Position4
Back to home

Privacy Policy

Last updated: 21 June 2026

Position4 ("we", "us") helps you turn Google Search Console data into a prioritized weekly SEO todo list. This policy explains what we collect, why, and what your rights are.

1. What we collect

  • Account data: the email address you use to sign in (and a hashed identifier from your auth provider). No password is stored.
  • Search Console connection: after you click Connect GSCand grant consent, we store the OAuth tokens (access & refresh) Google issues to us so we can read your Search Console data on your behalf. Scope: webmasters.readonly — read-only.
  • GSC snapshots: the pages, queries and aggregated stats we pull from your Search Console property, refreshed weekly and cached in our database to display your dashboard.
  • Task state:which Position4 todos you've marked as done and when.

2. What we don't collect

  • We do not collect, store or sell visitor data from your website.
  • We do not access any Google service other than Search Console (read-only).
  • We do not share your data with advertisers or third-party data brokers.

3. Why we collect it

Strictly to run the product: render your dashboard, generate your weekly todos, and email you when the list is ready. Aggregated, anonymous metrics may be used to improve the product (e.g. error monitoring, usage funnels).

4. Sub-processors

  • Vercel(United States) — hosting & serverless compute.
  • Supabase (United States / EU) — authentication and database.
  • Google (United States) — Search Console API (source of your SEO data).

5. Your rights

You can at any time, from your Settings page:

  • Disconnect Google Search Console — we delete your tokens and cached snapshots.
  • Delete your account — we permanently remove your account and all associated data.

For other GDPR/CCPA requests (export, rectification, restriction): email hello@position4.comand we'll respond within 30 days.

6. Cookies

We use first-party cookies strictly necessary for authentication (session cookie set by Supabase). We do not use marketing or tracking cookies on the marketing site.

7. Retention

We keep your account & snapshots as long as your account is active. After deletion, backups are purged within 30 days. Anonymized aggregate metrics may be retained indefinitely.

8. Security

Data in transit is encrypted (HTTPS). Data at rest is encrypted by our infrastructure providers. Access to OAuth tokens is restricted to the server processes that need them.

9. Changes

We'll update this page if the policy changes. Material changes will be notified by email at least 14 days before they take effect.

10. Contact

hello@position4.com