Privacy Policy

Last updated: April 2026

This Privacy Policy describes how Slickup LLC, doing business as Kapiway (“Kapiway”, “we”, “us”, or “our”) collects, uses, and shares information when you use our SEO automation platform at kapiway.com (the “Service”). We process personal data on the legal bases set out in this policy, including to perform our Terms of Service with you, our legitimate interests in operating and improving the Service, your consent where required (for example, certain cookies and email tracking), and to comply with our legal obligations.

1. Information we collect

Account information

When you create an account we collect your email address. We sign you in either by emailing you a 6-digit one-time code or, if you choose to continue with Google, by verifying a Google ID token (which gives us your Google account email, profile name, profile picture URL, and a stable Google user identifier we use to recognize the account on subsequent sign-ins). We do not use passwords, so there is no password for us to store.

Project and SEO data

When you add a project we store the website URL, business profile, target keywords, audit results, generated content, competitor data, backlink data, and any notes or files you upload. This data is scoped to your organization and accessible only to members you invite.

Outreach activity

When you use our outreach features we store the prospect lists you build (URLs, domain authority signals, contact names and emails surfaced by our enrichment providers), the email drafts and templates you create, the messages Kapiway sent on your behalf (subject, body, recipient, send timestamp), and email engagement signals (delivery, opens). To measure opens we embed a 1×1 tracking pixel in outgoing HTML emails — see Section 4 below for details.

Billing information

Subscription payments are processed by our payment provider, Dodo Payments, who is the merchant of record. Dodo holds your card details directly under their own privacy practices; we never receive or store your card number, CVV, expiry, or billing address. From Dodo we receive and store only the customer and subscription identifiers (and the resulting plan and status) needed to grant access and manage renewals on your account. Dodo processes the payment-related personal data it collects directly from you (card details, billing address, fraud-screening signals, tax data) as an independent controller under its own privacy notice and Data Processing Agreement; that processing is governed by Dodo’s terms, not ours, and is not covered by our subprocessor list in Section 7.

Activity, device, and log data

We collect server logs (IP address, user agent, request timestamps), an application activity log of significant actions you take in your account (e.g. project created, content approved, email sent — for audit and support), and error and performance telemetry from Sentry. On our public marketing site we also run third-party web analytics and, where enabled, advertising pixels — the live list of tools and the cookies they set is in our Cookie Policy, and you can decline non-essential categories from the consent banner.

2. Connected accounts and OAuth scopes

Several Kapiway features depend on connecting third-party accounts you control. You initiate every connection from inside the Service, you see the standard consent screen of the relevant provider (Google, Microsoft, LinkedIn, Meta), and you can revoke any connection at any time from the relevant Connections or Integrations page inside the project where it was added, or directly from the third-party provider’s account-permissions page. The list below covers every connection we currently support and exactly which permissions we request and why:

Google APIs

  • Gmail (send-only): https://www.googleapis.com/auth/gmail.send — used solely to send outreach emails on your behalf when you click “Send” on a draft inside Kapiway. We do not read, list, search, modify, or delete any messages in your Gmail inbox. We store the OAuth refresh token (encrypted at rest) and the metadata of each email Kapiway sent on your behalf.
  • Google Search Console (read-only): .../auth/webmasters.readonly — used to fetch keyword rankings, click/impression data, indexing status, and crawl errors for properties you have verified in Search Console. Read-only.
  • Google Analytics (read-only): .../auth/analytics.readonly — used to fetch traffic, conversion, and audience metrics for properties you have access to. Read-only.
  • Google Ads: .../auth/adwords — used by our optional Ad Engine to read campaign performance and, when you explicitly authorize a change inside Kapiway, to create campaigns, upload creatives, change bids, or pause/enable ads on the accounts you connect. This scope can spend money on your Google Ads account; you remain responsible for all spend (see our Terms of Service, Section 12).
  • Profile email: .../auth/userinfo.email — used only to identify which Google account a connection belongs to inside the Kapiway UI.

You can revoke any Google connection from inside Kapiway or from your Google Account permissions page. Revocation immediately deletes the stored refresh token from our systems.

Microsoft (Outlook)

  • Mail.Send — send outreach emails through your Outlook/Microsoft 365 mailbox when you click “Send” in Kapiway. Send-only; we never read inbox contents.
  • User.Read — identify which Microsoft account is connected.
  • MailboxSettings.Read, used only to import your existing email signature when you connect Outlook, so we can prefill it on outgoing drafts. We do not read working hours, automatic-reply settings, or any other mailbox configuration.
  • offline_access — receive a refresh token so the connection keeps working without re-prompting you to sign in.

