Privacy Policy
Effective date: March 25, 2026 | Last updated: March 26, 2026
1. Introduction
This Privacy Policy ("Policy") describes how Era Labs ("ora," "we," "us," or "our"), operating at orank.ai, collects, uses, stores, shares, and protects information when you ("you," "your," or "user") visit our website, use our scanning services, interact with our API or MCP server, or communicate with us (collectively, the "Services").
By accessing or using any part of our Services, you acknowledge that you have read, understood, and agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, please do not use our Services.
ora provides an automated agent-readiness scoring platform that evaluates how well websites and products can be discovered, understood, authenticated with, and acted upon by AI agents. Our scanning methodology involves both automated static checks and AI-powered deep analysis using multiple large language models and autonomous agent simulations, the details of which are described below.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to email addresses, IP addresses, and any other information that can be used to directly or indirectly identify an individual.
- "Scan Data" means all information collected, generated, or derived from the scanning of a domain, including scores, grades, check results, AI-generated summaries, and agent feedback.
- "AI Agent" means any autonomous or semi-autonomous software system powered by artificial intelligence, including large language models, that interacts with our Services or with scanned domains on behalf of a user or organization.
- "Deep Analysis" means the AI-powered scanning process in which autonomous agents simulate real-world interactions with a domain, including browsing, searching, evaluating content, and attempting task completion.
- "MCP" means the Model Context Protocol, an open standard for AI agent-to-service communication through which agents may interact with our platform programmatically.
3. Information we collect
3.1 Information you provide directly
- Domain submissions. When you initiate a scan, you provide a domain name or URL. We do not require account creation, login credentials, or any personally identifiable information to use the scanning service.
- Email address. If you subscribe to scan completion notifications or contact us directly, we collect the email address you provide along with any message content.
- Agent feedback. AI agents interacting with our MCP server may submit structured feedback about products, including agent identifiers, task descriptions, user intent context, outcomes, friction points, layer-by-layer scores, and recommendations. This feedback is associated with an agent identifier (in the format platform-hash), not with an individual person. Feedback submission is rate-limited to one entry per agent per domain per 24-hour period and ten entries per agent per hour.
3.2 Information collected through scanning
When a scan is initiated (whether by a user through our website, programmatically via our REST API, or by an AI agent through our MCP server), our system collects and analyzes publicly available information about the submitted domain. This includes, but is not limited to:
- Static technical checks. We probe publicly accessible paths and files including robots.txt, sitemap.xml, llms.txt, llms-full.txt, /.well-known/ directories (including agent-card.json, ai-plugin.json, openid-configuration, and MCP manifests), OpenAPI and Swagger specifications, developer documentation pages, pricing pages, and developer portal URLs. We parse HTML content, HTTP headers, DNS records, JSON-LD structured data, Schema.org markup, Open Graph meta tags, and other machine-readable metadata.
- Registry and index queries. We query public third-party registries and indexes to assess the domain's visibility in the AI agent ecosystem, including MCP registries (Smithery, mcp.so, Glama, PulseMCP), package registries (NPM, PyPI), and code hosting platforms (GitHub) for agent configuration files (such as .claude/, .cursor/, and .windsurf/ directories), SDKs, CLI tools, and integration references.
- AI-powered deep analysis. For certain checks, we deploy AI agent simulations using third-party large language models and autonomous agent platforms. These simulations include ChatGPT (OpenAI), Claude (Anthropic), Gemini (Google), OpenClaw, Qwen (Alibaba), DeepSeek, and ora's own agent. During deep analysis, these agents may: browse and analyze publicly available pages on the submitted domain; search the open web for references to the domain, including mentions on Reddit, YouTube, Wikipedia, Stack Overflow, review sites, industry publications, and other public sources; evaluate content quality and trustworthiness signals; test and document authentication flow patterns; analyze API schema usability and complexity; simulate multi-turn conversations about the product; test function-calling compatibility across platforms; evaluate error recovery behavior; and attempt autonomous end-to-end task completion flows including discovery, understanding, authentication, and action execution.
- Web searches. As part of the deep analysis process, our AI agents conduct web searches to assess brand authority in AI training data, AI citability (how likely LLMs are to cite or reference the product), competitive positioning clarity, E-E-A-T signals (Experience, Expertise, Authoritativeness, Trustworthiness), and public perception of the scanned domain. These searches query publicly available information only and do not access any private, gated, or authenticated content.
- Content analysis. We analyze the quality and structure of publicly available content associated with the domain, including semantic indexability for vector search and retrieval, content quotability for AI citation, context window efficiency for large language model consumption (measuring how effectively content fits within 128K to 2M token windows), and cross-platform consistency of product information across multiple AI platforms.
