Privacy Policy

Who this policy covers

• Visitors to websitetherapy.com (our marketing site).
• Practice owners who sign up for an account, connect tools, and publish a website on the platform.
• People who chat with our marketing site assistant.

This policy does not cover visitors to individual practice websites built on WebsiteTherapy. Each practice publishes its own privacy policy, which governs that practice's relationship with its clients.

What we collect

Account information

Your name, email, practice name, and billing details. Payment card numbers are handled by Stripe — we don't see or store them.

Site content

The content you create for your practice site — bios, service pages, blog posts, photos you upload. You own this content; we store it in GitHub and Supabase so we can serve your site.

Data from connected Google services

When you connect Google Search Console or Google Analytics, we receive a refresh token from Google's OAuth flow plus the read-only data your account exposes (search queries on your domain, traffic metrics on your properties). We never receive your Google password. See the Google API Services section below for specifics.

Chat transcripts

Transcripts of conversations with our marketing site assistant and your admin chat. We use these to improve the assistants and to give you a history you can refer back to.

Usage data

Standard server logs (IP address, browser type, requested URL, timestamp) for debugging, security, and abuse prevention.

Google API Services — Limited Use disclosure

WebsiteTherapy's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Scopes practice owners grant from their own Google accounts

• https://www.googleapis.com/auth/webmasters.readonly (Search Console). Used to retrieve the queries, impressions, clicks, and ranking positions for your own verified Search Console properties. The data is displayed in your admin chat and used to drive autonomous SEO recommendations for your site.
• https://www.googleapis.com/auth/analytics.readonly (Analytics). Used to retrieve session, traffic-source, and conversion metrics from the GA4 properties you grant access to. The data is displayed in your admin chat to help you understand how visitors find and use your site.

Scopes only the WebsiteTherapy operations account grants

These scopes are authorized one time from a single internal WebsiteTherapy operations Google account. Practice owners never see them, never grant them, and the platform never touches a practice owner's Drive or Docs.

• https://www.googleapis.com/auth/drive.file (Drive, per-file). Used to create blog post draft documents in the operations account's Drive and share them with the relevant practice owner for review. This scope is limited to files the platform itself creates — it cannot read, modify, or even see any other file in the operations account's Drive.
• https://www.googleapis.com/auth/documents (Google Docs). Used alongside Drive to write formatted content (headings, paragraphs, links, lists) into the blog draft documents the platform creates. Same single-account model — only the operations account ever grants this scope.

What we do not do:

• We do not write data back to Google.
• We do not share your Google data with any third party other than the subprocessors listed below, and only as needed to store or display it to you.
• We do not use your Google data for advertising, do not sell it, and do not allow humans outside WebsiteTherapy to read it.
• We do not use your Google data to train AI models.

You can revoke our access at any time from your Google Account permissions page or by asking your admin chat to disconnect the integration. When you revoke or disconnect, we delete the associated refresh token within 30 days and stop pulling new data immediately.

How we use information

• Operate the platform — publish your site, serve your visitor chat, send the newsletters or social posts you schedule.
• Generate the autonomous SEO and content recommendations that are the core of our product.
• Bill you accurately and prevent fraud.
• Send service emails about your account, billing, and security.
• Send occasional product updates by email. You can opt out from the footer of any of those emails — we'll still send transactional ones.

Subprocessors

We use a small set of infrastructure providers. Each one receives only the data needed for the specific function they perform.

We do not sell your data to anyone, ever.

How long we keep things

• Account data: for the life of your account plus 90 days after cancellation, then deleted.
• Site content: for the life of your account. On cancellation you can request an export of everything you've published.
• Google API data: only while the integration is active. Disconnect or cancel and we delete the refresh token and cached metrics within 30 days.
• Chat transcripts: 12 months.
• Server logs: 30 days.

Your rights

• Access — ask us what we have on you.
• Correction — ask us to fix anything wrong.
• Deletion — ask us to delete your account. We'll honor it within 30 days unless we have a legal obligation to retain something specific (for example, tax records for prior billing).
• Integration disconnect — revoke any connected service (Google, Stripe, etc.) from your admin chat at any time.

To exercise any of these, email hello@websitetherapy.com.

Children

WebsiteTherapy is built for licensed therapists and is not directed to children under 16. We don't knowingly collect information from children.

Changes to this policy

We'll post any changes on this page with a new “last updated” date. Material changes get a separate email to all active accounts.

Contact

Questions about this policy or your data: hello@websitetherapy.com.

Read our Terms of Service →