Revoke from account.microsoft.com/privacy/app-access or from inside Kapiway.

LinkedIn (Content Syndication)

Kapiway supports two LinkedIn destinations, each backed by a separate set of OAuth scopes from LinkedIn’s Marketing Developer Platform. You choose which destination to authorize when you click “Connect with LinkedIn” — the consent screen LinkedIn shows you lists exactly what will be granted before you approve.

  • Personal profile — uses the openid, profile, email, and w_member_social scopes (UGC Posts API). Kapiway can publish a post (a short summary plus a link back to your article) to your LinkedIn feed and read your basic profile (name, headshot, member URN) so we can label the connection in our UI.
  • Company / Organization page — uses the w_organization_social scope and LinkedIn’s Community Management API. Kapiway can publish posts to the specific Company Page(s) you select during connect, and read the page’s metadata (page name, logo, organization URN) so we can show you which page a post will go to. Access to this scope is gated by LinkedIn’s app-review process; if our app is still in review we may surface this option as “Pending” in the UI and disable it until approval.

In both modes we publish content only when you explicitly schedule a post or click “Publish” inside Kapiway. We do not read your LinkedIn feed, your messages, your 1st-degree connections, or any analytics that aren’t about content you published through Kapiway. You can revoke either connection at linkedin.com/psettings/permitted-services or from inside the Kapiway project where it was added.

Meta (Facebook / Instagram Ads)

  • ads_management, ads_read, business_management — used by our optional Ad Engine to read Meta ad performance and, when you explicitly authorize a change inside Kapiway, manage campaigns, ad sets, and creatives on Facebook and Instagram. As with Google Ads, this can spend money on the accounts you connect; you remain responsible for all spend.

Revoke from Business Integrations.

Content publishing destinations

Kapiway publishes content for two distinct purposes, and we treat the credentials for each separately. In both cases we publish only at your explicit direction — you click “Publish” or schedule a specific item:

(a) Primary publication — your own website / CMS

When you connect the CMS or storefront that powers your own site, we store the credentials needed to create, update, and (where applicable) configure metadata for the articles or pages you direct us to publish. The destination is your property under your control:

  • WordPress (REST API + Application Password) — create/update posts and pages, set Yoast / RankMath SEO metadata if those plugins are installed, manage redirects via the Redirection plugin if installed.
  • Webflow CMS (API token + site / collection IDs) — create and update collection items in the blog collection you select.
  • Shopify (Admin API access token + shop domain) — create blog articles and pages in the store you connect, scoped to write_content, write_blogs, and write_pages.
  • Wix (API key + site / account IDs) — create and update blog posts on the site you connect.
  • Ghost (Admin API key + site URL) — create and update posts via the Ghost Admin API.
  • Framer (CMS API key) — create and update CMS collection items.
  • Notion, Feather (API tokens) — create and update entries in the workspace / publication you connect.
  • Generic webhook (URL + optional signing secret) — if you operate a custom CMS, we can POST the rendered article to an endpoint you provide. We send only the article payload itself; we do not call any other endpoint on your domain.

(b) Content syndication — copies on third-party platforms

Separately, you may choose to syndicate articles to third-party platforms with a canonical link back to the original on your site. This is a publicity feature, not your primary publication channel. When you syndicate, a copy of the article (and optionally a summary, tags, and featured image) is transmitted to the destination platform, where it becomes subject to that platform’s own terms of service, content policies, and privacy practices:

  • Dev.to, Hashnode (API tokens) — full automated publication of the syndicated copy with a canonical URL pointing back to the original.
  • Medium, Substack (integration tokens or post-by-email) — publish a draft or post (Medium) or queue a draft (Substack) using the credentials you provide. You confirm the final publication on the destination platform.
  • LinkedIn — described in the LinkedIn section above. Syndicated to a personal profile or, where approved, a Company page.
  • Reddit, HackerNews, IndieHackers, Quora — assisted or manual flow only. Kapiway prepares the post and the schedule but does not auto-submit; you click through to the platform to finish the post in your own browser session. We do not store passwords for these platforms.

Stored credentials are encrypted at rest. Removing a connection from inside the project where it was added — or revoking it from the third-party provider’s own account-permissions page — deletes the stored credentials and stops future automated actions.