All data collected through scanning is derived exclusively from publicly accessible sources. We do not attempt to bypass authentication mechanisms, access gated content, circumvent paywalls, or collect any data that is not freely available on the public internet. Our scanning respects robots.txt directives where applicable.
3.3 Information collected automatically
- Usage analytics. We use Google Analytics to collect anonymized usage data, including pages visited, session duration, referral sources, general geographic region (country/city level), device type, browser type, and operating system. This data is aggregated and cannot be used to identify individual users.
- Server logs. Our hosting infrastructure may collect standard server access logs, including IP addresses, request timestamps, HTTP methods, request URLs, and response status codes. These logs are used for security monitoring, performance optimization, and debugging purposes.
- API and MCP access logs. When you interact with our Services programmatically (via REST API or MCP server), we may log request metadata including the endpoint accessed, request parameters, timestamps, and response status codes. We do not log authentication tokens or API keys.
4. Legal basis for processing (EEA/UK users)
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your Personal Data on the following legal bases under the General Data Protection Regulation (GDPR):
- Legitimate interest (Article 6(1)(f)). We process domain scan data, publicly available website content, and usage analytics on the basis of our legitimate interest in providing an agent-readiness scoring service, maintaining the public leaderboard, improving our Services, and ensuring security. We have assessed that these interests are not overridden by your fundamental rights and freedoms, particularly as our scanning is limited to publicly available information.
- Consent (Article 6(1)(a)). Where you provide your email address for scan completion notifications, we process that data based on your explicit consent. You may withdraw consent at any time by contacting us or following the unsubscribe instructions in any notification email.
- Legal obligation (Article 6(1)(c)). We may process data where necessary to comply with applicable legal obligations, including responding to lawful government requests.
5. How we use your information
We use the information we collect for the following purposes:
- Providing scan results. To generate agent-readiness scores, grades, and detailed check-by-check results across five scoring layers (Discovery, Identity, Access and Auth, Integration, and User Experience) for submitted domains.
- Powering the public leaderboard. Scan results are displayed on our public leaderboard, which ranks domains by their agent-readiness scores across industry categories including Developer Tools, AI and ML, Agent Tools, Infrastructure, CRM, Productivity, Payments, E-commerce, Communication, Data and Analytics, Identity and Auth, and Community (user-submitted domains).
- Generating AI-powered content. We use large language models to generate natural-language summaries, assessments, and structured agent feedback about scan results, which are displayed on individual score pages.
- Product discovery. Scan data powers our product discovery feature, which enables AI agents to find the most agent-ready products for specific tasks or intents through our API and MCP server.
- Embeddable badges. We generate SVG badges displaying domain scores that can be embedded on external websites, README files, and documentation.
- Social sharing assets. We generate Open Graph (OG) images for each scanned domain to enable rich link previews when score pages are shared on social media platforms.
- Notifications. If you opt in, we use your email address to send scan completion notifications. We do not send marketing communications unless you separately and explicitly consent.
- Service improvement and research. Aggregated, anonymized usage data and scan results help us understand industry-wide trends in agent readiness, improve our scoring methodology, and enhance the accuracy and coverage of our checks.
- Methodology evolution. The AI agent ecosystem evolves rapidly, with new protocols, authentication patterns, and discovery standards emerging regularly. We continuously update our checks, scoring weights, and evaluation criteria to reflect the current state of the market. As a result, a domain's score may change between scans even if the domain itself has not changed, because the methodology has been updated to incorporate new standards or retire obsolete ones. Historical scan results are preserved to enable trend analysis.
- Security and abuse prevention. Server logs, rate-limiting mechanisms, and agent verification (via HATCHA, a reverse CAPTCHA system for agent identity) help us detect and prevent abuse, spam, and unauthorized use of our Services.
6. Automated decision-making and profiling
Our Services involve automated processing to generate agent-readiness scores and grades. Specifically:
- Automated scoring. Domain scans produce scores calculated algorithmically based on 68 automated checks across five layers, weighted according to our published methodology. The scoring is fully deterministic for static checks. Deep analysis checks involve AI model outputs that may introduce variability between scans.
- AI-generated assessments. Large language models generate natural-language summaries, competitive positioning assessments, and agent feedback. These outputs are generated automatically and are not reviewed by humans before publication.
- Public grading. Scores are automatically mapped to letter grades (A through F) and published on public leaderboards. These grades may influence how third parties perceive the scanned domain's agent readiness.
Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. If you believe our automated scoring has a significant effect on your business or rights, you may contact us to request human review of your scan results, contest the accuracy of any check results, or request removal of your domain from our leaderboard.
