Legal · Feature-specific disclosure

Scorecard Privacy Notice

Last updated: 1 May 2026

This notice explains how the free Scorecard tool processes your data. It covers only the Scorecard feature. For our general privacy practices — including your GDPR rights, contact details, and complaints procedure — see our main Privacy Statement.

What happens when you click "Grade my dashboard"

Your browser takes a screenshot of the window you select. That screenshot is sent as a base64-encoded string over HTTPS to our backend, which forwards it directly to Anthropic's Claude API. The API returns a score and short feedback. We display the result in your browser.

The screenshot is held in memory only for the duration of the API call (typically under 30 seconds). It is never written to disk, never stored in our database, and is discarded as soon as the API response is received.

What we store

After every analysis we save a pseudonymous result record to our database:

Score, grade, headline, summary
Dimension scores (five axes)
Strengths and improvement tips
A timestamp (UTC)

No screenshot. No IP address. No name or identity. The record is pseudonymous — it cannot be linked to you unless you voluntarily provide your email address in the next step.

If you enter your email to unlock your action plan, your email address is attached to that record and we send you the results. We use this to send improvement tips and, if you grade five or more dashboards, a free consult offer.

What we do not do

✕ We do not store the screenshot — not to disk, not to any storage layer.

✕ We do not store your IP address.

✕ We do not require an account.

✕ We do not sell or share your data with third parties other than the sub-processor below.

✕ Anthropic does not use API data to train its models (per their Commercial Terms).

Rate limiting

To prevent abuse, our server limits analyses to 10 per IP address per hour. Your IP address is used transiently by the rate-limiter (in-memory, not persisted). It is not logged or stored beyond the current server session.

Retention

Screenshot: never stored; discarded in-memory after the API response.
Pseudonymous result record (no email): kept indefinitely for aggregate product analytics.
Result record with email: kept until you request deletion. Email privacy@metricsign.com to have your record removed.

Sub-processor

Anthropic PBC — San Francisco, USA

Processes the screenshot to generate the score and feedback. The transfer to the USA is covered by Standard Contractual Clauses incorporated in Anthropic's Data Processing Addendum. DPA accepted: yes (incorporated in Commercial Terms on account creation).

Legal basis

Your rights and contact

Because we do not link a scan to any identity unless you provide your email, there is nothing to access, correct, or delete for anonymous scans once they complete.

If you submitted your email address and want to exercise your GDPR rights (access, rectification, erasure, portability, objection), or for any other privacy question, see our main Privacy Statement or email privacy@metricsign.com.