Privacy policy
Last updated: 13 July 2026.
Who we are
Webvigor is the trading name of Peter Trevelyan-Johnson, a sole trader based in the United Kingdom. For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), Peter Trevelyan-Johnson trading as Webvigor is the data controller for the personal data described on this page.
What we collect
When you submit a website for a Webvigor audit, we record:
- The URL you submitted and your email address (kept until you delete the audit; see retention).
- A salted hash of your IP address — we never store your IP address in plain form.
- Your browser's user-agent string.
- The audit results themselves: pillar scores, screenshots of your homepage, and structured findings.
We do not collect cookies for analytics. We do not sell or share your data with advertisers. The crawler that fetches your site identifies itself as NovaInsightAudit/2.0 (our audit-infrastructure provider — see sub-processors below) and respects a polite 1-second delay between requests.
How we use it
Your audit data is used to produce the report at /a/<slug> that we email you. Aggregated, de-identified metrics may be used internally to improve the scoring rubric and recommendation library; never published with your URL or email attached.
PII redaction in screenshots
Every screenshot the audit captures runs through an automated PII-redaction pass before storage: email addresses, phone numbers, national IDs, credit card numbers, and authentication-looking strings get blacked out. Authentication-bearing requests (Cookie, Authorization headers, query-string tokens) are stripped from network traces before anything is persisted.
What we won't crawl
The audit will not capture:
- Anything inside
/admin,/wp-admin,/portal,/account,/dashboard, or/my-accountpaths (unless your consultant has explicitly provided test credentials for a paid audit). - Anything served with
Cache-Control: private. - Anything behind a payment-form URL (
/checkout,/cart/checkout,/pay). - Anything inside iframes whose origin is a known third-party PII vendor (Stripe, PayPal).
Retention
Three retention classes apply:
- Free-tool audits: 90 days for the audit row + report, 30 days for screenshots. Hard-deleted nightly thereafter.
- Paid audits: 24 months for everything by default.
- Active monitoring or fix engagements: duration of contract + 24 months.
You can request earlier deletion through the data-subject-rights form below.
Where your data lives, and our sub-processors
Webvigor runs on shared audit infrastructure operated by Nova Insight. Your data is stored and processed by the following sub-processors, each under a data-processing agreement:
- Nova Insight — audit engine and report generation (the platform this service runs on).
- Supabase — database and file storage. Data is hosted in Supabase's cloud region, which is outside the UK; transfers rely on Standard Contractual Clauses.
- Vercel — website hosting and delivery.
- ZeptoMail (Zoho) — transactional email delivery.
- Stripe — card payments. We never see or store your card number.
- Anthropic, OpenAI, Google — AI analysis used in producing audit findings, running in the United States. LLM prompts include audit evidence but never your email address, name, or other intake-form fields; screenshots are sent only after the redaction pass; network traces are summarised to counts, and raw bodies never reach an AI model.
Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum cover each cross-border transfer above.
Your rights
Under the UK GDPR and the Data Protection Act 2018 you can request:
- Access: a copy of all data we hold referencing you or your email.
- Deletion: immediate hard-delete of all rows referencing you, ahead of the standard retention schedule.
- Rectification: correction of inaccurate data.
Submit a data-subject-rights request via /privacy/request. We acknowledge within 7 days and respond fully within 30 days. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
Contact
Questions about this policy: hello@webvigor.co.uk.
Records of every data-subject-rights request are retained for 6 years, per statutory record-keeping requirements.