7. Public visibility of scan results
Please be aware that scan results are publicly visible by design. When a domain is scanned, the following information is made publicly accessible:
- The domain name, overall agent-readiness score (0 to 100), and letter grade (A through F)
- Individual check results, scores, and details for all five scoring layers
- AI-generated natural-language summaries and assessments
- Agent feedback submitted through the MCP server, including task descriptions, outcomes, and recommendations
- The domain's position and category on the public leaderboard
- Embeddable SVG badges displaying the domain's score and grade
- Open Graph images generated for social media sharing
- Historical scan data, including score changes over time
This information is accessible via our website (orank.ai), our REST API (documented at /api-reference), our MCP server (7 tools available to AI agents), our OpenAPI specification (/api/openapi.json), and our machine-readable llms.txt file. Any person or AI agent with internet access may view, query, or reference this data.
If you are the owner or authorized representative of a scanned domain and wish to have scan results removed, please contact us using the information in Section 18.
8. Data storage and retention
- Scan results are retained indefinitely to maintain historical leaderboard data, enable score trend analysis, and provide a persistent public record. Results are stored in our production database, hosted on infrastructure in the United States.
- Deep check job data, including AI agent analysis results, progress metadata, and intermediate outputs, are retained alongside scan results for the purpose of displaying detailed check information and debugging.
- Email notification records are retained for 90 days after the notification is delivered, after which they are automatically purged.
- Agent feedback is retained indefinitely as part of the public product profile for each domain. Feedback entries include agent identifiers, timestamps, and the structured feedback content.
- Server and access logs are retained for up to 30 days, after which they are automatically purged.
- Analytics data is retained according to Google Analytics' default retention settings (14 months for user-level data, indefinite for aggregated data).
You may request deletion of data associated with your domain at any time by contacting us. Upon receiving a valid deletion request, we will remove the specified data within 30 days, except where retention is required by law.
9. Cookies and tracking technologies
We use the following cookies and tracking technologies:
- Strictly necessary cookies. Required for basic site functionality. These cookies do not collect Personal Data and cannot be disabled without impairing core functionality.
- Analytics cookies. Set by Google Analytics (cookies: _ga, _ga_*, _gid) to collect anonymized usage data. These cookies have a maximum lifespan of 24 months. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, configuring your browser's privacy settings, or using a content blocker.
We do not use advertising cookies, retargeting pixels, fingerprinting techniques, or any form of cross-site tracking technology. We do not participate in ad networks or data broker ecosystems.
Do Not Track
Some browsers offer a "Do Not Track" (DNT) setting. There is currently no universally accepted standard for how to respond to DNT signals. We do not currently respond to DNT signals, but we limit our tracking to the analytics described above and do not engage in cross-site tracking.
10. Third-party services
We rely on third-party service providers to operate our platform. Each provider processes data in accordance with their own privacy policies. The key categories of third-party services we use include:
- Cloud infrastructure. We use third-party cloud providers for hosting, compute, and data storage. Data may be processed and stored on infrastructure located in the United States.
- AI model providers. During deep analysis, we transmit publicly available domain content (HTML, documentation, metadata, and API specifications) to AI model providers including Anthropic (Claude), OpenAI (ChatGPT), Google (Gemini), and others for agent simulation and analysis. Each provider processes this data according to their respective privacy policies and data usage terms.
- Analytics. We use Google Analytics for anonymized website usage analytics. See the Google Privacy Policy.
- MCP registries (Smithery, mcp.so, Glama, PulseMCP) - queried during scans to check domain registration in AI agent tool registries. No Personal Data is transmitted to these services.
- Package registries and code platforms (NPM, PyPI, GitHub) - queried during scans to check for published SDKs, CLI tools, and agent configuration files. No Personal Data is transmitted to these services.
When AI agents perform deep analysis, they may access publicly available web pages and search engine results. The content accessed is limited to publicly available information and is processed solely for generating the agent-readiness assessment. We do not store copies of third-party web pages beyond what is necessary to complete the scan analysis.
11. Data sharing and disclosure
We do not sell, rent, lease, or trade any Personal Data to third parties for their marketing purposes or any other purpose. We may share information in the following limited circumstances:
- Public scan results. As described in Section 7, Scan Data is publicly visible by design and accessible through our website, REST API, MCP server, OpenAPI specification, and machine-readable files.
- Sub-processors. We share data with the third-party service providers listed in Section 10, strictly for the purpose of operating and maintaining our platform. We maintain data processing agreements with sub-processors where required by applicable law.
- Legal requirements. We may disclose information if required to do so by law, regulation, subpoena, court order, or other legal process, or if we believe in good faith that such disclosure is reasonably necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or other illegal activity; (d) protect the personal safety of users or the public; or (e) protect against legal liability.
- Business transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, Personal Data and Scan Data may be transferred as part of that transaction. We will provide notice before Personal Data is transferred and becomes subject to a different privacy policy.
- With your consent. We may share your information for any purpose with your explicit consent.
