What we read, what we store

Public footprint only. No authenticated event streams, no internal company data.

What we read

PMFKit reads only the public footprint of the URL you paste. That includes the rendered page itself, its public subpages, and a small set of public APIs (search rank, public traffic estimators, GitHub's public API, public social signals on X, Product Hunt, Indie Hackers, Hacker News).

We do not run authentication-bypassing crawls. Pages requiring a login, a paywall, or session state are not accessed. We honor robots.txt and rate limits. We operate inside the hiQ and Van Buren US framework on public page scraping, and inside the EU DSM Article 4 (Text and Data Mining) regime by honoring machine-readable opt-outs.

What we store

For 24 months from the time you run an analysis, we store:

  • The submitted URL and the public pages we crawled.
  • Crawl artifacts: rendered HTML, screenshots, public API responses, with timestamps.
  • The three reports (Discoveries, Context, Strategies) and the verdict.
  • The prompt version and model version used at run time, so we can re-run the same prompt against your inputs later if you need to audit a verdict.
  • Your account data (email, plan tier, Stripe customer ID).

After 24 months, the audit trail is purged unless you have an active subscription, in which case it persists for the life of the account plus 12 months.

What we do not store

  • No PII beyond what is on the public page itself. Founder names and emails publicly displayed on your site are stored as part of the report. Founder identities not on the page are not derived, enriched, or persisted.
  • No authenticated event streams. Mixpanel, PostHog, Amplitude, Heap, Stripe webhooks, your private analytics: none of these are pulled. PMFKit is not the right tool for analyzing your private metrics.
  • No internal company data. We never connect to your data warehouse, your CRM, or your finance system.

GDPR posture

For EU users (founder buyers): a standard SaaS DPA is available on request, the subprocessor list is disclosed, and EU data residency is offered for Team plans (Supabase EU instance).

For analyzed URLs of EU-resident founders: same posture. The analyzed URL is treated as the data subject's published business information; the legal basis for the public footprint analysis is legitimate interest, with opt-out via robots.txt or a direct request.

Data subject access requests are handled within the GDPR's 30-day window via support@pmfkit.com.

The advisory disclaimer

PMFKit's verdict and recommendations are advisory. They are not financial advice, legal advice, employment advice, or any other regulated form of advice. The verdict reflects the model's synthesis of public footprint data at a point in time; you have access to information PMFKit cannot see. See also our privacy policy and terms of service.