PRIVACY POLICY
THE SEO ENGINE ("we," "us," or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, disclose, and protect your information when you use our platform as a subscriber (Client) or as a visitor to a Client's website hosted on the SEO Engine platform.
This policy complies with the UK General Data Protection Regulation (UK GDPR), the EU GDPR (2016/679), and other applicable data protection legislation.
Data Controller: THE SEO ENGINE Ltd. All data protection enquiries: privacy@theseoengine.com
1. Data We Collect
1.1 Client (Subscriber) Data
- Account information: Business name, owner name, email address, password (stored as bcrypt hash), city, country, industry, and subdomain preference.
- Business profile data: Services, keywords, content preferences, branding assets, and scheduling settings.
- Billing information: Subscription plan and payment status. Full card details are handled exclusively by Stripe and never stored by us.
- Usage data: Log files, IP addresses, browser type, pages visited, and feature usage metrics.
- Communications: Emails and support messages you send to us.
1.2 Lead / Visitor Data (Collected on Your Behalf)
When visitors submit lead capture forms on your Client-hosted blog, we collect this data as a Data Processor on your behalf:
- Contact information: name, email address, phone number (where provided).
- Message content submitted via the lead form.
- Technical data: IP address and User-Agent string (for spam filtering only).
- Attribution data: source URL, referrer, and UTM parameters.
All lead PII is encrypted at rest using AES-256 (Fernet encryption).
1.3 Analytics Data
We use Umami Analytics — a privacy-preserving, open-source tool that does not use cookies, does not track users across sites, and does not collect personally identifiable information.
2. Data Storage and Security
All personal data is stored exclusively on servers located in Germany (EU), operated by Hetzner Online GmbH (ISO 27001 and ISO 9001 certified).
- Encryption at rest: Lead PII encrypted with AES-256 (Fernet). Passwords hashed with bcrypt (cost factor 12+).
- Encryption in transit: TLS 1.2+ enforced on all connections.
- Access controls: Principle of least privilege applied to all systems.
- Automated backups: Encrypted backups retained for 7 days.
3. Sub-processors
We share limited data with these third-party sub-processors, each bound by appropriate DPAs or SCCs:
Resend (resend.com)
Purpose: Transactional email delivery.
Data shared: Recipient email and name only.
Location: United States (SCCs apply).
Stripe (stripe.com) — Payment Processor
Purpose: Payment processing and subscription management.
Data shared: Billing contact info and subscription data.
Location: UK and United States.
Hetzner Online GmbH (hetzner.com)
Purpose: Cloud infrastructure and managed databases.
Location: Germany (EU) — no data transfer outside EEA.
Anthropic (anthropic.com)
Purpose: AI content generation via the Claude API.
Data shared: Business profile info only. No lead PII or visitor contact data is shared with Anthropic.
Location: United States (Anthropic DPA applies; API inputs not used for training).
4. Data Retention
| Data Category | Retention Period |
|---|---|
| Active subscriber account data | Retained while subscription is active |
| Cancelled account data | 90 days from cancellation, then permanently deleted |
| Lead / visitor PII | 2 years from submission, or until Client deletion request |
| Billing records | 7 years (tax and accounting law) |
| Application logs | 90 days |
| Encrypted backups | Up to 7 days |
5. Your Rights as a Data Subject
Under UK GDPR and EU GDPR, you have the following rights. To exercise them, email privacy@theseoengine.com. We respond within 30 days.
- Right of Access (Art. 15): Request a copy of your personal data.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your data.
- Right to Data Portability (Art. 20): Receive your data in a machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
- Right to Restrict Processing (Art. 18): Restrict how we process your data.
You have the right to lodge a complaint with a supervisory authority. In the UK: Information Commissioner's Office (ICO).
6. Cookie Usage
We use minimal cookies strictly necessary to operate the platform. We do not use third-party advertising cookies or cross-site tracking technologies.
Umami Analytics (used on Client-hosted blog pages) does not use cookies or persistent tracking identifiers. No consent is required for Umami under the ePrivacy Directive.
See our full Cookie Policy for details.
7. Legal Basis for Processing (GDPR Art. 6)
- Contract Performance (Art. 6(1)(b)): Processing necessary to deliver the Service, manage your subscription, and send transactional emails.
- Legitimate Interests (Art. 6(1)(f)): Usage and log data to improve the platform, detect fraud, and maintain security.
- Legal Obligation (Art. 6(1)(c)): Retaining billing records for tax compliance.
- Consent (Art. 6(1)(a)): Where relied upon (e.g. optional marketing emails), you may withdraw consent at any time.
8. Contact Our Data Protection Officer
Data Protection Officer
THE SEO ENGINE Ltd
Email: privacy@theseoengine.com
General support: support@theseoengine.com
Legal matters: legal@theseoengine.com
We aim to respond to all data protection requests within 30 days. Complex requests may require up to 3 months, in which case we will notify you within 30 days of the expected timeline.