Your Privacy Matters

Privacy Policy

How SEOscar collects, uses, and protects your personal information.

Last Updated: March 5, 2026
Effective: March 5, 2026

1 Introduction

Welcome to SEOscar ("we," "us," "our," or the "Service"). SEOscar is a search engine optimization (SEO) analysis platform that provides website auditing, performance monitoring, competitor tracking, and AI-powered optimization recommendations.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application and related services (collectively, the "Service"). Please read this policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.


2 Information We Collect

2.1 Account Information

When you register for an account, we collect:

  • Email address — used as your unique account identifier, for login, and for service communications
  • Full name — used for display within the Service and team collaboration features
  • Password — stored using a secure one-way hash (never in plaintext); only applicable if you register with email/password rather than OAuth
  • Profile picture URL — imported from your OAuth provider if you sign in via Google or GitHub

2.2 Authentication Data

Depending on how you sign in, we may collect:

  • OAuth tokens — if you sign in via Google or GitHub, we store access tokens, refresh tokens, and token expiration data to maintain your authenticated session. We do not access any data beyond basic profile information (email, name, avatar) from these providers.
  • Session tokens — we issue a secure, signed session token stored in an HTTP-only cookie with a 30-day duration
  • IP address and user agent — recorded with each session for security and abuse prevention purposes

2.3 User-Provided API Keys (BYOK)

Our Service operates on a Bring Your Own Key model. You may optionally provide your own API keys for Google PageSpeed Insights, SerpAPI, Google Gemini AI, and Google Natural Language Processing API.

Your API keys are encrypted at rest using industry-standard encryption. We never store your API keys in plaintext. These keys are used solely to make API calls on your behalf and are never shared with any other party.

If you do not provide your own API keys, certain features may use our server-side API keys to process your requests, in which case we act as an intermediary.

2.4 SEO Analysis Data

When you use the Service to analyze websites, we collect and store:

  • URLs analyzed — the full URL of each page you submit for analysis
  • Keywords — any target keywords you provide for analysis
  • Audit results — including overall scores, category breakdowns, meta tag data, heading content, content metrics, link analysis, image alt-text quality, schema markup detection, mobile-friendliness indicators, and identified issues
  • PageSpeed metrics — Core Web Vitals and performance data
  • SERP data — search engine ranking positions, titles, and snippets
  • AI recommendations — optimization suggestions generated by AI
  • NLP analysis — optional sentiment and entity analysis of page content
  • Snapshots — historical records for comparison over time

2.5 Batch Audit Data

When you perform batch (site-wide) audits, we additionally collect starting URL and crawl configuration, per-page analysis results, and crawl status metrics.

2.6 Organization and Team Data

If you use our team collaboration features, we collect organization details, member roles (owner, admin, member, viewer), and invitation data including email addresses and expiration (7 days).

2.7 Kanban Boards and Task Management

If you use our project management features, we collect board names, descriptions, settings, task data (titles, descriptions, priority, due dates, assignees), comments, activity logs, labels, and source links connecting tasks to audits.

2.8 Billing Information

If you subscribe to a paid plan, we collect Stripe customer and subscription IDs, your plan tier, billing status, billing period dates, and (where applicable) your billing address and tax ID for VAT/sales tax calculation.

We do not collect or store your credit card number, bank account details, or other direct payment information. All payment processing is handled entirely by Stripe. See Stripe's Privacy Policy for details.

2.9 Usage Data

We track aggregate usage metrics per billing period to enforce plan limits: number of audits, batch pages crawled, AI recommendation requests, and SERP checks.

2.10 Competitor Blacklist

You may provide a list of competitor domain names to filter from SERP results. This list is stored in association with your account.

2.11 Notifications

We store in-app notification records including type, title, message, read status, and associated metadata.

2.12 Reports and Exports

When you generate reports, we store report metadata and generated PDF files in cloud storage (Cloudflare R2).


3 How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the Service — perform SEO audits, generate reports, deliver AI recommendations, track rankings, and enable team collaboration
  • Authenticate your identity — verify your account, manage sessions, and secure access
  • Process API requests — use your API keys (or our server keys) to call third-party services on your behalf
  • Send transactional emails — deliver account verification, password reset, audit notifications, team invitations, and payment alerts
  • Enforce usage limits — track monthly usage against subscription plan allowances
  • Process payments — manage subscription lifecycle events through Stripe
  • Deliver webhooks — send audit and batch completion data to endpoints you configure
  • Improve security — detect and prevent unauthorized access and abuse
  • Maintain and improve the Service — diagnose issues, monitor performance, and enhance features

We do not use your data for advertising, sell your personal information, or create user profiles for marketing purposes.

