privacy
privacy policy
last updated 6 june 2026
This notice explains what personal data Schema Theory processes, why, on what legal basis, who we share it with, how long we keep it, and your rights. It is consistent with our terms of service and, for business customers, our data processing addendum.
controller
The data controller is Mikhail Galustov, entrepreneur individuel trading as Schema Theory, 173 rue de Courcelles, 75017 Paris, France — SIREN 994620201. Contact: team@schematheory.org. A statutory DPO is not mandatory; this address is the single contact point for privacy requests.
For personal data we process on behalf of a business customer — data inside the properties and accounts they connect — that customer is the controller and we act as processor under the data processing addendum.
who we collect from
- Visitors to schematheory.org and research.schematheory.org.
- Prospects who run the free audit or leave details for a demo, plus public information about audited domains and the businesses behind them.
- Customers and their authorised personnel.
- Individuals within connected properties — personal data present in customer analytics, ads, email, e-commerce, and DNS sources (processed as processor).
data we collect
- Site and security data: IP, user agent, request path, referrer, timestamp, error and abuse-prevention logs.
- Signup and contact data: name, business email, phone, company, message content, consent state, follow-up history.
- Audit and service data: submitted domains, public website and DNS data, connected-account data, crawl results, screenshots, measurements, scores, embeddings, and the briefs and fixes we generate.
- Client and billing data: contract records, project files, approvals, invoices, payment metadata.
why we use it
Where we rely on legitimate interests we have carried out a balancing test, available on request. You may object at any time.
model development and the corpus
We use data processed through the service to improve and train our rubrics, scoring engines, embeddings, the Corpus, and AI models. By default we anonymise or aggregate before this use. We do not train models on identifiable personal data inside a customer's connected properties except on that customer's instruction or after anonymisation, and we carry out a data protection impact assessment where required. Models and aggregated or anonymised data derived from this work are our property and may be retained and used indefinitely, including after an account closes, because they no longer identify anyone.
processors and recipients
We do not sell personal data. We share it only where needed with vetted providers acting on our instructions — hosting and security (Cloudflare), email (Resend, Google Workspace), scheduling (Cal.com), CRM (Attio), AI and embedding providers, performance and search data sources, and payments (Stripe). A current list is on our sub-processors page. We may also disclose data to advisers, to authorities where legally required, and to an acquirer in a corporate transaction.
international transfers
We host and process personal data in the EU/EEA where feasible. Where a transfer outside the EEA occurs, we rely on an adequacy decision or on the European Commission's Standard Contractual Clauses with supplementary measures. Details are on the sub-processors page.
retention
your rights
Under the GDPR you may request access, rectification, erasure, restriction, portability, objection to legitimate-interest processing and direct marketing, and withdrawal of consent. Email team@schematheory.org; we respond within one month and may verify your identity. You may complain to the French supervisory authority, the CNIL (cnil.fr). Irreversibly anonymised and aggregated data is no longer personal data and is outside the scope of these rights.
cookies
We use strictly necessary storage and, only with your consent, optional analytics, media, or marketing storage. Manage your choice any time on the cookie page. We do not use advertising or remarketing cookies, session replay, or fingerprinting on the public site.
business customers
If we process personal data on your behalf, our data processing addendum applies, including sub-processor terms, security measures, breach notification, and Standard Contractual Clauses for transfers.
security
We use HTTPS, access controls, least-privilege credentials for connected accounts, provider-side controls, EU residency where feasible, and logging appropriate to the risk. No service is perfectly secure; if you think something is wrong, contact us quickly.
changes
We may update this notice and will post the new date here, giving notice of material changes where appropriate.