Privacy policy

Who we are

SpeedAudit is operated by Novator Technologies (SMC-Private) Limited, a single-member private limited company registered in Karachi, Pakistan. When you use SpeedAudit you're entering a relationship with Novator Technologies. You can reach us at privacy@novator.co.

What we collect

SpeedAudit doesn't have user accounts, so there's no signup form to ask for your name or email. What we do collect, narrowly:

• Lighthouse audit results. Every time someone runs a Lighthouse audit, we store the URL audited, the device type (mobile/desktop), the resulting Lighthouse scores, the lab and field performance metrics, the originating IP address, and a timestamp. This is what powers the History page.
• Edge-cached responses. Results from the other tools (DNS lookup, SPF check, WHOIS, etc.) are cached at Cloudflare's edge for between 30 seconds and 24 hours depending on the tool, keyed on the query. The cache isn't tied to your identity; it's how we keep things fast and stay under our API credit limits.
• Rate-limit counters. To prevent abuse, we track per-IP request counts in a Cloudflare KV store with a one-hour rolling window. These counters are not tied to any account and expire automatically.

What we send to third parties (the big one)

This is the most important disclosure in this document. SpeedAudit is largely an interface onto upstream services — meaning the queries you make get forwarded to other organizations. By using each tool, you're providing the query data to that upstream:

• Lighthouse audit — the URL you audit is sent to Google PageSpeed Insights
• WHOIS & IP geolocation — the domain or IP you query is sent to WhoisXML API
• SSL check — the domain is sent to SSLMate Cert Spotter
• DNS lookup & propagation — the domain is sent to one or more public DNS-over-HTTPS resolvers: Cloudflare, Google, Quad9, AdGuard, NextDNS, OpenDNS
• Blacklist check — the IP is queried against six DNSBLs (SpamCop, SORBS, CBL, Mailspike, PSBL, s5h.net) via reverse-IP DNS lookups
• Security headers — we issue an HTTP GET to the URL you submit, which means the target web server sees a request from SpeedAudit's IP in its access logs
• IP geolocation map — when results render in your browser, map tiles are loaded from OpenStreetMap, which receives your browser's IP

None of these providers know who you are (we don't share your IP), but they do see the query content. Each provider has its own privacy practices, linked above.

What we don't collect

• Account information. There are no accounts, so we don't collect names, emails, or passwords.
• Payment information. SpeedAudit is currently free. When and if we introduce a paid tier, payment will be processed by a PCI-compliant provider (such as Stripe), and we won't see your card details.
• Third-party analytics. No Google Analytics, no Facebook Pixel, no Mixpanel, no Hotjar, no Segment. Nothing.
• Advertising or tracking cookies. We don't run ads and we don't set tracking cookies.
• Cross-site tracking. We don't share data with marketing platforms and we don't participate in identity-graph services.

Server logs

SpeedAudit runs on Cloudflare Workers. Cloudflare collects standard server-side request logs (IP address, request path, response status, timestamp) for the purpose of operating the service and detecting abuse. We do not enrich these logs, correlate them with the audit-history database, or use them for advertising or profiling.

We do not use Google Analytics, Facebook Pixel, Mixpanel, Hotjar, Segment, or any other third-party analytics product. We may eventually enable Cloudflare Web Analytics (Cloudflare's privacy-respecting, cookieless aggregate stats) to understand traffic patterns; if we do, this page will be updated and the analytics will set no tracking cookies.

Audit history and your IP

The Lighthouse audit tool stores results in our database with the originating IP address attached. The History page filters audits to the IP you're currently visiting from, so you see your own past audits and not anyone else's.

This means: if you audit URLs from one IP (home Wi-Fi) and then visit History from a different IP (mobile data, office network, VPN), you'll see a different history. We don't try to stitch these together, and we can't, because we don't have any other identifier for you.

Audit rows are retained indefinitely by default so that re-running an audit returns instantly from cache instead of burning a Google PageSpeed Insights quota. We may introduce a retention limit (e.g. 90 days) in the future; if we do, this page will be updated.

Deleting your data

To delete audit history rows associated with your IP address, email privacy@novator.co from any email address (we don't have one tied to your IP). Mention the IP and we'll delete the matching rows within 30 days. The IP itself shows up in our server logs separately; those follow Cloudflare's retention policy, which we don't control.

For the other tools (DNS, WHOIS, SSL, etc.) there is nothing to delete on our side — the edge-cached responses expire automatically within 24 hours and are not tied to your IP.

Children

SpeedAudit is not directed at children. The product is for site owners, developers, and IT professionals. We don't knowingly collect information from anyone under 13.

Where data lives

Our database is hosted in Cloudflare's network (the D1 database is currently in the EU West region). Edge cache entries live wherever Cloudflare's nearest data center to you is. Pakistan does not currently have a comprehensive data-protection law equivalent to GDPR, but we treat all user data as if it were covered by GDPR's principles: minimal collection, purpose limitation, right of access, right of erasure.

Changes to this policy

If we make material changes — for example, if we add a feature that involves processing new categories of data — we'll update the "Last updated" date at the top. The current version always lives at speedaudit.org/privacy.html.

Contact

Questions about this policy, requests to access or delete data, or any other privacy concern: privacy@novator.co.