4 How We Share Your Information

We do not sell, rent, or trade your personal information. We share your data only in the following circumstances:

4.1 Third-Party Service Providers

We use the following third-party services. Each receives only the minimum data necessary:

Provider | Purpose | Data Shared
Vercel | App hosting & CDN | Request logs, IP addresses
Railway | Worker hosting | Job processing data in transit
Neon | PostgreSQL database | All stored data (TLS encrypted)
Upstash | Redis cache & queues | Cached data, job metadata
Cloudflare R2 | PDF storage | Generated report files
Resend | Email delivery | Email addresses, names, content
Stripe | Payments & tax calculation | Email, subscription events, billing address, tax ID, payment methods
Google APIs | PageSpeed, AI, NLP | URLs, content excerpts, metrics
SerpAPI | Search results | Keywords, location preferences

4.2 User-Configured Webhooks

If you configure webhooks, we send audit/batch data to your specified endpoints. Payloads are cryptographically signed using a unique secret key per webhook.

4.3 Team Members

Organization members may view shared audits, batch audits, reports, and boards depending on their assigned role and permissions.

4.4 Legal Requirements

We may disclose information if required by law or in response to valid legal process.

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email or prominent notice of any such change.


5 Cookies and Tracking

5.1 Essential Cookies

We use a single essential cookie for authentication:

Type: Essential (required)
Duration: 30 days
Secure flag: Enabled (HTTPS only)
HttpOnly flag: Enabled

5.2 No Tracking or Analytics Cookies

We do not use third-party analytics cookies, advertising cookies, remarketing cookies, social media tracking pixels, or any form of cross-site tracking.

6 Data Security

We implement appropriate technical and organizational safeguards:

  • Encryption at rest — API keys and sensitive data protected using industry-standard encryption
  • Password security — passwords stored using secure, one-way hashing
  • Encryption in transit — all connections use HTTPS/TLS
  • Secure sessions — HTTP-only, secure cookies inaccessible to client-side scripts
  • Signed webhooks — payloads cryptographically signed for authenticity

While we strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or electronic storage is 100% secure.


7 Data Retention

7.1 Active Account Data

  • Account information retained for the duration of your account
  • Audit and analysis data retained until you delete them or your account
  • Reports retained until you delete them or your account
  • Usage records retained for billing period tracking

7.2 Automatically Expiring Data

Data Type | Retention
Session tokens | 30 days
Email verification tokens | 24 hours
Password reset tokens | 1 hour
Organization invitations | 7 days

7.3 Cached Data

Certain API responses may be temporarily cached in Redis for up to 1 hour to improve performance.


8 Your Rights and Choices

8.1 Access and Export

  • View all your audit data, reports, and account information through the dashboard
  • Export your audit data as JSON or PDF reports at any time

8.2 Deletion

You have the right to delete your data:

  • Delete specific audits, batch audits, webhooks, and reports
  • Delete your account permanently, including all audits, snapshots, reports, API keys, webhook configurations, notifications, organization memberships, boards, tasks, comments, and session records

Account deletion is permanent and cannot be undone.

8.3 Modify Your Information

  • Update your name and email address through account settings
  • Update or remove stored API keys at any time
  • Modify your competitor blacklist at any time

8.4 Communication Preferences

Transactional emails (account verification, password reset, security alerts) are essential and cannot be opted out of. Audit completion notifications follow your notification preferences.


9 European Users (GDPR)

If you are located in the EEA, United Kingdom, or Switzerland, you have additional rights under the GDPR:

9.1 Legal Basis for Processing

Processing Activity | Legal Basis
Account creation & authentication | Performance of contract
SEO analysis & auditing | Performance of contract
Payment processing | Performance of contract
Transactional emails | Performance of contract
Security monitoring (IP, user agent) | Legitimate interest
Service improvement | Legitimate interest

9.2 Your GDPR Rights

  • Right to be informed (this Privacy Policy)
  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (see Section 8.2)
  • Right to restrict processing
  • Right to data portability (JSON export available)
  • Right to object to processing based on legitimate interest
  • Right to lodge a complaint with your local data protection authority

9.3 International Data Transfers

Your data may be processed on servers located in the United States and other countries. We rely on standard contractual clauses and our providers' data protection commitments.


10 California Users (CCPA)

If you are a California resident, you have additional rights under the CCPA:

  • Right to know — request categories and specific pieces of personal information collected
  • Right to delete — request deletion (see Section 8.2)
  • Right to non-discrimination — we will not discriminate for exercising your rights
  • No sale of personal information — we do not sell your data
  • No cross-context behavioral advertising — we do not share data for targeted advertising

11 Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have, we will promptly delete that information.


12 Third-Party Links

The Service may contain links to third-party websites as part of SEO analysis results or other features. We are not responsible for the privacy practices of these third-party sites.


13 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you by updating the "Last Updated" date and sending an email for material changes. Continued use constitutes acceptance.


14 Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns, please contact us:

SEOscar

Email: office@asarum-tech.com

For GDPR requests, include "GDPR Request" in your subject line.
For CCPA requests, include "CCPA Request" in your subject line.


15 Summary of Key Points

Data We Collect

Account info, SEO analysis data, usage metrics, billing identifiers

API Keys

Encrypted at rest; never stored in plaintext

Cookies

One essential session cookie only; no tracking cookies

Selling Data

We never sell your personal information

Advertising

No advertising, no tracking, no profiling

Third Parties

Data shared only with essential service providers

Data Deletion

Full account deletion available; all data permanently removed

Security

Industry-standard encryption, secure hashing, HTTPS/TLS