exhaustive of common practices we explicitly reject:
✗We never sell your data. Not anonymized, not aggregated, not in any form.
✗We never share your data with advertising partners, audience-modeling firms, or data brokers.
✗We never use audit content to train AI models, ours or anyone else's.
✗We never add you to a marketing list because you ran an audit.
✗We never log into the website you audit. We only see what a public visitor sees.
✗We never read individual audit reports for fun or curiosity. Operations work only.
✗We never store your raw IP address. Only one-way salted hashes for rate limiting.
✗We never collect credit card information. SiteAudit is free.
06
How long we keep it
Different data has different lifespans. The Service is designed to expire records automatically rather than accumulate them indefinitely:
Raw audit captures (HTML, CSS, screenshots): purged 24 hours after the audit completes.
Shared report links (text-only): purged 30 days after creation.
Audit activity records (URLs, hashed IPs, action flags): follow the same 30-day window.
Rate-limit hash records: rolling 30 days.
Contact form submissions (quote requests, developer-report emails): retained as long as needed to respond to your inquiry and conduct any follow-up business, then deleted on request or after 24 months of inactivity.
Analytics data: retained according to Google Analytics' standard 14-month default, which we have not extended.
Backups: server backups may contain copies of recently-purged records for up to 30 additional days before they roll off.
07
How we protect it
SiteAudit was built with security as a first-class concern, not an afterthought:
Encrypted in transit. HTTPS-only with HSTS. All API calls and audit submissions use TLS.
Hashed identifiers. IP addresses in logs and rate-limit stores are HMAC-hashed with a server-side secret, not stored raw.
SSRF protection. Pre-DNS URL validation, in-browser request interception, and post-navigation redirect re-validation. The auditor cannot be tricked into scanning internal IPs, localhost, or cloud metadata endpoints.
Restricted file permissions. Application secrets live outside the app directory in a root-owned file readable only by the service account. Operational JSON stores are 600-mode (owner read/write only).
Server-authoritative records. Shared reports and PDFs are built from the server-side audit record, not from browser-submitted data. Tampering with the browser doesn't affect what other people see.
Restricted-content screening. Sites that appear to contain restricted content (adult content, illegal activity, drugs, etc.) are blocked from the automated public auditor at both the domain and content layer.
Locked JSON writes. Concurrent writes to file-backed stores are serialized to prevent corruption.
Automatic expiration. Cache cleanup runs on startup and hourly, pruning expired audit records and shared reports.
No security program is perfect. If you discover a vulnerability, please report it to the contact address below rather than disclosing publicly. We'll respond promptly and credit you if you'd like.
08
Your rights
Depending on where you live, you have specific rights regarding your personal data. We honor these rights for every user regardless of jurisdiction:
Right to access. Ask us what data we have about you, and we'll tell you.
Right to deletion. Ask us to delete it, and we will (subject to legal-retention requirements, which are rare for our type of service).
Right to rectification. Ask us to correct anything inaccurate.
Right to portability. Get a copy of your data in a structured format.
Right to object. Object to specific kinds of processing.
Right to withdraw consent. Where we rely on consent (analytics cookies), you can withdraw it at any time via your browser settings.
Right to non-discrimination. We won't degrade the Service or charge you differently because you exercised any of the rights above.
For California residents specifically (CCPA/CPRA), the rights above include the right to opt out of "sale" and "sharing" of personal information. As noted, we do not sell or share personal information in any form, so there's nothing to opt out of — but you can confirm this with us at any time using the contact below.
To exercise any right, email the contact address below. We respond within 30 days.
09
Cookies & analytics
We use a minimal set of browser storage. Specifically:
Theme preference (localStorage, key siteaudit-theme): remembers whether you've chosen dark or light mode. Never sent to our server.
Session cookie (HttpOnly, Secure, SameSite=Lax): keeps your audit context coherent within a single visit. Expires when you close the browser tab or after 24 hours of inactivity.
Google Analytics cookies (_ga, _ga_*): page-view analytics. You can block these via your browser's cookie controls or a tracker-blocking extension without losing any audit functionality.
We do not set advertising cookies, retargeting pixels, or social-platform tracking pixels.
10
Children
SiteAudit is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has submitted information to us, contact us and we'll delete it.
11
International transfers
SiteAudit is operated from the United States. If you use the Service from outside the U.S., your data will be transferred to and processed in the U.S. By using the Service, you consent to this transfer.
For users in the European Economic Area, the United Kingdom, or other jurisdictions with cross-border data-transfer requirements: where our third-party processors are based outside your jurisdiction, they have published Standard Contractual Clauses or equivalent transfer mechanisms covering data they receive from us.
12
Changes to this policy
We may update this policy when the underlying practices change. The "Last updated" date at the top of this page always reflects the most recent version. Material changes (new third parties, new categories of data collected, new retention windows) will be highlighted at the top of this page for at least 30 days before taking effect. Trivial changes (typo fixes, clarifications) may be made without notice.
13
Contact
For any privacy question, data-rights request, security disclosure, or general policy inquiry:
We aim to respond to all requests within five business days, and complete data-rights requests within 30 days of receipt.
This policy describes Next Level HTML's actual data practices for SiteAudit. It is not legal advice. If you have specific concerns about how your data is handled in your jurisdiction, contact us using the address above.