KWScanner
Sign in Get Extension
Legal

Privacy Policy

How we collect, use, and protect your information.

Last updated: 20 May 2026

This policy explains what data KWScanner ("we", "us") collects, how we use it, and the choices you have. We've kept it short and direct — if anything is unclear, email us at [email protected].

1. Who we are

KWScanner is operated as a software-as-a-service. The service is available at kwscanner.com, the dashboard at app.kwscanner.com, and via our browser extension. References to "the Service" in this policy mean any of those surfaces.

2. What we collect

Account data

  • Email address and authentication identifiers, provided through our sign-in partner.
  • Account preferences: notification settings, auto top-up configuration, and any other preferences you set in your account.
  • Browser extension tokens: when you generate a token to authenticate the extension, we store its hash (not the plaintext token) plus a short prefix for display purposes.

Payment data

We use Stripe to process payments. We never see or store your full card number — Stripe handles the card data directly. We retain the Stripe customer ID, payment method ID (for auto top-up), and transaction metadata required to issue receipts and refunds.

Account activity

  • Credit ledger: every purchase, charge, refund, and adjustment is recorded as an immutable ledger entry tied to your account so we can show you accurate balances and history.
  • Sign-in events: timestamps and approximate location of recent sign-ins, used for security alerts.

Technical data

  • Standard server logs (IP address, user agent, request path, response status) retained for up to 30 days for security and abuse prevention.
  • Error reports from your browser when something breaks. We do not attach these to your identity unless you choose to email us about a specific issue.

Google Ads integration (optional)

If you choose to connect a Google Ads account to push researched keyword lists into your own ad groups, the following additional data is involved:

  • Google account email of the account you authorise — stored so you can identify which connection is which.
  • OAuth refresh token issued by Google for the Ads scope (https://www.googleapis.com/auth/adwords). The token is encrypted at rest using AES-256-GCM and is used only to act on the Google Ads accounts you explicitly chose.
  • Google Ads account metadata we read on your behalf — customer ID, descriptive name, currency, time zone, and the list of your campaigns and ad groups — so the dashboard can render the Campaigns page. We do not store campaign performance metrics, conversion data, or billing data from your Ads account.
  • Keywords you push: when you click "Push Keywords to Ad Group", we send the selected keywords, match type, and bid you chose to the Google Ads API on your behalf. From that point on, those keywords are part of your Google Ads account and are subject to Google's own privacy policy and your own Google Ads account controls.

You can disconnect any Google Ads account from the Campaigns page at any time. Disconnecting deletes the encrypted refresh token from our database and revokes our ability to call the Google Ads API on your behalf. It does not remove keywords already pushed into your ad groups — those live in your Google Ads account and must be managed from there.

3. How we use it

  • To deliver the service you signed up for: authenticating you, applying credit charges, sending receipts, processing refunds.
  • To prevent abuse: rate limiting, fraud detection, account-takeover protection.
  • To improve the product: aggregate analytics on which features are used and what error rates look like. Always done on aggregated, anonymised data — never on individual users.
  • To communicate with you: transactional emails (purchase receipts, low-balance alerts, refund notifications). You can opt out of non-essential email in your account settings.

We do not sell your data. We do not use your account activity to advertise to you on other platforms. We do not share your data with anyone except the processors listed below.

4. Sub-processors

We share account data with these processors to operate the service:

  • Authentication provider — sign-in and session management.
  • Stripe — payment processing.
  • Email delivery provider — transactional email (receipts, account alerts).
  • Cloud hosting providers — compute, database storage, and backups.
  • Google LLC (Google Ads API) — only if you connect a Google Ads account. We send your selected keywords, match type, and bids to Google to push into ad groups you choose, and we read campaign / ad-group metadata from the accounts you authorised. Use is governed by Google's own Privacy Policy and the Google Ads API policies.

Each sub-processor has a data processing agreement in place that limits how they may use the data we share with them. We do not share your email address or account identity with any third party for marketing purposes.

5. Your rights

Wherever you live, you have the right to:

  • Access the personal data we hold about you.
  • Correct data that is wrong.
  • Delete your account and the data attached to it. Deletion is irreversible — your account record and transaction history are removed within 30 days, except where we are legally required to retain certain records (such as tax invoices).
  • Export your data in a portable format.
  • Object to processing for analytics or marketing.

To exercise any of these, email [email protected]. We respond within 30 days.

If you're in the EU/EEA, GDPR applies. The lawful bases we rely on are: contract (delivering the service you signed up for), legitimate interest (preventing abuse, improving the product), and consent (where required, such as marketing email).

If you're in California, CCPA applies. We do not sell personal information as defined by the CCPA.

6. Security

  • All traffic is encrypted in transit (TLS 1.2+).
  • Sensitive secrets (API keys, refresh tokens) are stored in a managed secrets store, not in code or version control.
  • Production database access is restricted to a small set of operator accounts and audited.
  • Browser extension tokens are stored as SHA-256 hashes; the plaintext is shown to you exactly once.
  • Google Ads OAuth refresh tokens are encrypted at rest with AES-256-GCM under a key held outside the database; they are decrypted only in memory to make API calls on your behalf.

No system is perfect. If we ever discover a breach affecting your data, we will notify affected users within 72 hours and explain what happened, what we're doing, and what you should do.

7. Cookies

We use a small number of essential cookies (authentication session, CSRF protection) without which the service cannot function. We do not use third-party advertising cookies. We may use privacy-friendly analytics (e.g. Plausible) that do not set persistent identifiers.

8. Children

KWScanner is not intended for use by anyone under 16. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we'll delete the account.

9. International transfers

Our infrastructure is hosted in regions that may include the United States and Europe. When data crosses borders, we rely on the relevant standard contractual clauses approved by the EU Commission.

10. Changes to this policy

We update this policy when our practices change. The "last updated" date at the top reflects the most recent revision. For material changes, we'll email you and post a banner on the dashboard at least 14 days before the change takes effect.

11. Contact

Email us at [email protected] for anything related to this policy or your data.

One-line summary We collect what's needed to run the service, share it only with processors that help us deliver it, never sell it, and let you delete it whenever you want.