Privacy Policy

Account information — your email address, provided when you run an audit or create an account.

Google Search Console data — if you connect GSC, we access your top keywords, clicks, impressions, CTR, and average position via read-only OAuth (scope: webmasters.readonly). We never modify your Search Console data.

Session data — your IP address and user agent are stored with your session for security and rate limiting.

Usage data — which keywords you click or interact with inside the dashboard.

We use your data to:

• Deliver SEO audit results and keyword scoring
• Send transactional emails (audit results, password reset, billing notices)
• Process payments and manage your subscription
• Rate-limit audit requests (3 per day per IP) to prevent abuse
• Improve the scoring engine and product experience

We do not sell your data. We do not use your data for advertising.

We share limited data with the following services to operate SEO Triage:

• DataForSEO — we send keywords and location codes to fetch SERP data, search volume, and keyword difficulty. No personal information is sent.
• Stripe — processes payments. Receives your email address and billing information. Subject to Stripe's Privacy Policy.
• Mailgun — delivers transactional emails. Receives your email address.
• Google OAuth — authenticates your Search Console connection. Subject to Google's Privacy Policy.
• Cloudflare Turnstile — bot protection on the audit form. Processes your IP address and browser signals. Subject to Cloudflare's Privacy Policy.
• Anthropic (Claude) — generates content briefs. Receives keyword data only — no personal information is sent.
• Umami Analytics (self-hosted) — privacy-first analytics. No cookies, no personal data collected.

We use a single session cookie (better-auth) to keep you signed in. It is:

• Secure and HTTP-only (not accessible to JavaScript)
• SameSite: lax
• Expires after 30 days

We do not use tracking cookies, advertising cookies, or third-party cookies.

Your data is stored in a PostgreSQL database on self-hosted infrastructure. GSC OAuth tokens are encrypted at rest. All connections use HTTPS. Passwords are hashed — we never store them in plain text.

You have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your account and associated data
• Export your data in a portable format
• Revoke Google Search Console access at any time via your Google account
• Withdraw consent — you can stop using the service and request deletion

To exercise any of these rights, contact us at the address below.

• Sessions expire after 30 days
• Rate-limit records are deleted after 24 hours
• Account data is retained until you request deletion
• Upon deletion request, we remove your data within 30 days