Privacy Policy
Effective Date: 10 February 2026
Last Updated: 20 February 2026
DiscoverWorthy ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform ("Service").
This policy applies to all users of the Service, regardless of location. Additional jurisdiction-specific disclosures may apply—see our UK GDPR Data Processing Addendum, CCPA/CPRA Privacy Notice, US State Privacy Addendum, and AU Privacy Collection Notice for details.
1. Data Controller
DiscoverWorthy is the data controller responsible for your personal information.
- Email: dpo@discoverworthy.com
- Address: 140 Keller Road, ESSENDON NORTH, VIC 3041
2. Information We Collect
2.1. Information You Provide Directly
| Data | When Collected | Purpose |
|---|---|---|
| Email address | Account registration | Authentication, communications |
| Full name | Profile setup (optional) | Display name, attribution |
| Organization name and type | Organization creation | Workspace identification |
| Website domain | Organization setup | Blog publishing, crawler |
| Billing email | Subscription setup | Invoice delivery |
| Blog post content | Content creation | Publishing, AI processing |
| Brand voice guidelines | Brand settings | AI content tone matching |
| Products/services information | Organization settings | AI content context |
| Team member details (name, role, specialties, email, photo) | Team setup | Author attribution, AI matching |
| Customer story data (name, email, company, project, conversation) | Story submission | Case study generation |
| Referral data (name, email, title, company, LinkedIn, photo) | Referral submission | Profile recommendations |
| Competitor names (blocklist) | "Never Mention" settings | AI content filtering |
2.2. Information Collected Automatically
| Data | How Collected | Purpose |
|---|---|---|
| IP address | Server logs | Security, geographic location |
| User agent string | HTTP headers | Device/browser identification |
| Session tokens | Authentication cookie | Session management |
| Page views (path, title, referrer, UTM params) | Analytics tracking | Usage analytics |
| Device info (type, browser, OS, screen size) | Analytics tracking | Usage analytics |
| Geographic location (country, region) | IP-based lookup | Analytics, regional pricing |
2.3. Information from Third Parties
| Source | Data | Purpose |
|---|---|---|
| Stripe | Card last 4 digits, brand, expiry | Payment display |
| Brave Search | SERP keyword rankings | Keyword tracking |
2.3.1. Google Search Console
When you connect Google Search Console, we access the following data using the webmasters.readonly scope (read-only—we do not modify your Search Console settings):
| Data | Purpose |
|---|---|
| Site URLs and permission levels | Identify which sites you can connect |
| Search queries driving traffic to your site | SEO analytics and content optimization |
| Page-level click and impression data | Blog performance analysis |
| Click-through rate (CTR) and average position | Keyword opportunity identification |
| Device breakdown (desktop, mobile, tablet) | Audience analytics |
| Daily search performance time series | Trend analysis |
2.3.2. Google Business Profile
When you connect Google Business Profile, we access the following data using the business.manage scope:
Data we read:
| Data | Purpose |
|---|---|
| Account ID, name, and type | Identify which business accounts you manage |
| Location details (business name, address, phone, website, category, hours) | Display your business information |
| Google Maps URI and Place ID | Link to your Google listing, enable review request campaigns |
| Customer reviews (reviewer name, profile photo, star rating, comment, timestamps) | Review management and response |
| Existing review replies | Display reply history |
| Local posts (content, type, media, call-to-action, status) | Post management |
| Performance metrics (search and Maps impressions, direction requests, phone call clicks, website clicks) | Business performance analytics |
| Search keyword impressions | Understand how customers find your business |
Data we write:
| Action | Purpose |
|---|---|
| Post replies to customer reviews | Help you respond to reviews (with your approval) |
| Delete review replies | Allow you to remove replies |
| Create local posts (text, media, events, offers) | Help you publish updates to your Google listing |
| Delete local posts | Allow you to remove posts |
We do not:
- Modify your business information (name, address, phone, hours, etc.)