3. Site crawler

Several Kapiway features rely on a crawler that fetches publicly available web pages on your behalf. There are two distinct uses:

  • Site audit of your own site. When you onboard a project, we crawl the URL you submitted to find broken links, missing metadata, schema issues, page-speed signals, and similar on-page issues. The same crawler runs again when you ask for a re-audit.
  • Off-site crawling at your direction. When you click “Discover competitors”, “Find more prospects”, scan for backlink opportunities, or trigger similar research features, we fetch the homepages and a small number of relevant pages (about, contact, pricing) of third-party websites — competitors and link-building prospects — so we can extract titles, contact emails, and metadata for use inside Kapiway.

How the crawler behaves:

  • It identifies itself honestly. Every request sends an HTTP User-Agent header of Mozilla/5.0 (compatible; KapiwayBot/1.0; +https://kapiway.com/bot). Site administrators can see this in their access logs and block, rate-limit, or allowlist us with their normal robots.txt rules or web-application-firewall tooling.
  • It honours robots.txt. Before crawling a host we read its /robots.txt and skip any path that disallows our user-agent.
  • It runs only when you trigger it. We do not continuously re-crawl in the background. The audit crawler runs once on onboarding plus whenever you manually re-run it; competitor and prospect crawlers run only when you press the corresponding button in the Kapiway UI.
  • It does not execute JavaScript. We fetch raw HTML, response headers, structured data (JSON-LD, OpenGraph, meta tags), and link structure. Sites that render their content client-side may appear partial in our snapshots; that is by design.
  • It caps the work. No more than 500 pages per crawl, with concurrency limited so we don’t overwhelm small sites.
  • It does not bypass protections. We do not attempt to access content behind authentication, paywalls, CAPTCHAs, or anti-scraping rules. If a page returns 401, 403, 429, or a challenge response, we record the status code and move on.
  • It stores what it sees. Fetched HTML, response headers, and the audit findings derived from them are stored against your project. See Section 8 for retention windows.

By onboarding your own site you represent that you own it or are otherwise authorized to have it crawled. By triggering off-site crawls (competitor research, prospect discovery, etc.) you represent that the URLs are publicly accessible and that automated retrieval of public web content is permitted under your local law and the target site’s terms (see Terms § 12).

4. How we use information

We use the information described in Section 1 for the purposes below. Most of what Kapiway does on your behalf is automation work, so the first group is intentionally specific.

To run the automation features you ask for

  • Generate audit summaries, content drafts, outreach copy, and ad creatives by sending the relevant project context to Anthropic for AI inference (see Sections 5 and 6).
  • Crawl your site to produce the site audit, broken-link list, schema check, and similar findings (see Section 3).
  • Crawl competitor and link-building prospect websites you ask us to research, to extract titles, metadata, contact emails, and outreach opportunities (see Section 3).
  • Run keyword research, SERP analysis, backlink lookups, and prospect discovery via DataForSEO using the queries you trigger.
  • Publish articles, posts, and metadata to the CMS or storefront you connect (your own site) when you click Publish or schedule a publish date.
  • Syndicate articles to the third-party platforms you connect (Medium, Dev.to, Hashnode, Substack, LinkedIn, etc.) when you select syndication.
  • Send outreach emails through your connected Gmail, Outlook, or SMTP account when you click Send, and record send timestamps and the first open of each email so you can see open rates (see “Email open tracking” below).
  • Read your Google Search Console and Google Analytics data, when you connect them, to power keyword-ranking, traffic, and indexing reports inside Kapiway.
  • Read and, when you authorize a change, modify campaigns, ad sets, creatives, and bids on the Google Ads or Meta ad accounts you connect.

To operate the Service itself

  • Authenticate you via one-time email codes or Google Sign-In, and keep your account secure.
  • Process subscription payments and manage your billing through Dodo Payments (the merchant of record).
  • Send transactional emails — security alerts, billing receipts, approval-gate notifications, and similar account-level messages.
  • Monitor performance, debug errors (see Sentry disclosure in Section 6), detect and prevent abuse, and improve the product.

To meet legal and policy obligations

  • Comply with applicable laws, valid legal process, and regulatory requirements.
  • Enforce our Terms of Service, including investigating reports of misuse and protecting the rights and safety of Kapiway, our users, and the public.

