Privacy Policy

Last updated: {lastUpdated}

1. Information We Collect

We collect information you provide directly when creating an account:

Account information: name, email address, and password
Google Search Console data: search performance metrics (clicks, impressions, CTR, position) accessed via OAuth
WordPress site data: post content, titles, and URLs synced through our plugin
API keys: your OpenAI API key, encrypted at rest
Payment information: processed securely by Stripe; we do not store card numbers

2. How We Use Your Information

Your data is used to:

Provide SEO analysis and generate recommendations for your sites
Generate AI content drafts using your OpenAI API key
Track the ROI of applied recommendations over time
Send you notifications about analysis results and traffic anomalies
Process payments and manage your subscription

3. Data Storage and Security

We take data security seriously:

All sensitive data (API keys, OAuth tokens, HMAC secrets) is encrypted at rest using AES-256
All connections use HTTPS with HSTS enforcement
Session data is encrypted in production with secure, HTTP-only, SameSite cookies
Content Security Policy headers protect against XSS attacks
Rate limiting is applied to all authentication and API endpoints

4. Sub-Processors

We use the following sub-processors to deliver the Service. Each has been assessed for GDPR adequacy or operates under Standard Contractual Clauses.

Sub-Processor	Purpose	Location	DPA
OpenAI	AI content generation (BYOK)	US	DPA
DataForSEO	SERP data (BYOK)	EU	DPA
Stripe	Payment processing	US / EU	DPA
Google GSC	Search Console data (OAuth)	US / EU	DPA
Sentry	Error monitoring	US	DPA

For the full sub-processor list see our{' '} Sub-Processors page .

5. Data Retention

We retain personal data only as long as necessary (GDPR Art. 5(1)(e)):

Data Type	Retention Period	Basis
Account & profile data	Until account deletion	Contract
Google Search Console metrics	90 days (configurable)	Legitimate interest
Content snapshots	90 days	Contract
Audit logs	365 days	Legal obligation
ROI snapshots	365 days	Legitimate interest
Cookie consent records	3 years	Legal obligation (GDPR Art. 7)
Payment & billing records	7 years	Legal obligation (tax law)

You may request deletion of your account and all associated data at any time from your profile settings.

6. Your Rights

Under GDPR you have the following rights. To exercise any right, use the in-app settings or contact us.

Right of access (Art. 15): export all data stored about you via your profile settings
Right to rectification (Art. 16): correct inaccurate information in your account
Right to erasure (Art. 17): delete your account and all associated data from your profile settings
Right to data portability (Art. 20): download your data as JSON or CSV
Right to withdraw consent (Art. 7): revoke cookie consent or third-party access (Google, WordPress) at any time
Right to object (Art. 21): object to processing based on legitimate interest by contacting us

7. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights:

Right to know: request disclosure of the categories and specific pieces of personal information we collect, use, and share
Right to delete: request deletion of personal information we hold (subject to legal exceptions)
Right to opt-out of sale/sharing: we do not sell or share personal information for cross-context behavioral advertising
Right to correct: request correction of inaccurate personal information
Right to limit sensitive data use: we do not process sensitive personal information beyond what is necessary to provide the Service
Non-discrimination: we will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, use the data export or account deletion features in your profile settings or contact us directly.

8. Cookie Policy

We use cookies in the following categories. You can manage your preferences using the cookie consent banner at the bottom of the screen.

Category	Purpose	Required
Necessary	Session management, authentication, CSRF protection, and core Service functionality	Yes — cannot be disabled
Functional	Remember your preferences (theme, language, timezone)	Optional
Analytics	Understand how the Service is used to improve features (PostHog, first-party only)	Optional
Marketing	Personalise content and measure campaign effectiveness	Optional

9. Server-Side Analytics

We use PostHog for product analytics to improve our Service. For critical product functionality events (account creation, first analysis completion, subscription changes), we process these events server-side as part of our legitimate interest in product improvement and service delivery (GDPR Art. 6(1)(f)). These events are limited to product usage milestones and do not track browsing behaviour.

Client-side analytics (page views, feature usage tracking) are subject to your cookie consent preferences and can be managed via the cookie consent banner.

10. AI-Generated Content

Content generated through the Service uses your OpenAI API key. Your site content and search data are sent to OpenAI for processing. We do not use your content to train our own models. OpenAI's data retention and usage policies apply to data processed through their API.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes via email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Your Data Rights

Under GDPR, you have the following rights regarding your personal data:

Access & Export: Download a full copy of your data from{' '} Settings → Privacy → Export Data . We will respond within 30 days.
Rectification: Correct inaccurate personal data at any time through your account settings.
Erasure: Request deletion of your account and all associated data. Submit a request through{' '} Settings → Privacy → Delete Account .
Portability: Receive your data in a structured, machine-readable format (JSON) via the Data Export feature.
Restriction of Processing: Request that we limit how we use your data while a dispute is resolved.
Objection: Object to processing based on legitimate interests. We will cease unless we have compelling legitimate grounds.

We will respond to all data rights requests within 30 days. For complex requests, we may extend this by up to 2 months with notice.

To exercise your data rights, log in and visit{' '} Settings > Privacy to request a data export or delete your account. You may also contact us at{' '} privacy@{new URL(app_url).hostname} .

13. Legal Basis for Processing

We process personal data under the following legal bases (GDPR Art. 6):

Legal Basis	Processing Activities
Performance of Contract (Art. 6(1)(b))	Account management, Google Search Console data sync, WordPress integration, content recommendation generation
Legitimate Interest (Art. 6(1)(f))	Product analytics (PostHog), SEO recommendations, site health scoring, fraud prevention, service improvement
Consent (Art. 6(1)(a))	Optional cookies, marketing communications, optional feature notifications
Legal Obligation (Art. 6(1)(c))	Audit logs (GDPR Art. 30 records), billing records (tax compliance), data breach notifications (GDPR Art. 33)

14. International Data Transfers

Some of our sub-processors are located outside the EEA. We ensure appropriate safeguards are in place for all international transfers:

Sub-Processor	Location	Purpose	Transfer Mechanism
OpenAI	United States	AI content generation (BYOK)	Standard Contractual Clauses (SCCs)
Stripe	US / EU	Payment processing	SCCs + EU-US Data Privacy Framework
Google (Search Console)	US / EU	SEO data integration	SCCs + EU-US Data Privacy Framework
DataForSEO	European Union	SERP data (BYOK)	No transfer — EU-based

For BYOK integrations (OpenAI, DataForSEO), your API key and associated data are processed under your own agreement with the sub-processor. We act as a data processor on your behalf.

15. Data Protection Officer

For questions about how your personal data is processed, to exercise your data rights, or to raise a concern about our data practices, please contact our Data Protection Officer:

Email:{' '} dpo@{new URL(app_url).hostname}
Response time: We aim to respond to all enquiries within 5 business days

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed unlawfully.

16. Contact

If you have general questions about this privacy policy, please contact us through the Service or email{' '} privacy@{new URL(app_url).hostname} .