- Delete or modify customer reviews themselves
- Access your Google Ads data
- Access data from any Google service beyond Search Console and Business Profile
3. How We Use Your Information
We use your personal information for the following purposes:
- Service delivery: Account management, content generation, blog publishing
- AI content generation: Your content, brand voice, team info, and customer data are sent to Azure OpenAI (GPT-4o) to generate blog posts, social posts, case studies, and other content
- Cover photo generation: Blog titles and keywords are sent to Azure DALL-E 3
- Google Business Profile management: Displaying your reviews, publishing posts, and showing performance insights within our dashboard
- SEO analytics: Combining Google Search Console data with our content tools to identify keyword opportunities and track blog performance
- Payment processing: Subscription billing via Stripe
- Communications: Account verification, billing notifications, feature updates, story invitations, reminders
- Analytics: Understanding how the Service is used to improve it
- Security: Fraud prevention, rate limiting, abuse detection
- Legal compliance: Tax records, responding to legal requests
4. Legal Basis for Processing (UK/EU Users)
| Legal Basis | Processing Activities |
|---|---|
| Contract (Art. 6(1)(b)) | Account management, billing, service delivery, AI content generation |
| Legitimate Interest (Art. 6(1)(f)) | Analytics, security, product improvement |
| Consent (Art. 6(1)(a)) | Customer stories, referrals, marketing emails, Google integrations |
| Legal Obligation (Art. 6(1)(c)) | Tax records, fraud prevention |
5. Who We Share Your Data With
We share personal information with the following categories of service providers:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Azure OpenAI (GPT-4o) | AI content generation | Blog content, customer names, conversation transcripts, brand voice data, team info | United States |
| Azure DALL-E 3 | Cover photo generation | Blog titles, keywords, excerpts | United States |
| Stripe | Payment processing | Email, payment method details | United States |
| Stripe Connect | Freelancer payouts | Bank details (handled by Stripe) | United States |
| Google Search Console API | SEO analytics | OAuth tokens; we receive search queries, clicks, impressions, and page performance data | United States |
| Google Business Profile API | Review and post management | OAuth tokens; we receive reviews, business info, performance metrics, and search keywords; we send review replies and local posts on your behalf | United States |
| Brave Search | SERP keyword tracking | Keywords, locale | United States |
| Twilio | SMS delivery (team OTP) | Phone numbers | United States |
| Azure Communication Services | Email delivery | Email addresses, message content | United States |
| Azure SQL Database | Data storage | All data (encrypted at rest via TDE) | Australia East |
Important: Customer names, company names, and full conversation transcripts are sent to Azure OpenAI without anonymization for content generation purposes. Azure OpenAI processes data under Microsoft's data protection terms and does not use customer data for model training.
We do not sell your personal information to third parties.
6. Cookies and Tracking
We use a single authentication cookie and a self-hosted analytics system. See our Cookie & Tracking Policy for full details.
- Session cookie (session_token): httpOnly, secure, SameSite=lax, 30-day expiry. Required for authentication.
- Analytics: Self-hosted, privacy-focused. Uses hashed daily visitor IDs (reset each day—no cross-day tracking). No third-party tracking cookies (no Google Analytics, no Facebook Pixel).
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Blog content | Until deleted by user or account closure |
| Billing records | 7 years (legal/tax requirement) |
| Analytics data | 24 months, then aggregated |
| Session tokens | 30 days from creation |
| Customer story transcripts | Until story is deleted by org owner |
| Google OAuth tokens | Until integration is disconnected |
| Google Business Profile data (reviews, posts, metrics) | Refreshed on each sync; not retained after integration is disconnected |
| Google Search Console data | Refreshed on each sync; not retained after integration is disconnected |
| AI-generated content | Until deleted by user |
8. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interest
- Restriction: Request restricted processing in certain circumstances
- Withdraw Consent: Where processing is based on consent, withdraw it at any time
To exercise your rights, contact us at dpo@discoverworthy.com. We will respond within 30 days (or as required by applicable law).
9. Google API Services - Limited Use Disclosure
DiscoverWorthy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google data to provide and improve user-facing features that are visible to you in our dashboard.
- We do not transfer Google data to third parties except as necessary to provide the Service (e.g., displaying your data in our interface), as required by law, or with your explicit consent.
- We do not use Google data for serving advertisements.
- We do not allow humans to read your Google data unless: (a) we have your explicit consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
10. International Data Transfers
Your data may be transferred to and processed in the United States, where our primary service providers are located. We implement appropriate safeguards for international transfers:
- UK/EU Users: Standard Contractual Clauses (SCCs) or adequacy decisions
- Australian Users: Reasonable steps to ensure overseas recipients comply with the Australian Privacy Principles (see AU Privacy Collection Notice)
11. Data Security
We implement appropriate technical and organizational measures to protect your information:
- Encryption at rest (Azure SQL Transparent Data Encryption)
- Encryption in transit (HTTPS/TLS)
- httpOnly, secure session cookies
- Rate limiting on authentication and API endpoints
- Input validation and parameterized queries
- Regular security reviews
- Role-based access controls
- Google OAuth tokens encrypted at rest in our database
12. Children's Privacy
The Service is not directed to children under the age of 16 (or 13 in the US). We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact us immediately at dpo@discoverworthy.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Platform at least 30 days before the changes take effect. The "Last Updated" date at the top will be revised accordingly.
14. Contact Us
For privacy-related questions, complaints, or to exercise your rights:
- Email: dpo@discoverworthy.com
- Address: 140 Keller Road, ESSENDON NORTH, VIC 3041
UK Users: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Australian Users: You have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
California Users: See our CCPA/CPRA Privacy Notice for California-specific rights.