Email open tracking

Outreach emails sent through Kapiway include a 1×1 transparent tracking pixel in their HTML body. When the recipient’s email client loads images, our server stamps the email record with the time of the first open and marks the email’s status as “Opened”. We do not store the recipient’s IP address or user-agent, and we do not count or store subsequent opens beyond the first. The first-open timestamp is shown against the email in your outreach inbox so you can see open rates. Recipients can prevent open tracking by disabling automatic image loading in their email client (a built-in option in Gmail, Outlook, Apple Mail, and most other clients). As the sender, you are responsible for any disclosure or consent obligations open tracking creates in your jurisdiction (see Terms § 11).

5. Google API Services — Limited Use disclosure

Kapiway’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, we commit that Google user data is:

  • Used only to provide or improve user-facing features that are prominent in the Kapiway interface.
  • Never sold, never used for advertising, and never shared with data brokers or for any credit-worthiness purpose.
  • Never used to train, develop, or improve generalized machine-learning or AI models. Per-user features that use AI (e.g. drafting outreach copy from a prospect’s website) operate on data that user explicitly provided and are not used to train models that serve other users.
  • Read by humans only with your explicit consent for specific support requests, for security investigations, or where required by law.

6. How we share information

We do not sell your personal information. We share it only with the subprocessors and recipients listed in Section 7, and only to the extent needed to operate the Service. Other than that, we share information only:

  • With recipients of emails you send. When you send outreach emails through Kapiway, the recipient receives the message body, attachments, and any addressees you specify.
  • With your own website / CMS. When you direct Kapiway to publish to your own site (WordPress, Webflow, Shopify, Wix, Ghost, Framer, Notion, Feather, or a custom webhook), the rendered article and its metadata (title, slug, tags, SEO fields) are transmitted to that destination using the credentials you supplied.
  • With syndication platforms you connect. When you choose to syndicate an article to a third-party publishing platform (Medium, Dev.to, Hashnode, Substack, LinkedIn, and the assisted/manual platforms above), a copy of the article and its metadata is transmitted to that platform under your account, where it becomes subject to that platform’s own terms.
  • With ad platforms you connect. Campaign edits, creative uploads, and bid changes are submitted to the connected Google Ads or Meta account at your direction.
  • With AI providers when you trigger generation. When you click “Generate”, request an audit summary, draft outreach copy, ideate ad creatives, or invoke any other AI feature, the project context needed for that feature — your URL, business profile, target keywords, relevant snippets of your content or crawled pages, and any prompt you supplied — is sent to Anthropic for inference. Anthropic processes the request and returns a response; the constraints in Section 5 apply to any Google API data included in that context.
  • With SEO data providers. When you trigger keyword research, SERP analysis, backlink lookups, prospect discovery, or competitor research, the queries needed — including your site URL, target keywords, and competitor domains — are sent to DataForSEO.
  • With stock imagery providers. When generated content needs imagery, we send short search queries derived from the article’s title, keywords, or section headings (e.g. “modern kitchen”, “cybersecurity dashboard”) to Pexels and Unsplash to retrieve royalty-free images. We do not send your full article body or any account credentials to these providers.
  • With other members of your organization. Anyone you invite to your Kapiway organization can see project data, audit results, prospect lists, draft and sent emails, reports, and connection settings according to the role you assign them. You can revoke access at any time from the team / members area of your account.
  • With our error-monitoring provider. Server-side errors and stack traces are forwarded to Sentry to help us debug. We initialize the Sentry SDK with send_default_pii = false so that the SDK does not automatically attach IP addresses, request headers, request bodies, or user identifiers to error reports. What reaches Sentry is the request path, the stack trace, the exception message, and runtime metadata (Python version, environment).
  • For legal reasons. Where required by valid legal process, to protect rights and safety, or in connection with a corporate transaction (merger, acquisition, asset sale).

7. Subprocessors

Subprocessor list last updated: April 2026

We engage the following subprocessors to operate the Service. Each accesses only the data needed for its role and is contractually bound to confidentiality and data-protection terms.

