Privacy Policy

1. Data we collect

Account data. Name, email, company, role, language, and avatar. Collected when you sign up or accept an invitation.

Billing data. Plan, billing cycle, invoice history, and the last four digits and brand of your payment method. Full card numbers are processed directly by Stripe under PCI DSS and never stored on our servers.

Content and usage data. Briefs, articles, keyword lists, AI chat messages, rank-tracking history, uploaded assets, and any other inputs or outputs you generate through the Service.

Integration data. OAuth tokens and configuration you provide to connect Google Search Console, Google Analytics 4, Slack, Webflow, or WordPress. We request only the minimum scopes needed for the features you enable.

Technical data. IP address, user agent, device identifiers, pages visited, timestamps, and diagnostic logs.

Cookies. Essential (session, authentication, CSRF), preference (theme, locale), and — where permitted — analytics cookies. See §7 below.

We do not sell personal data. We do not use your content to train third-party AI foundation models.

2. How we use your data

We use personal data for the purposes below, under the following legal bases under the GDPR and UK GDPR:

• Provide and operate the Service — contract (Art. 6(1)(b))
• Authenticate users and prevent fraud or abuse — legitimate interests (Art. 6(1)(f))
• Process payments and manage subscriptions — contract
• Send transactional emails (invoices, security alerts, product updates) — contract / legitimate interests
• Send marketing emails — consent, opt-in only (Art. 6(1)(a))
• Product analytics, debugging, and error tracking — legitimate interests
• Comply with tax, accounting, and legal obligations — legal obligation (Art. 6(1)(c))

3. Sharing and subprocessors

We share personal data only with service providers (subprocessors) who help us operate the Service, under written agreements requiring confidentiality, security, and GDPR-equivalent protections. We may also disclose data when required by law, to enforce our terms, or to protect the rights, property, or safety of SEOTopSecret, our customers, or the public.

A current list is maintained and updated before material changes. Contact privacy@seotopsecret.com to receive notice of new subprocessors.

4. International transfers

Your data may be transferred to and processed in countries outside your home jurisdiction, including the United States. Where required, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and the Swiss addendum, together with appropriate supplementary measures such as encryption in transit and at rest.

For data originating in Mexico, transfers are governed by the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and our internal data-transfer standards.

5. Retention

• Account data — while your account is active; deleted or anonymized within 90 days of closure.
• Billing records — up to 5 years (Mexico) / 7 years (US), as required by tax law.
• Content data — while your account is active, plus a 30-day recovery window after closure.
• Logs and diagnostics — up to 12 months.
• Marketing data — until you unsubscribe or withdraw consent.

6. Your rights

Regardless of where you live, you may ask us to:

• access a copy of your personal data;
• correct data that is inaccurate or incomplete;
• delete your data, subject to legal retention;
• export your data in a portable format;
• object to or restrict specific processing;
• withdraw consent at any time (for processing based on consent).

EEA, UK, Switzerland (GDPR / UK GDPR): you may lodge a complaint with your local supervisory authority.

Mexico (LFPDPPP): you may exercise your ARCO rights (Acceso, Rectificación, Cancelación, Oposición) with us directly and, if unresolved, with the INAI.

California (CCPA / CPRA): you have the right to know, delete, correct, and opt out of “sharing”. We do not sell or share personal data for cross-context behavioral advertising.

To exercise any right, email privacy@seotopsecret.com. We respond within 30 days.

7. Cookies

• Essential — session, authentication, CSRF. Cannot be disabled.
• Preference — theme, locale. Set when you use the feature.
• Analytics — load only after consent in the EEA, UK, and Switzerland; loaded by default elsewhere and can be disabled in your browser.

8. Security

We apply technical and organizational measures including TLS 1.2+ in transit, encryption at rest for databases and object storage, scoped access with Postgres row-level security, least-privilege service roles, audit logs, multi-factor authentication for internal access, and regular security reviews. No method is 100% secure; we notify affected users and authorities of material breaches within 72 hours where required by law.

9. Children

The Service is not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided data, contact privacy@seotopsecret.com and we will delete it.

10. Changes

We may update this Policy. Material changes are notified by email or in-app at least 30 days before the effective date. Continued use of the Service after that date constitutes acceptance.