12. Data security
We implement industry-standard technical and organizational security measures to protect the information we collect, process, and store. These measures include:
- Encrypted data transmission using TLS/HTTPS for all communications
- Secure, encrypted database connections with role-based access controls
- Environment-based secret and credential management
- Rate limiting on API endpoints and agent feedback submissions to prevent abuse
- Agent identity verification via HATCHA (reverse CAPTCHA) for MCP interactions
- SOC 2 Type II compliant infrastructure providers
Despite these measures, no method of electronic transmission or storage is completely secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security. In the event of a data breach affecting Personal Data, we will notify affected individuals and relevant supervisory authorities as required by applicable law.
13. Your rights and choices
Depending on your jurisdiction, you may have the following rights regarding your data:
13.1 General rights (all users)
- Access. You may request a copy of the data we hold about you or your domain. Scan results are also publicly available via our REST API and MCP server.
- Correction. You may request correction of inaccurate scan results or associated data. You may also initiate a rescan of your domain at any time to generate updated results.
- Deletion. You may request removal of your domain's scan results from our database and public leaderboard.
- Opt-out of analytics. You may opt out of Google Analytics tracking as described in Section 9.
- Data portability. You may request your domain's scan data in a machine-readable JSON format.
13.2 Additional rights for EEA/UK residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, you additionally have the right to:
- Object to processing based on legitimate interest, including objecting to the public display of your domain's scan results.
- Restrict processing of your data while a dispute about accuracy or our legitimate interest is resolved.
- Withdraw consent at any time where processing is based on consent (e.g., email notifications), without affecting the lawfulness of processing prior to withdrawal.
- Lodge a complaint with your local data protection supervisory authority if you believe our processing of your Personal Data violates applicable law.
- Contest automated decisions as described in Section 6, including requesting human review of AI-generated scores and assessments.
13.3 Additional rights for California residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know. You may request that we disclose the categories and specific pieces of Personal Data we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share data.
- Right to delete. You may request deletion of Personal Data we have collected from you, subject to certain exceptions.
- Right to opt-out of sale or sharing. We do not sell or share (as defined by the CCPA/CPRA) your Personal Data. No opt-out is required, but you may contact us if you have concerns.
- Right to non-discrimination. We will not discriminate against you for exercising any of your privacy rights.
- Right to correct. You may request correction of inaccurate Personal Data.
- Right to limit use of sensitive Personal Data. We do not collect sensitive Personal Data as defined by the CPRA.
To exercise any of these rights, please contact us at hello@orank.ai. We will verify your identity before processing any request and will respond within 30 days (or 45 days if an extension is necessary, with notice). You may also designate an authorized agent to make a request on your behalf.
14. International data transfers
Our Services are hosted on infrastructure primarily located in the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other jurisdictions where our service providers operate.
For transfers of Personal Data from the EEA/UK to the United States, we rely on: (a) the European Commission's adequacy decisions where applicable; (b) Standard Contractual Clauses (SCCs) approved by the European Commission; and (c) our sub-processors' compliance with applicable data transfer frameworks, including the EU-U.S. Data Privacy Framework where certified.
By using our Services, you acknowledge and consent to the transfer of your information to these jurisdictions, which may have data protection laws that differ from those of your home jurisdiction.
15. API and programmatic access
Our Services are designed for both human and programmatic access. When you or an AI agent interacts with our REST API or MCP server:
- API requests are subject to rate limiting. Excessive requests may be throttled or blocked to prevent abuse.
- Scan results returned via the API contain the same information displayed on our website and are subject to the same public visibility terms described in Section 7.
- MCP server interactions are authenticated via HATCHA agent verification. Agent feedback submissions are rate-limited and associated with agent identifiers.
- Automated scraping or bulk downloading of scan results beyond normal API usage is prohibited without our prior written consent.
16. Children's privacy
Our Services are not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child under the applicable age of consent, we will take reasonable steps to delete such information promptly. If you believe we have collected information from a child, please contact us immediately.
17. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page. For material changes that significantly affect how we process Personal Data, we will make reasonable efforts to provide prominent notice (such as a notice on our homepage or, where feasible, direct notification).
We encourage you to review this Privacy Policy periodically. Your continued use of our Services after any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with any changes, you should discontinue use of our Services and may request deletion of your data.
18. Governing law
This Privacy Policy and any disputes arising from or related to it shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions. Any legal proceedings shall be brought exclusively in the state or federal courts located in Delaware.
Notwithstanding the foregoing, if you are located in the EEA or UK, nothing in this section limits your rights under the GDPR or your ability to lodge a complaint with your local supervisory authority.
19. Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, or wish to exercise any of your rights described herein, please contact us at:
For GDPR-related inquiries, you may also contact your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.