Provider | Role | Region
Amazon Web Services | Cloud hosting and storage (compute, database, object storage) | USA
Resend | Transactional email (sign-in codes, approvals, notifications, billing receipts, invites) | USA
Dodo Payments | Analytics, reporting, and Kapiway-directed support actions only (see note below for the controller-side relationship) | Global
Anthropic | AI model inference (audit summaries, content drafts, outreach copy) | USA
DataForSEO | Keyword data, SERP snapshots, backlink intelligence | USA / EU
Google LLC | Search Console, Analytics, Gmail send, Google Ads (only when connected) | USA
Microsoft | Outlook send (only when connected) | USA / EU
Meta Platforms | Facebook / Instagram Ads (only when connected) | USA
LinkedIn | Content syndication (only when connected) | USA
Pexels, Unsplash | Stock imagery for generated content | USA / EU
Sentry | Error tracking (request path, stack trace, runtime metadata; SDK configured with send_default_pii = false) | USA

This page is the canonical list of our subprocessors. We update it when we add or replace a subprocessor. If you object to a subprocessor we have engaged, and we cannot accommodate the objection, you may terminate your subscription on reasonable notice.

Note on Dodo Payments. Dodo plays two roles. For the analytics, reporting, and support-action work we direct, Dodo acts as our processor and is listed in the table above. For payment processing itself — taking your card, screening for fraud, calculating and remitting tax, handling chargebacks — Dodo acts as an independent controller under its own Data Processing Agreement. The subprocessors Dodo engages for that controller-side processing are listed in Annex 2 of Dodo’s DPA; they sit under Dodo’s controllership, not ours, so we do not list them here.

8. Data retention

We retain personal data for as long as it serves the operational, legal, or commercial purpose for which it was collected. The specific behaviour varies by data type:

  • Account data. Persists while your account is active. After cancellation, your data is preserved for at least 60 days to allow recovery, after which we may delete or anonymize personal data on request or as part of operational housekeeping.
  • OAuth refresh tokens. Deleted from our database immediately when you disconnect the integration inside Kapiway or revoke the app from the provider’s account-permissions page.
  • Crawled site snapshots, prospect lists, outreach email records, generated content, reports, and activity logs. Retained for the life of the project. You can delete individual prospects, integrations, content pieces, team members, and similar items from inside the relevant area of the Kapiway UI; to delete an entire project or your account, email support@kapiway.com.
  • Error tracking data. Sent to Sentry; retained per Sentry’s standard plan-tier defaults (typically 30–90 days depending on plan). We do not configure additional retention.
  • Operational backups. Database backups are retained for a short rotation window by our hosting provider for disaster-recovery purposes.

You can exercise your right to deletion at any time as described in Section 10.

9. Security

We use industry-standard safeguards: TLS 1.2+ for all data in transit, encryption at rest for OAuth tokens, integration credentials, and other secrets (Fernet/AES with keys derived from a master secret), role-based access controls (Viewer / Editor / Admin / Owner), HMAC-signed state parameters on OAuth flows, and Sentry configured with send_default_pii=false so cookies, auth headers, and session data are stripped from error reports before they leave our infrastructure. Sign-in is passwordless — we use either a one-time email code or Google Sign-In, so there is no password for an attacker to steal. No system is perfectly secure, so we encourage you to enable two-factor authentication on every connected provider account (Google, Microsoft, etc.).

10. Your rights

Depending on where you live (e.g. EEA/UK under GDPR, California under CCPA/CPRA), you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and associated personal data.
  • Export your data in a portable, machine-readable format.
  • Object to or restrict certain processing.
  • Withdraw consent for OAuth integrations at any time.
  • Lodge a complaint with your local data protection authority.

Most of these rights are fulfilled on request — email support@kapiway.com and we will respond to verified requests within 30 days. We may need to verify your identity before processing the request to protect your data from unauthorized access.

You can withdraw OAuth consent yourself at any time: disconnect the integration from inside Kapiway (Integrations or Outreach → Connections), or revoke our app from your Google / Microsoft / LinkedIn account-permissions page.

We do not sell your personal information, and we will not retaliate or discriminate against you for exercising any of these rights.

11. International data transfers

Kapiway operates from the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms with our subprocessors.

12. Children’s privacy

Kapiway is a B2B SaaS product not intended for use by anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision; we recommend checking back periodically. For material changes (including new subprocessors and new OAuth scopes) we will make the update visible on this page before relying on the change for new processing. If you object to a change, you may stop using the Service and request deletion of your data.

14. Contact us

If you have questions or concerns about this policy or our data practices, contact us at:

Slickup LLC (doing business as Kapiway)

Email: support@kapiway.com

Mail: c/o Agents and Corporations, Inc.
1201 Orange St, Suite 600, One Commerce Center
Wilmington, DE 19801, USA